This is the accessible text file for GAO report number GAO-02-649R entitled 'Information Security: Subcommittee Post-Hearing Questions Concerning the Additional Actions Needed to Implement Reform Legislation' which was released on April 16, 2002. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products’ accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. GAO-02-649R: United States General Accounting Office: Washington, DC 20548: April 16, 2002: The Honorable Stephen Horn: Chairman: Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations: Committee on Government Reform: House of Representatives: Subject: Information Security: Subcommittee Post-Hearing Questions Concerning the Additional Actions Needed to Implement Reform Legislation: This letter responds to your March 26, 2002, request that we provide answers to questions relating to our testimony of March 6, 2002. [Footnote 1] In that hearing, we discussed efforts by the Office of Management and Budget (OMB), 24 of the largest federal agencies, and these agencies' inspectors general to implement requirements and report evaluation results according to provisions for Government Information Security Reform (the reform provisions) that were enacted as part of the National Defense Authorization Act for Fiscal Year 2001.[Footnote 2] Your questions, along with our responses, follow. 1. Do you agree with OMB's assessment of the top six security weaknesses within the Federal agencies? Why or why not? We agree that the six security weaknesses OMB identified in its report to the Congress represent significant deficiencies in federal departments' and agencies' information security programs. Specifically, these are (1) a lack of senior management attention to information security; (2) inadequate accountability for job and program performance related to information technology security; (3) limited security training for general users, information technology professionals, and security professionals; (4) inadequate integration of security into the capital planning and investment control process; (5) poor security for contractor-provided services; and (6) limited capability to detect, report, and share information on vulnerabilities or to detect intrusions, suspected intrusions, or virus infections. However, as OMB indicates, for the most part, its report focuses on management issues, not those of technical or operational implementation. As pointed out in my written statement, our analyses of the reports submitted to OMB by 24 of the largest federal agencies and their inspectors general showed that there are other key security requirements of the reform provisions that agencies have not fully implemented, such as those that require periodic risk assessments for all agency systems and periodic testing and evaluation of controls to ensure that they are implemented and operating as intended. In addition, our analyses of GAO and inspector general audit reports issued from July 2000 through September 2001 confirm that most agencies have significant weaknesses in their information security general controls, that is, the policies, procedures, and technical controls that apply to all or a large segment of an entity's information systems and help ensure their proper operation. In particular, we found that for the 24 large federal departments and agencies we reviewed, all had significant weaknesses in security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented, and in access controls which ensure that only authorized individuals can read, alter, or delete data. 2. In your statement, you indicated that "an important step toward ensuring information security is to fully understand the weaknesses that exist, and as the body of audit evidence expands, it is probable that additional significant deficiencies will be identified." * Why are security weaknesses in Federal information systems still not fully understood? In past years, most reviews of information security controls were performed as part of agency financial statement audits and, thus, focused on financial systems. However, since the reform provisions are applicable to essentially all systems including national security systems and other types of risk beyond financial statements, audit coverage, as well as the required annual management reviews of agency information security programs, should include such additional risks and more nonfinancial systems. This is particularly true for agencies with significant nonfinancial operations, such as the departments of Defense and Justice. It is the extent of the weaknesses for these nonfinancial systems that are still not fully identified. * Is there any way to characterize the impact of those undiscovered weaknesses? While we do not know the extent of the weaknesses in many nonfinancial systems, any weaknesses would likely be similar to those found in financial systems. Such weaknesses are categorized within six general control categories, which are described in GAO's Federal Information System Controls Audit Manual.[Footnote 3] These general control categories are (1) security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented; (2) access controls, which ensure that only authorized individuals can read, alter, or delete data; (3) software development and change controls, which ensure that only authorized software programs are implemented; (4) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (5) operating systems controls, which protect sensitive programs that support multiple applications from tampering and misuse; and (6) service continuity, which ensures that computer-dependent operations experience no significant disruptions. My written statement characterizes the impact of such control weaknesses as placing a broad array of federal operations and assets at risk. For example, * resources, such as federal payments and collections, could be lost or stolen; * computer resources could be used for unauthorized purposes or to launch attacks on others; * sensitive information-—such as taxpayer data, social security records, medical records, and proprietary business information—-could be inappropriately disclosed or browsed or copied for purposes of espionage or other types of crime; * critical operations, such as those supporting national defense and emergency services, could be disrupted; * data could be modified or destroyed for purposes of fraud or disruption; and; * agency missions could be undermined by embarrassing incidents that result in diminished confidence in their ability to conduct operations and fulfill their fiduciary responsibilities. Until these undiscovered weaknesses are fully identified, corrective actions will not be fully effective. * Are current evaluation and audit methodologies adequate to uncover these weaknesses? While adequate methodologies currently exist to identify and detect information security weaknesses, such methodologies must be appropriately applied to provide necessary audit and management review coverage. Further, periodically evaluating the effectiveness of security policies and controls is essential to ensuring that controls are implemented