Information Security:

Selected Departments Need to Address Challenges in Implementing Statutory Requirements

GAO-07-528: Published: Aug 31, 2007. Publicly Released: Oct 1, 2007.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

The Federal Information Security Management Act of 2002 (FISMA) strengthened security requirements by, among other things, requiring federal agencies to establish programs to provide cost-effective security for information and information systems. In overseeing FISMA implementation, the Office of Management and Budget (OMB) has established supporting processes and reporting requirements. However, 4 years into implementation of the act, agencies have not yet fully implemented key provisions. In this context, GAO determined what challenges or obstacles inhibit the implementation of the information security provisions of FISMA at the Departments of Defense, Homeland Security, Justice, and State. To do this, GAO reviewed and analyzed department policies, procedures, and reports related to department information security programs and interviewed agency officials.

Defense, Homeland Security, Justice, and State face challenges in implementing key information security control activities required by FISMA and by OMB in its oversight role. These activities include creating and maintaining an inventory of major systems, implementing common security configurations, ensuring that staff receive information security training, testing and evaluating controls, taking remedial actions where deficiencies are found, and certifying and accrediting systems for operation. The four departments were challenged in several of these areas. For example, Defense is challenged in developing a complete FISMA inventory of systems because it has different definitions of what constitutes a "system." As another example, Homeland Security reported that the tool it uses to report security training counts each course taken, instead of tracking that an individual has taken a specialized course. As a result, the department lacks assurance that all users have received appropriate training. Until the departments address their challenges and fully implement effective departmentwide information security programs, increased risk exists that they will not be able to effectively protect the confidentiality, integrity, and availability of their information and information systems.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Secretary of State should direct State's Chief Information Officer (CIO) to improve mechanisms for tracking information security awareness training of personnel.

    Agency Affected: Department of State

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of State was implementing an automated tool that tracks information security awareness training of personnel. State has also enhanced its review processes to determine that all users have completed this training.

    Recommendation: The Secretary of State should direct State's CIO to address the weaknesses in security control testing policies as described in this report, and ensure that components complete required annual security control and contingency plan testing on all systems.

    Agency Affected: Department of State

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of State implemented an automated tool that outlines policies for testing and evaluation of security controls and contingency plans, and allows the department to track testing reports.

    Recommendation: The Attorney General should direct the Department of Justice's CIO to develop and implement a plan with milestones to achieve full implementation of common security configurations across all system platforms.

    Agency Affected: Department of Justice

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that the Department of Justice has issued a configuration management plan. In addition, Justice has implemented automated tools to ensure that department components adhere to configuration requirements.

    Recommendation: The Attorney General should direct the Department of Justice's CIO to address the weaknesses in security control testing policies as described in this report.

    Agency Affected: Department of Justice

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that the Department of Justice issued a security control assessment guide in 2009 that strengthens Justice's testing policies, including determining the depth and breadth of testing needed. In addition, we verified that Justice is conducting annual security assessments for all of its components.

    Recommendation: The Attorney General should direct the Department of Justice's CIO to reconcile redundancies in the department's remediation plan tracking tool.

    Agency Affected: Department of Justice

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of Justice replaced the remediation tracking tool that contained redundant plans of action and milestones (POA&Ms) with another tracking tool, and ensured that duplicate versions of POA&Ms were removed.

    Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to finalize and implement a departmentwide definition of a major information system that is accepted by the Defense Inspector General.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: In fiscal year 2009, we verified that the Department of Defense did not take action on this recommendation. Defense did not concur with the recommendation, and stated that its current definition of a major information system satisfied department requirements and those of the Federal Information Security Management Act.

    Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to achieve full implementation of common security configurations across all system platforms.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In fiscal year 2011, GAO verified that the Department of Defense had issued an Instruction in November 2007 establishing a certification and accreditation process that required a Defense-wide configuration control and management process. GAO also verified that Defense had implemented plans, such as the Federal Desktop Core Configuration, to achieve full implementation of common security configurations across all system platforms.

    Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to implement a mechanism to track information security training of personnel (i.e., security awareness and specialized training).

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that the Department of Defense issued an updated directive that described training objectives, including annual awareness training for all personnel, and specialized training for information assurance personnel. In addition, we verified that Defense has implemented an automated tool that enables the department to provide and track required training.

    Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to address the weaknesses in security control testing policies as described in this report, and ensure that components complete required annual security control and contingency plan testing on all systems.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that the Department of Defense has substantially addressed weaknesses in security control testing policies. In addition, Defense implemented procedures to ensure that annual testing of security controls and contingency plans is conducted and recorded.

    Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to complete development of the departmentwide remediation process and finalize the remediation guidance.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of Defense had finalized the remediation process and guidance by issuing a Defense Instruction, "Information Assurance Certification and Accreditation Process (DIACAP)," in November 2007.

    Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to ensure that all information systems receive a full authorization to operate, and to improve the department's certification and accreditation process.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of Defense, in its Defense Instruction "Information Assurance Certification and Accreditation Process (DIACAP)," restricted use of interim authority to operate by limiting the number of days such an authorization may remain in effect. Additionally, DIACAP requires operational systems found to have weaknesses to include those weaknesses in plans of action and milestones so they may be remediated. DIACAP also includes instructions for improving Defense's certification and accreditation processes.

    Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to develop and implement a plan with milestones to achieve full implementation of common security configurations across all system platforms.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of Homeland Security (DHS) issued a performance plan in 2008 that lists steps for strengthening configuration management at DHS and specifies deadlines and resources for achieving these steps.

    Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to coordinate with Homeland Security's Office of Human Capital to finalize implementation of the centralized Web-based learning management system for tracking the information security training of personnel.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of Homeland Security (DHS) has taken steps to finalize implementation of its centralized learning management system. Because this system did not track all DHS personnel, the department required all DHS components to report training totals to a Web-based, centralized compliance tool.

    Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to address the weaknesses in security control testing policies as described in this report, and ensure that components complete required annual security control and contingency plan testing on all systems.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of Homeland Security (DHS) issued a performance plan in 2008 that strengthens policies for testing security controls. In addition, this plan includes verification and validation processes for security control and contingency plan testing.

    Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to determine whether the department's FISMA reporting tool meets the requirements of different users, such as those at components, and take any necessary corrective action.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that the Department of Homeland Security's (DHS) Chief Information Officer had determined that the department's FISMA reporting tool, along with other tools for tracking actions taken to address weaknesses, meets the requirements of different DHS users. The CIO outlined processes in place for addressing the concerns of various DHS components regarding remediation tools.
