Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk

AIMD-98-92 Published: Sep 23, 1998. Publicly Released: Sep 23, 1998.
Highlights

Pursuant to a congressional request, GAO reviewed: (1) the effectiveness of federal information security practices based on recently issued audit reports; (2) efforts to centrally oversee and manage federal information security; and (3) actions taken by the Office of Management and Budget (OMB) and the federal Chief Information Officers (CIO) Council to address federal information security problems.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should ensure that executive agencies are carrying out the responsibilities outlined in laws and regulations requiring them to protect the security of their information resources.
Status: Closed – Implemented
Comments: In October 2000, Congress enacted Government Information Security Reform legislation that consolidated separate information security requirements found in law and guidance into an overall framework for managing information security, and established new annual review, independent evaluation, and reporting requirements to help ensure agency implementation and oversight by both the Office of Management and Budget and Congress. These provisions require each agency to establish an agency-wide risk-based information security program, implement specific information security requirements, and conduct an annual program review. In addition, each agency is to have an annual independent evaluation of its information security program and practices performed by the agency inspector general or another independent evaluator. The results of these evaluations are to be reported to the Office of Management and Budget, which is required to submit an annual report to the Congress summarizing the results. In its February 2002 statutory report to Congress on Government Information Security Reform, the Office of Management and Budget reviewed and summarized the reports submitted by the agencies and their inspectors general, and identified six common government-wide security weaknesses. The information security practices and annual evaluation and reporting requirements of the Government Information Security Reform legislation satisfy the overall intent of this recommendation that federal information security be coordinated under a comprehensive strategy. While this legislation expires in November 2002, Congress is considering reauthorization legislation, and the Office of Management and Budget has expressed its commitment to continuing requirements for annual agency evaluation and reporting.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should clearly delineate the roles of the various federal organizations with responsibilities related to federal information security.
Status: Closed – Implemented
Comments: In October 2000, Congress enacted Government Information Security Reform provisions that consolidated separate information security requirements found in law and guidance into an overall framework for managing information security. This legislation reinforced the information security oversight role of the Office of Management and Budget by requiring agencies to report the results of an annual independent evaluation of their information security programs and practices to the Office of Management and Budget, which is to submit an annual report to Congress summarizing these results. It also defined the responsibilities of other agencies, such as the Department of Commerce, through the National Institute of Standards and Technology, to develop and issue information security standards and guidance, and the Secretary of Defense and the Director of Central Intelligence to develop and issue standards and guidance for national security systems. In addition, in October 2001, the President issued an executive order establishing the Critical Infrastructure Protection Board, which includes a standing committee for executive branch information systems security, chaired by the Office of Management and Budget.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should identify and rank the most significant information security issues facing federal agencies.
Status: Closed – Implemented
Comments: In its February 2002 statutory report to the Congress on Government Information Security Reform, the Office of Management and Budget identified six common government-wide security weaknesses based on its review of reports submitted by the agencies and their inspectors general. Also, the Critical Infrastructure Assurance Office, within the Department of Commerce, has developed a methodology, referred to as Project Matrix, for identifying key federal assets and operations that merit strong protection. In its report to Congress, the Office of Management and Budget established a requirement for large federal agencies to undergo a Project Matrix review. These efforts, and particularly annual reporting by the Office of Management and Budget to Congress on the results of Government Information Security Reform evaluations, should continue to help identify the most significant information security issues facing federal agencies.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should promote information security risk awareness among senior agency officials whose critical operations rely on automated systems.
Status: Closed – Implemented
Comments: Several significant actions have been taken to promote risk awareness. Specifically, the Critical Infrastructure Assurance Office, the Federal Chief Information Officers Council, and the Office of Management and Budget have held seminars and urged agencies to gain a more thorough understanding of the risks associated with their use of the Internet, and to more explicitly identify the steps they are taking to ensure the security of their computerized operations. In addition, Government Information Security Reform legislation requires agencies to implement a risk management approach, and the Office of Management and Budget now requires that agencies annually report the number of systems that have received risk assessments. The National Institute of Standards and Technology has also recently issued a guide for federal agencies on risk management (SP 800-30, January 2002).

