GAO reports “significant weaknesses” in federal information security systems
WASHINGTON – Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Friday called for the federal government to take more steps to address its persistent and widespread information security vulnerabilities.
A report released by the Government Accountability Office found “significant weaknesses” in information security policies and practices across almost all of the major federal agencies that have placed sensitive data at risk for theft, loss, or improper disclosure. The GAO study was a requirement under the Federal Information Security Management Act (FISMA) enacted in 2002.
“This GAO study, along with recent reports of missing computers at the Veterans Affairs Department and millions of dollars worth of lost equipment at NASA, are just the latest reminders that the federal government is not doing enough to guarantee the security of its computer systems and the vast databases within them,” Lieberman said. “As information technology continues to advance by leaps and bounds, we must take equivalent leaps and bounds to protect against theft, misuse, and abuse of information brought together by that technology. Cybersecurity and data protection are issues that the Homeland Security and Governmental Affairs Committee have been working on for years, and I will continue to make sure agencies are taking the necessary precautions to defend against breaches and abuse.”
GAO found the following information security gaps:
• Almost all of the major federal agencies had weaknesses in one or more areas of information security controls.
• Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer resources.
• Agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
• Agencies have not fully implemented their information security programs.
• The report concluded that “as a result, agencies may not have assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”
In prior FISMA reports, GAO made hundreds of recommendations to agencies to address specific threats or risks to information security vulnerabilities. This most recent report made recommendations to the Director of the Office of Management and Budget to strengthen FISMA reporting requirements and to request that Inspectors General evaluate certain implementation efforts.
Lieberman’s E-government Act, which was signed into law on Dec. 17, 2002, included FISMA, which was a strengthened version of the Government Information Security Reform Act that he had originally coauthored in 2000. The law established guidelines for computer security throughout the federal government and provided for both OMB and Congressional oversight.
The full GAO report can be accessed here.