Agencies continue to struggle to secure their computer systems even 10 years after Congress passed the Federal Information Security Management Act, or FISMA.
The Government Accountability Office found all 24 agencies it reviewed had weaknesses in security controls. These include access control, configuration management and security management.
“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs,” auditors wrote in the report issued today. “As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”
GAO found 19 of 24 agencies had inadequate information security controls for financial reporting purposes. Specifically, eight agencies identified material weaknesses, increasing from six agencies, while 11 reported significant deficiencies, decreasing from 15 agencies in fiscal 2009.
Additionally, GAO said 23 of 24 inspectors general cited information security as a “major management challenge” for their agency, reflecting an increase from 2009, when 20 of 24 inspectors general cited this issue.
Access controls, which ensure that only authorized individuals can read, alter or delete data.
Configuration management controls, which provide assurance that only authorized software programs are implemented.
Segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection.
Continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations.
Agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.
“These findings are all the more troubling given that GAO has been telling us for some time that these are areas of vulnerability and must be addressed, yet we still haven’t made enough progress in shoring up these obvious weaknesses,” said Sen. Tom Carper (D-Del.), in a statement. “Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future, and they need the proper oversight and guidance to accomplish that goal.”
Carper, along with Sens. Joseph Lieberman and Susan Collins (R-Maine), introduced the Cybersecurity and Internet Freedom Act of 2011 to modernize FISMA.
It is one of dozens of bills Congress is considering to improve agency oversight and fix problems with agency computer networks.
The report comes during cybersecurity awareness month. President Barack Obama issued a proclamation today as well touting the administration’s cyber proposal released in May. The President also called on citizens “to recognize the importance of cybersecurity and to observe this month with activities, events, and trainings that will enhance our national security and resilience.”
And there seems to be a lot of work that still needs to be done. GAO found several continuing holes in agency systems.
For instance, GAO found a the lack of training of federal employees. Despite the focus by the Office of Management and Budget over the last five years, GAO said inspectors general for 17 of 24 major agencies cited weaknesses in their agency’s training programs. Five inspectors general reported that less than 90 percent of employees with log-in privileges had attended security awareness training in the last year. In addition, 11 inspectors general reported that less than 90 percent of employees, contractors, and other users with significant security responsibilities had attended specialized training in the past year. Inspectors general for 11 agencies also reported that identification tracking of those with significant security responsibilities were not adequate.
GAO found another risk agencies continue to face is how they oversee contractor systems with federal data.
“Inspectors general for 18 agencies identified weaknesses in agency programs for overseeing contractor operations,” auditors wrote. “For example, inspectors general for two agencies revealed that their agency did not have a program in place, and the remaining 16 identified weaknesses in their agency’s program. Illustrative examples included 10 inspectors general reporting that their agency had not fully developed or consistently implemented policies and procedures to oversee systems operated on the agency’s behalf by contractors or other entities. Eight inspectors general also reported that systems owned or operated by contractors and entities did not meet OMB and NIST FISMA requirements.”
OMB and the Homeland Security Department have been trying to address many of these problems from a governmentwide and agency specific perspective over the last five years.
For instance, since July 2011, DHS has held CyberStat sessions with seven agencies discussing various topics including continuous monitoring.
GAO made one recommendation for OMB and DHS to give agencies performance targets for metrics as part of the annual FISMA guidance.
“OMB’s fiscal year 2010 reporting instructions included 31 metrics for chief information officers. While most chief information officer metrics were clearly defined and reflected agency priorities, all but one of the metrics did not include performance targets that would allow agencies to track progress over time,” the audit agency found. “For example, one of the measures asks agencies to provide the mean time for incident detection, remediation and recovery. While this defined metric addresses an organizational priority, it does not provide a target or threshold to monitor progress over time.”
“There is perhaps no greater vulnerability that Congress has yet to address through legislation than the insecurity of cyberspace,” said Collins in a release.
“Today’s report points out too many serious vulnerabilities. We must fortify the government’s efforts to safeguard its own cyber networks from attack and build a public/private partnership to promote stronger national cyber-security. Unfortunately, the government’s work on this issue continues to be disjointed, ineffective, and uncoordinated. Reform legislation continues to languish. This simply cannot continue because the stakes are far too high.”