Senator Carper Responds to GAO Assessment of Security of Federal Agencies’ Networks

WASHINGTON – Today, Sen. Tom Carper (D-Del.), ranking member of the Homeland Security and Government Affairs Committee, responded to a new Government Accountability Office (GAO) report that analyzed the security of federal agencies’ networks. The report found that until agencies correct longstanding security deficiencies, federal systems will remain at increased and unnecessary risk of attack or compromise.

“Today’s report sheds light on a number of deficiencies in the security of federal agencies’ networks across the government,” said Sen. Carper. “At a time when threats in cyber space are growing at a rapid pace, it is unacceptable that so many agencies continue to fall behind in cyber defense and remain far out of compliance with the law. Simply put, agencies need to do a better job fully implementing basic security measures. While the Government Accountability Office’s results are very disappointing, it is important to note that much of this audit took place before the enactment of the updated Federal Information Security Modernization Act (FISMA) of 2014 and Federal Information Technology Acquisition Reform Act (FITARA). These laws represent two significant steps in empowering agencies to better protect their cyber networks, and I am optimistic that next year’s audit results will reflect those benefits. But in order to be successful, leadership at all agencies must make cybersecurity a top priority.

“Though it’s clear agencies have significant work ahead, we must not overlook the progress that has been made over the past year. I am encouraged by the increased oversight efforts currently being made by the Office of Management and Budget and the Department of Homeland Security. Efforts like the Administration’s Cyber Sprint initiative are crucial in finding where we are most vulnerable and shoring up these weak links in the chain.

“Strong cybersecurity requires a team effort. While agencies have a responsibility to secure their cyber networks, we in Congress have a responsibility to provide agencies with the resources, tools, and authorities they need to achieve this goal. My legislation with Chairman Johnson would require agencies to adopt key cybersecurity practices and tools, including the cyber intrusion detection and prevention system known as EINSTEIN. It is my hope that Congress and the Administration can continue to work together and ensure that our federal networks are properly prepared and equipped to fend off cyber attacks.”

The Federal Cybersecurity Enhancement Act of 2015 would mandate the deployment of cybersecurity best practices at agencies — measures such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls. The bill would also authorize EINSTEIN, an intrusion detection and prevention system intended to screen federal agencies’ Internet traffic for potential cyber threats. It would dramatically accelerate deployment and adoption of EINSTEIN, and it includes reporting requirements to increase program accountability. The bill was approved by the Senate Homeland Security and Governmental Affairs Committee in July.

Passed last Congress, the Federal Information Security Modernization Act (FISMA) of 2014 (P.L. 113-283), introduced by Sens. Carper and Tom Coburn (R-Okla.) made updates to the Federal Information Security Management Act of 2002 to better help agencies address evolving cyber threats. The law better delineates the roles and responsibilities of the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) in securing federal networks, moves agencies away from paperwork-heavy processes and toward real-time and automated security, and puts greater management and oversight attention on data breaches.

The Federal Information Technology Acquisition Reform Act (FITARA), co-sponsored by Sens. Carper and Coburn, and Reps. Darrell Issa (R-Calif.) and Gerry Connolly (D-Va.) would improve how the federal government acquires, implements and manages its information technology investments by giving agency Chief Information Officers (CIOs) more authority over the budget, governance, and personnel processes for agency Information Technology investments, and by improving transparency and review processes of agency IT investments. The measure was passed as part of the FY 2015 National Defense Authorization Act (NDAA) (P.L. 113-291).