TOPICS
TOPICS
Government still suffers from information insecurity
Federal agencies continue to struggle with information security, according to a new report from the Government Accountability Office. Weak access controls, network device configuration, and management procedures leave systems vulnerable to malicious attacks and data at risk of exposure.
The report (GAO-08-496), which GAO presented to Congress during a hearing Thursday, summarized agency progress in performing key control activities, the effectiveness of information security efforts, and opportunities to strengthen security, based upon prior audits, federal policies, and inspectors general reports.
"Significant weaknesses continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets and personnel of federal agencies," the report said. In their fiscal 2007 performance and accountability reports, 20 of 24 major agencies indicated that inadequate information security controls were either a significant deficiency or a material weakness. GAO audits returned similar findings for financial and non-financial systems.
Such weaknesses resulted in a number of reported breaches by agencies, and an increase in security incidents reported to the U.S. Computer Emergency Readiness Team (US-CERT) from 3,634 in fiscal 2005 to 13,029 in fiscal 2007.
GAO organized the most significant information security weaknesses facing agencies into five categories: access controls that ensure only authorized users can view and alter data; software configuration management controls; separation of duties, which offers checks and balances over users' network activities; continuity of operations planning to minimize risk of system outages in emergencies, and agencywide information security programs that meet the requirements of the 2002 Federal Information Security Management Act by properly assessing risk and defining policies for preventing data breaches.
In the area of access controls, GAO found that 19 of 24 major agencies reported weaknesses, including failure to identify and authenticate users, enforce measures to ensure access is appropriate, encrypt sensitive data on networks and mobile devices, and monitor network activities.
GAO pointed to failure to implement security programs as a primary cause of information security weaknesses. In one case, an agency assessed its security risk without any inventory of interconnections between systems. In another, an agency overlooked a number of vulnerabilities that GAO later identified. Program guidelines and testing are often insufficient or out of date, and training of employees on protocols for ensuring information security lacking, auditors found.
Some progress in information security has been made. According to the Bush administration's proposed fiscal 2009 budget, the percentage of certified and accredited systems rose from 88 percent to 92 percent in 2007, and testing of security controls increased from 88 percent to 95 percent of systems. Contingency plan testing increased from 77 percent to 86 percent, and 76 percent of agencies had an effective process in place for identifying and correcting weaknesses using management processes.
"The government has made progress in writing reports, but no progress in improving the [aspects of] security that matter -- keeping the wrong people out," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md. Paller also testified at the hearing, arguing that FISMA requirements laid out by the National Institute of Standards and Technology need to be prioritized.
Currently, agencies receive a list of standards required for FISMA compliance, and are scored according to the percentage met. "When you have children, there will be a time where you want them to do homework along with 10 other things," Paller said. "If you score them on the percentage of what they complete, and the homework is hard, they'll do all the other stuff that matters a whole lot less because it's easy."
Another way to improve information security in the federal government is to have vendors "bake it in with every procurement," Paller said. He pointed to a mandate from the Office of Management and Budget requiring agencies that run, or plan to run, Windows XP or Vista to adopt a specific security configuration. The guidelines include recommended language for use in bids for technology to ensure contractors incorporate the proper security configurations with procured systems.
"It's brilliant," Paller said. "It's the best thing at a high level going on in government to promote information security."
COMMENTS
- That's what you get from jumping into something with both feet without careful analysis. I wonder if all the SOA and EA junk being implemented will need to be revisited. That will cost the taxpayers even more -- because of poor analysis, planning, and weak implementation. frank Posted February 19, 2008 6:12 PM
- Seems that too few people understand risks and make the proper assessments. All C&A activities and FISMA are approximations, shortcuts for risk assessments. Even given the easier way out, many folks still put energy into circumventing the process, "gaming the process" as I often say. Those who understand the real risks should have a say in what the security controls should be. Then, hopefully, agencies will become believers and understand that the security requirements are important. ..and as concerns procurements and program development, security experts should be at the table from the very beginning of any procurement discussions. Lastly, if the Government wants the contractors to include security in their bids, then the Government must make security a part of each RFP. Roger Rocket Posted February 19, 2008 10:00 AM
- This is part of the problem in the misinterpretation of the policies and procedures. The Continuity of Operations Plan (COOP) is the restoration of business functions should a building become inaccessible (Ie DOJ during flooding). A Contingency Plan (CP) (NIST SP 800-34) refers to restoring a system to its full operational cability. The above article does not begin to cover the whole story, it would be interesting to see how many agencies have Certified Professionals (CISSP, CISA, CISM) that assisted in acquiring a failing mark. It is the unethical practices of upper management and the shear misunderstanding of the whole process that gives way to inadequate securiy measures. FISMA is a joke, it that the scorecard only lists the Executive Branch, where are the Judicial and Legislative Branches. FISMA clearly specifies federal agencies and yet only one branch is lame enought to report to the FISMA standards. Why? The last article in FISMA must be true: 3549. While this subchapter is in effect, subchapter II of this chapter shall not apply.’’. Are the other two branches exercising this section and not reporting to congress or OMB on their effectiveness. If it is desired to fix this probelm, try replacing the management levels that on political agendas and not caring for their own agency beenfits. Robert Edwards Posted February 19, 2008 8:30 AM
PROMO RIGHT: GBC
Advancing the business of government through analysis, insight and the sharing of best practices.
SPONSORED RESEARCH
Achieving a Greener Federal Government IBM
Federal Cybersecurity: Securing the Nation's Information IBM
American Recovery and Reinvestment Act: New Requirements for Tracking and Reporting Federal Workforce Data Kronos
Managing the Stimulus: A Candid Survey of Federal Program Managers Accenture and Microsoft
Improving Collaboration and Productivity in 21st Century Government: The Role of Communication for Government Executives Cisco
