GAO finds information security compliance is sporadic
- By David McGlinchey
- July 28, 2004
A GAO survey of 24 federal agencies found that 63 percent of information systems met security guidelines issued by the National Institute of Standards and Technology, including the minimum security controls mandated by the 2002 Federal Information Security Management Act. The GAO report determined, however, that compliance and accreditation varied greatly. Seven of the 24 agencies said more than 90 percent of their systems were certified and accredited as secure, while six reported that less than half of their systems were accredited as secure.
The survey was completed for House Government Reform Committee Chairman Tom Davis, R-Va., who has been critical of the government's information security. In March, Davis warned of a "cyber Pearl Harbor" if IT security measures were not improved.
The Housing and Urban Development and Agriculture departments reported that none of their systems are certified or accredited to meet the NIST guidelines. Officials at both departments said concerns over the certification process caused them to report that their systems were not in compliance.
The top compliance levels were at the Social Security Administration and the Nuclear Regulatory Commission, which both registered 100 percent accreditation and certification. NASA reported 98 percent compliance and the National Science Foundation told GAO that 95 percent of its information systems met the guidelines. At the Defense Department, 77 percent of systems meet the guidelines, according to GAO. The study was conducted between September 2003 and June 2004.
The NIST compliance guidelines are an update to its previous security guidance. They are tailored to "reflect today's more distributed computing environment in which systems are constantly evolving and require real-time, ongoing monitoring," according to the report (GAO-04-376). The guidelines do not apply to information systems that deal with intelligence issues, the management of military forces and other national security subjects.
Every agency surveyed reported that its process for certification and accreditation met the federal guidelines, but a closer GAO investigation of four agencies showed that the standards were not always satisfied.