GAO Finds ‘Persistent’ Weaknesses in Agency Information Security

The Government Accountability Office said in report issued today that it found “persistent weaknesses” in how 24 federal government agencies are applying information security policies and practices, and recommended the Office of Management and Budget in consultation with the Department of Homeland Security improve security program reporting guidance to agency inspectors general “so that the ratings of agency security performance will be consistent and comparable.”

GAO said that OMB concurred with its recommendation. Among the weaknesses listed by GAO were:  limiting and detecting “inappropriate access” to computer resources; managing hardware and software configuration;  segregating duties so that a single person does not have control over all key aspects of a computer-related operation;  planning for continuity of operations in the event of disruption or disaster;  and implementing agency-wide security management programs critical to identifying control deficiencies, resolving problems and managing risks on an ongoing basis.

Those weaknesses were gauged against requirements spelled out under the Federal Information Security Management Act of 2002, with GAO saying that federal agency implementation of those requirements was “mixed.”

“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies’ efforts to fully implement effective information security programs,” GAO said.

“In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented,” GAO said.

“At a time when threats in cyber space are growing at a rapid pace, it is unacceptable that so many agencies continue to fall behind in cyber defense and remain far out of compliance with the law,” said Sen. Tom Carper (D., Del.), ranking member of the Senate Homeland Security and Government Affairs Committee, in a statement issued following release of the GAO report.

“Simply put, agencies need to do a better job fully implementing basic security measures. While the Government Accountability Office’s results are very disappointing, it is important to note that much of this audit took place before the enactment of the updated Federal Information Security Modernization Act (FISMA) of 2014 and Federal Information Technology Acquisition Reform Act (FITARA),” he said.  “These laws represent two significant steps in empowering agencies to better protect their cyber networks, and I am optimistic that next year’s audit results will reflect those benefits. But in order to be successful, leadership at all agencies must make cybersecurity a top priority.

He continued, “Though it’s clear agencies have significant work ahead, we must not overlook the progress that has been made over the past year. I am encouraged by the increased oversight efforts currently being made by the Office of Management and Budget and the Department of Homeland Security. Efforts like the Administration’s Cyber Sprint initiative are crucial in finding where we are most vulnerable and shoring up these weak links in the chain.” – John Curran,

Courtesy TRDaily