The Office of Management and Budget and the Department of Homeland Security need to step up their monitoring of small government agencies’ implementation of federal security and privacy requirements.
That’s the main recommendation made by the Government Accountability Office in a new report reviewing cybersecurity and privacy at agencies that have, for the most part, 6,000 or fewer employees.
Although these agencies have fewer staff, less stature and fewer resources than the largest government entities, they are no less important when it comes to their network security and privacy protocols, Gregory C. Wilshusen, GAO director of information security issues, and Dr. Nabajyoti Barkakati, the GAO’s chief technologist, wrote to Congress in explaining the findings.
“Small agencies…like large agencies, place a great deal of sensitive information on their systems and, if not properly protected, they are at risk from the growing and evolving threats to the systems and networks that support federal operations,” they wrote. “These growing and evolving threats can potentially affect all segments of our society, including individuals, private businesses, government agencies and other entities.”
The GAO, in completing the review, did a deep dive into the inner workings of six small agencies. Auditors evaluated them on a variety of factors that fall under the headings of privacy and information security. The six agencies selected were: the Federal Retirement Thrift Investment Board, the Federal Trade Commission, the International Boundary Commission (for the border between the United States and Canada), the James Madison Memorial Fellowship Foundation, the National Capital Planning Commission and the National Endowment for the Humanities.
Agencies made ‘mixed progress’
Overall, the half-dozen agencies were found to have made “mixed progress” in keeping up with requirements mandated by the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Information Security Management Act (FISMA) of 2002. The report states that the agencies “generally developed many of the requirements of an information security program, but these programs have not been fully implemented.”
Specifically, four of the six agencies have developed information-security programs that include risk assessments, security policies and procedures, system-security plans, security-awareness training, periodic testing and evaluation, remedial-action plans, incident handling and contingency planning, as these federal laws require. But key elements of their plans, policies or procedures were outdated, incomplete or did not exist. The other two agencies had not developed an information-security program with the elements FISMA requires.
Regardless of their size, federal agencies must abide by mandated standards, guidelines and requirements related to federal information systems. These rules have been put in place to safeguard government computer systems and sensitive information, including personally identifiable information that resides on them. Especially as systems become more complex and interconnected and hacking tools become easier to obtain and deploy, this remains a big challenge, GAO said.
OMB and DHS have taken some steps to oversee and help small agencies implement security and privacy requirements — just not enough, in the eyes of the GAO auditors.
For example, OMB and DHS have issued reporting guidance and offered up assistance to all agencies when it comes to implementing security and privacy programs. However, 55 of 129 small agencies are not reporting on cybersecurity and privacy requirements.
The subsequent recommendation, which OMB and DHS generally agree with, is a more hands-on approach. DHS should develop special services and guidance that’s specifically tailored to the environments of small agencies. Meanwhile, OMB should report on all small agencies’ implementation efforts and progress, the GAO report stated.
“Until OMB and DHS oversee agencies’ implementation of information security and privacy program requirements and provide additional assistance, small agencies will continue to face challenges in protecting their information and information systems,” auditors wrote.