and functioning as intended. For example, GAO's Federal Information System Controls Audit Manual provides a methodology for evaluating information system controls. However, audit coverage should be expanded to cover both financial and nonfinancial systems. This will place a significant new burden on the existing audit capabilities of agency inspectors general and will require that they have appropriate resources to either perform or contract for the needed work. As another example, the reform provisions require program officials to perform annual program reviews, which are to include periodic testing and evaluation of the effectiveness of information security policies, procedures, controls, and techniques. To help perform these reviews, the National Institute of Standards and Technology developed its Federal IT Security Assessment Framework, [Footnote 4] which uses an extensive questionnaire containing specific control objectives and techniques against which an unclassified system or group of interconnected systems can be tested and measured. While many of the 24 agencies we contacted said that they used this questionnaire in performing their reviews, many also said that their results were based on management self-assessments, which did not include control testing to ensure that information security controls were implemented and operating as intended. 3. What do you see as the most significant barriers to securing Federal information technology resources? What can be done to overcome these barriers? Through our audit work and analyses, we have noted several significant barriers to securing federal information technology resources. Three such barriers—poor information security program management, obtaining appropriate funding, and acquiring needed technical and audit expertise—are discussed below. Poor Information Security Program Management: GAO and inspector general audit work reviewed for 24 of the largest federal agencies indicates that a significant barrier to securing federal information technology resources is agencies not fully implementing a set of management procedures and an organizational framework for identifying and assessing risks, deciding what policies and controls are needed, periodically evaluating the effectiveness of these policies and controls, and acting to address any identified weaknesses. These are the fundamental activities that allow an organization to manage its information security risks in a cost- effective manner rather than reacting to individual problems in an ad- hoc manner only after a problem has been detected or an audit finding reported. Despite the importance of this aspect of an information security program, virtually all the agencies for which this aspect of security was reviewed had deficiencies. Specifically, many had not (1) developed security plans for major systems based on risk, (2) documented security policies, and (3) implemented a program for testing and evaluating the effectiveness of the controls they relied on. As a result, these agencies: * were not fully aware of the information security risks to their operations, * had accepted an unknown level of risk by default rather than consciously deciding what level of risk was tolerable, * had a false sense of security because they were relying on ineffective controls, and, * could not make informed judgments as to whether they were spending too little or too much of their resources on security. Obtaining Appropriate Funding: Another barrier frequently mentioned by agencies is obtaining appropriate information security funding. However, while OMB requires agencies to identify amounts for information security in their budget submissions, agencies do not always provide this information. For example, the fiscal year 2001 and 2002 security costs that OMB requested agencies to identify as part of their reform provision reporting were not provided in some cases, and in other cases, there was no detail as to what these costs consisted of or how they are actually reflected in agency budget submissions. Further, OMB reports that it assessed the agencies' performance against the amount agencies spent and did not find that increased security spending equals increased security performance. As a result, OMB concludes that there is no evidence that poor security is a result of lack of money. To help overcome this funding barrier, agencies must identify their information security costs to demonstrate their understanding of such costs and justify continued or additional funding. Further, as OMB indicates in its report to the Congress, much can also be done to cost- effectively address common weaknesses, such as security training, across government rather than piecemeal by agency. New funding initiatives by the administration may also help provide additional information security resources to federal agencies. For fiscal year 2003, the president is requesting $4.2 billion for information security funding from a total information technology investment request of approximately $52 billion as compared to about $2.7 billion reported for fiscal year 2002 from a total reported information technology investment of about $48 billion. This fiscal year 2003 amount does not include new governmentwide initiatives of the Office of Homeland Security, which include $298 million for cyberspace security. Acquiring Technical and Audit Expertise: As highlighted during the Year 2000 challenge, the availability of technical and audit expertise is a continuing concern to agencies. Agencies must have the technical expertise they need to select, implement, and maintain controls that protect their information systems. Programs are now underway to increase these resources by encouraging the creation of and participation in information security curriculums in educational institutions. In addition, the federal government must also maximize the value of its technical staff by sharing expertise and information. We are sending copies of this letter to OMB and other interested parties. Should you or your offices have any questions on matters discussed in this letter, please contact me at (202) 512- 3317. I can also be reached by e-mail at daceyr@gao.gov. Sincerely yours, Signed by: Robert F. Dacey Director, Information Security Issues: [End of section] Footnotes: [1] U.S. General Accounting Office, Information Security: Additional Actions Needed to Fully Implement Reform Provisions, [hyperlink, http://www.gao.gov/products/GAO-02-470T] (Washington, D.C.: Mar. 6, 2002). [2] Title X, Subtitle G—Government Information Security Reform, Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001, P.L.106-398 (Oct. 30, 2000). [3] U.S. General Accounting Office, Federal Information System Controls Audit Manual, Volume 1-—Financial Statement Audits, [hyperlink, http://www.gao.gov/products/GAO/AIMD-12.19.6] (Washington, D.C.: Jan. 1999). [4] National Institute of Standards and Technology, Federal Information Technology Security Assessment Framework, prepared for the Federal CIO Council by the NIST Computer Security Division Systems and Network Security Group (Nov. 28, 2000). [End of section]