Although each day seems to bring news of another damaging cyber attack, federal agencies continue to lag behind in implementing crucial information security policies and practices, creating significant cybersecurity weaknesses within the agencies, according to a recent Government Accountability Office (GAO) audit report.
“The emergence of increasingly sophisticated cyber threats underscores the need to manage and bolster the security of federal information systems,” GAO said. In fact, the report came just months after the massive breach of the Office of Personnel Management (OPM) which compromised the personally identifiable information of more than 20 million federal workers.
Despite the increased number and sophistication of devastating, high-profile security breaches in recent years, GAO’s report revealed “persistent weaknesses” at 24 federal agencies. The government investigators identified vulnerabilities in the areas of access control, configuration management, segregation of duties, contingency planning and security management.
“Until agencies correct longstanding control deficiencies and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at increased and unnecessary risk of attack or compromise,” GAO stated.
These findings are not new. Over the past several years, GAO has issued numerous reports containing hundreds of recommendations urging federal agencies to improve their cybersecurity practices. However, many of these recommendations remain unimplemented.
“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk and can impair agencies’ efforts to fully implement effective information security programs,” GAO said.
Since 1997, GAO has designated federal information security as a government-wide high-risk area, and in 2003 expanded this area to include computerized systems supporting the nation’s critical infrastructure. Then, in February 2015, GAO expanded this area to include protecting the privacy of personal information that is collected, maintained and shared by both federal and nonfederal entities.
In addition, to help protect against threats to federal systems, the Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to “develop, document and implement” an information security program.
In examining federal agency compliance with FISMA, however, GAO called into question the comprehensiveness of the guidance that the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) provide to inspectors general for auditing the IT security compliance of agencies.
While most agencies had developed risk-management policies required by FISMA’s annual reporting requirements, each agency’s inspector general reported weaknesses in the processes used to implement those requirements. GAO indicates that shortcomings in reporting could result in uneven information being provided to Congress and other oversight entities, limiting their ability to accurately assess federal implementation of information security programs.
“GAO found that this guidance was not always complete, leading to inconsistent application by the inspectors general,” the audit stated. “For example, because it did not include criteria for making overall assessments, inspectors general inconsistently reported agency security performance.”
The auditors recommended that the OMB work with DHS and others to enhance security program reporting guidance to inspectors general so that the ratings of agency security performance will be consistent and comparable. OMB generally concurred with GAO’s recommendation.
A representative from OMB commented that during fiscal year 2015, OMB worked with DHS and the Intelligence Community to develop and refine the FY 2016 FISMA metrics. Additionally, OMB has worked with the Chief Information Officers Council to improve the reporting process and with the Information Technology Committee of the Council of the Inspectors General on Integrity and Efficiency to enhance FISMA reporting guidance for the inspector general community.
In response to GAO’s assessment of the security of federal agencies’ networks, Sen. Tom Carper (D-Del.), ranking member of the Senate Committee on Homeland Security and Government Affairs, issued a statement emphasizing the importance of addressing risks to federal systems in order to prevent attack or compromise.
“Today’s report sheds light on a number of deficiencies in the security of federal agencies’ networks across the government,” Carper said. “At a time when threats in cyber space are growing at a rapid pace, it is unacceptable that so many agencies continue to fall behind in cyber defense and remain far out of compliance with the law. Simply put, agencies need to do a better job fully implementing basic security measures.”
However, Carper also noted that much of the audit took place before the enactment of recent updates to FISMA and the Federal Information Technology Acquisition Reform Act (FITARA). Carper stated, “These laws represent two significant steps in empowering agencies to better protect their cyber networks, and I am optimistic that next year’s audit results will reflect those benefits.”
“But in order to be successful, leadership at all agencies must make cybersecurity a top priority,” Carper added.