GAO again slams agencies' cybersecurity efforts

Congressional auditors tell OMB officials to step up oversight of agencies’ IT security efforts.

Congressional auditors have given federal agencies a harsh rebuke for failing to implement laws intended to guard government computers from electronic attacks.

Finding "pervasive weaknesses" in the information security policies of all 24 major agencies studied, a recent Government Accountability Office report (GAO-05-552) concluded that the agencies' poor performance could "threaten the integrity, confidentiality and availability of federal information and information systems."

Despite this harsh criticism, GAO found that agencies' compliance with the law that sets guidelines for securing agencies' networks - the 2002 Federal Information Security Management Act - has improved. The report stated that agencies are implementing security practices and that inspectors general have been conducting the mandated annual reviews.

GAO criticized the Office of Management and Budget's guidance to agencies, stating that the usefulness of the reports could be improved for congressional oversight purposes.

In a letter included in the report, Karen Evans, OMB's administrator for the Office of E-Government and Information Technology, disputed several of GAO's findings, including the recommendation that OMB could improve oversight. She said that OMB "strongly disagrees with any inference" that its reporting guidelines failed to meet FISMA requirements.

"OMB's reporting instructions satisfy all FISMA requirements through a combination of data questions and specialized questions," Evans wrote. "Scarce agency resources should focus on developing and implementing a program to secure information and systems."

OMB is developing a method for standardizing agencies' cybersecurity processes to allow for better security and to cut costs.

This is the second report in as many months on the IT security plans of agencies. GAO also strongly criticized the Homeland Security Department for failing to have adequate cybersecurity plans in a report released earlier this month.

Rep. Tom Davis, R-Va., chairman of the House Government Reform Committee, which issues cybersecurity grades to each agency every year, said that GAO's recommendations would improve reporting requirements and give oversight groups like his committee a better idea of agencies' information security progress. He said the FISMA process is still developing and "as it matures, the guidance will go through growing pains and require further changes."

"Given the ever-evolving nature of cyberthreats, complacency is not an option," Davis said. "Having said that, we want to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law. We don't want them filling out forms to simply fill out forms."

In February, Davis released ratings showing that while agencies are improving in their compliance with FISMA, there is still much to be done.

"I think [FISMA] provides the agencies with a strong management framework, but I recognize that it is not a panacea," Davis said. "There may be a need for amendments to facilitate implementation of the security concepts that drive FISMA. The FISMA process is still a young one."