Selected agencies—the Federal Aviation Administration, Indian Health Services, and Small Business Administration—had generally deployed tools intended to provide cybersecurity data to support the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program. As depicted in the figure, the program relies on automated tools to identify hardware and software residin

In recent years, the Department of Homeland Security (DHS) has acted to improve and promote the cybersecurity of federal and private-sector computer systems and networks, but further improvements are needed. Specifically, consistent with its statutory authorities, DHS has made important progress in implementing programs and activities that are intended to mitigate cybersecurity risks on the compu

The Securities and Exchange Commission (SEC) improved its information security by addressing weaknesses previously identified by GAO, including separating the user production network from the internal management network. However, weaknesses continue to limit the effectiveness of other security controls. In particular: (1) While SEC had issued policies and implemented controls based on those polic

The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives: (1) <b>Intrusion detection:</b> NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of m

Federal systems face an evolving array of cyber-based threats. These threats can be unintentional--for example, from software coding errors or the actions of careless or poorly trained employees; or intentional--targeted or untargeted attacks from criminals, hackers, adversarial nations, terrorists, disgruntled employees or other organizational insiders, among others. These concerns are further h

Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. Most agencies continue to have weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer resources; (2) managing the configuration of software and hardware; (3) segregating duties to ensure that a single individual does

While the Department of Veterans Affairs (VA) has taken actions to mitigate previously identified vulnerabilities, it has not fully addressed these weaknesses. For example, VA took actions to contain and eradicate a significant incident detected in 2012 involving a network intrusion, but these actions were not fully effective: (1) The department's Network and Security Operations Center (NSOC) ana

Although FDIC had implemented numerous controls in its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information. FDIC has implemented controls to detect and change default user accounts and passwords in vendor-supplied software, restricted access to network management servers, developed an

The threats to systems supporting critical infrastructures are evolving and growing. In a February 2011 testimony, the Director of National Intelligence noted that there has been a dramatic increase in cyber activity targeting U.S. computers and systems in the last year, including a more than tripling of the volume of malicious software since 2009. Varying types of threats from numerous sources c

GAO identified a range of leading security practices for deploying and monitoring secure wireless networks and technologies that can help secure these networks. The leading practices include the following: (1) comprehensive policies requiring secure encryption and establishing usage restrictions, implementation practices, and access controls; (2) a risk-based approach for wireless deployment and