Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses

GAO-09-546: Published: Jul 17, 2009. Publicly Released: Jul 17, 2009.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov
For many years, GAO has reported that weaknesses in information security are a widespread problem that can have serious consequences--such as intrusions by malicious users, compromised networks, and the theft of intellectual property and personally identifiable information--and has identified information security as a governmentwide high-risk issue since 1997. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which authorized and strengthened information security program, evaluation, and reporting requirements for federal agencies. In accordance with the FISMA requirement that the Comptroller General report periodically to Congress, GAO's objectives were to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) federal agencies' implementation of FISMA requirements. To address these objectives, GAO analyzed agency, inspectors general, Office of Management and Budget (OMB), and GAO reports.

Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft. For fiscal year 2008, almost all 24 major federal agencies had weaknesses in information security controls. An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs. As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise. In prior reports, GAO has made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls.

Federal agencies reported increased compliance in implementing key information security control activities for fiscal year 2008; however, inspectors general at several agencies noted shortcomings with agencies' implementation of information security requirements. Agencies reported increased implementation of control activities, such as providing awareness training for employees and testing system contingency plans. However, agencies reported decreased levels of testing security controls and training for employees who have significant security responsibilities. In addition, inspectors general at several agencies disagreed with performance reported by their agencies and identified weaknesses in the processes used to implement these activities.
Further, although OMB took steps to clarify its reporting instructions to agencies for preparing fiscal year 2008 reports, the instructions did not request inspectors general to report on agencies' effectiveness of key activities and did not always provide clear guidance to inspectors general. As a result, the reporting may not adequately reflect agencies' implementation of the required information security policies and procedures.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that OMB included in its annual FISMA report to Congress, a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices. (3/1/2013)

    Recommendation: The Director of the Office of Management and Budget should include in OMB's report to Congress, a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that OMB clarified and enhanced reporting instructions to inspectors general for evaluating certifications and accreditations by removing the rating categories and providing additional guidance for assessing certifications and accreditations, which are now known as security assessments and authorizations. (3/1/2013)

    Recommendation: The Director of the Office of Management and Budget should clarify and enhance reporting instructions to inspectors general for certification and accreditation evaluations by providing them with guidance on the requirements for each rating category.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that OMB updated its annual FISMA reporting instructions to request that inspectors general report on the effectiveness of agencies' processes for developing inventories, monitoring contractor operations, and providing specialized security training. (3/1/2013)

    Recommendation: The Director of the Office of Management and Budget should update annual reporting instructions to request inspectors general to report on the effectiveness of agencies' processes for developing inventories, monitoring contractor operations, and providing specialized security training.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Not Implemented

    Comments: In fiscal year 2013, OMB did not provide support to demonstrate that it approves or disapproves agencies' information security programs through the approval of agencies' budgets. (3/1/2013)

    Recommendation: The Director of the Office of Management and Budget should approve or disapprove agency information security programs after review.

    Agency Affected: Executive Office of the President: Office of Management and Budget
