Security problems continue to plague federal accounting system

The government has failed to correct long-standing computer security weaknesses in its central accounting system, continuing to put sensitive data and billions of dollars at risk, according to a new report from the General Accounting Office.

The Treasury Department's Financial Management Service still needs to address nearly half of the accounting system's security problems, including weak computer access controls and lax enforcement of security policies, according to the report, "Financial Management Service: Significant Weaknesses in Computer Controls Continue" (GAO-02-317). FMS oversees the federal government's accounting and reporting systems and distributes money to most federal agencies.

As part of its annual financial audit, GAO reviewed FMS' computer security policies, concluding that access controls at each of the agency's data centers failed to protect computer programs from unauthorized users and granted excessive privileges to employees who did not need them. Physical security controls at three of the five sites GAO studied also were lax, according to the report. One center could not provide GAO with a list of those granted physical access to the building because its security system was not working.

The computer security gaps are placing "billions of dollars of payments and collections at risk of loss or fraud," the report said. In fiscal 2000, the Treasury Department distributed more than $1.9 trillion, mainly in the form of Social Security checks and veterans benefit payments, IRS tax refunds, federal employee salaries and payments to contractors. The government collected more than $2 trillion in taxes, duties and fines during the same period.

Access controls in each of the data centers studied for fiscal 1997, 1998 and 1999 were also inadequate, GAO said.

Although GAO praised FMS for making strides in developing security procedures and guidance, the congressional watchdog agency said FMS must make a greater effort to develop and maintain system-wide security improvements. "Until FMS takes a more disciplined and structured approach to computer security through a fully implemented entity-wide security program, there is a significant increased risk that controls will not be adequate, properly implemented or applied consistently across each of its data centers," the report said.

GAO recommended that FMS correct each of the individual security weaknesses outlined in the report and urged the agency to develop a detailed plan naming the officials responsible for implementing a system-wide security network and establishing a timeline for completion.

FMS agreed that security needs to be improved, but also said it has made progress in correcting problems identified in previous audits, including improving weaknesses caused by obsolete technology. "Although there is always room for improvement, I believe that we have not compromised the public trust in carrying out our payments, collections and governmentwide accounting responsibilities," said FMS Commissioner Richard L. Gregg in a letter to GAO.