During its audit of the Internal Revenue Service's (IRS) fiscal years 2019 and 2018 financial statements, GAO identified new deficiencies in information system security controls that along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in the agency's internal control over financial reporting systems. Specifically, GAO identified 11 new def

The Department of Veterans Affairs (VA) has taken actions to mitigate previously identified vulnerabilities, but it has not fully addressed these weaknesses: (1) Incident response: VA took actions to contain and eradicate the effects of a network intrusion detected in 2012, but it could not show that these actions were fully effective. Specifically, the department's Network and Security Operation

Enrollment through Healthcare.gov is supported by the exchange of information among many systems and entities. The Department of Health and Human Services' (HHS) Centers for Medicare & Medicaid Services (CMS) has overall responsibility for key information technology (IT) systems supporting Healthcare.gov. These include, among others, the Federally Facilitated Marketplace (FFM) system, which facil

Many systems and entities exchange information to carry out functions that support individuals' ability to use Healthcare.gov to compare, select, and enroll in private health insurance plans participating in the federal marketplaces, as required by the Patient Protection and Affordable Care Act (PPACA). The Centers for Medicare & Medicaid Services (CMS) has overall responsibility for key federal

State has developed and implemented a risk scoring program that identifies and prioritizes several but not all areas affecting information security risk. Specifically, the scope of iPost's risk scoring program (1) addresses Windows hosts but not other IT assets on its major unclassified network; (2) covers a set of 10 scoring components that includes many, but not all, information system controls

FDIC did not sufficiently implement access and other controls intended to protect the confidentiality, integrity, and availability of its financial systems and information. For example, it did not always (1) sufficiently restrict user access to systems, (2) ensure strong system boundaries, (3) consistently enforce strong controls for identifying and authenticating users, (5) encrypt sensitive inf

NARA has not effectively implemented information security controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems that support its mission. Although it has developed a policy for granting or denying access rights to its resources, employed mechanisms to prevent and respond to security breaches, and made use of encryption technologies to pro

Although FHFA has implemented important information security controls, it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of financial information stored on and transmitted over its key financial systems, databases, and computer networks. The agency's financial system computing environment had deficiencies in several areas a

The goals of TIC are to secure federal agencies' external network connections, including Internet connections, and improve the government's incident response capability by reducing the number of agencies' external network connections and implementing security controls over the connections that remain. In implementing TIC, agencies could either provide their own access points by becoming an access

None of the control deficiencies we identified represented significant risks to the BPD financial systems. With regard to financial reporting and compliance with applicable laws and regulations, BPD mitigated the potential effect of such control deficiencies with physical security measures and a program of monitoring user and system activity. Further, BPD has compensating management and reconcili