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should identify and promote proven security tools, techniques, and management best practices.
Status: Closed – Implemented
Comments: During late 1999 and early 2000, the Chief Information Officers Council sponsored an effort to establish a repository of security "best practices," which was led by the Agency for International Development and made available through the Internet. In August 2001, the Chief Information Officers Council recognized the success of the Federal Best Security Practices pilot effort and began steps to see it transitioned to an operational, institutional program. Specifically, the Council asked the National Institute of Standards and Technology's Computer Security Division to create a security practices web site. This transition is complete, and the material is now available as "Agency Security Practices" on the National Institute of Standards and Technology's Computer Security Resource Clearinghouse website (http://csrc.nist.gov/). In addition, the National Institute of Standards and Technology has issued a number of information security guidance documents covering such topics as risk management, intrusion detection systems, and contingency planning. It has also issued a Security Self-Assessment Guide for Information Technology Systems (SP 800-26, November 2001) and an automated version, the Automated Security Self-Evaluation Tool (ASSET).

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should ensure the adequacy of information technology workforce skills.
Status: Closed – Implemented
Comments: In June 1999, the Federal CIO Council issued a report entitled "Meeting the Federal IT Workforce Challenge," which included 13 recommendations. The Office of Personnel Management has acted to address many of the recommendations, including revising job titles and standards and authorizing pay enhancements for information technology workers. Other actions include a scholarship program, focused recruitment efforts, and grants to educational institutions. In addition, Government Information Security Reform legislation enacted in 2000 requires agencies to ensure training for personnel with significant information security responsibilities. While information technology workforce shortages continue, these actions represent significant efforts to address this issue. Accordingly, recognizing that long-term efforts in this area must continue, GAO is closing this recommendation.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should ensure that the security of both financial and nonfinancial systems is adequately evaluated on a regular basis.
Status: Closed – Implemented
Comments: In late 2000, Congress enacted Government Information Security Reform provisions that require annual audits of all agency information systems. In support of this effort, the National Institute of Standards and Technology and the Office of Management and Budget, working with the Chief Information Officers Council, developed the Federal Information Technology Security Assessment Framework and a supporting questionnaire, the Security Self-Assessment Guide for Information Technology Systems (SP 800-26, November 2001), to guide agency efforts. In addition, in mid-2001, the National Institute of Standards and Technology established an "expert review team" to help agencies evaluate the security of their systems. The Office of Management and Budget now requires that the agencies use the security self-assessment guide in performing their Government Information Security Reform reviews. Also, in its July 2002 reporting instructions to the agencies, the Office of Management and Budget specifically encourages that inspector general independent evaluations be a representative sampling of agency systems, which would include both financial and nonfinancial systems.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should include long-term goals and objectives, including timeframes, priorities, and annual performance goals.
Status: Closed – Implemented
Comments: Enacted in December 2002, the Federal Information Security Management Act of 2002 requires federal departments and agencies to establish information security programs that meet specific requirements and to perform annual reviews and independent evaluations of these programs. OMB has also provided annual reporting guidance to the agencies that includes specific performance measures for many of these requirements, and has established overall performance goals for key requirements. For example, one such measure is the percentage of agency systems that have been certified and accredited, a process that helps to ensure that controls for an information system meet specified security requirements and that management approves the operation of the system at an acceptable level of risk. Related to this measure, OMB has established an overall performance goal that 80 percent of federal information systems be certified and accredited by the end of fiscal year 2003. In addition, agencies must report the results of their annual security program reviews to OMB and Congress, and OMB must report the overall results of agencies' annual independent evaluations to Congress by March first of each year. These statutory program and reporting requirements, as well as the OMB-established performance measures and goals, satisfy the overall intent of this recommendation that federal information security be coordinated under a comprehensive strategy.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should provide for periodically evaluating agency performance from a governmentwide perspective and acting to address shortfalls.
Status: Closed – Implemented
Comments: In October 2000, Congress enacted Government Information Security Reform provisions that consolidated separate information security requirements found in law and guidance into an overall framework for managing information security and established new annual review, independent evaluation, and reporting requirements to help ensure agency implementation and oversight by both the Office of Management and Budget and Congress. These provisions require each agency to conduct an annual program review and to have an annual independent evaluation of its information security program and practices performed by the agency inspector general or another independent evaluator. The results of these evaluations are to be reported to the Office of Management and Budget, which is required to submit an annual report to Congress summarizing the results. In its February 2002 statutory report to Congress on Government Information Security Reform, the Office of Management and Budget reviewed and summarized the reports submitted by the agencies and their inspectors general, and identified six common government-wide security weaknesses. In addition, the Office of Management and Budget is requiring the agencies to prepare and submit corrective action plans and quarterly updates of these plans to monitor correction of information security weaknesses identified in the agency reviews and evaluations.

Topics

Classified information; Computer crimes; Computer security; Confidential communications; Critical infrastructure protection; Data integrity; Federal CIO Council; Federal computer incident response capability; Hackers; Homeland security; Information leaking; Information resources management; Information security; Internal controls; Information management