This is the accessible text file for GAO report number GAO-09-546 
entitled 'Information Security: Agencies Continue to Report Progress, 
but Need to Mitigate Persistent Weaknesses' which was released on July 
17, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 
GAO: 

July 2009: 

Information Security: 

Agencies Continue to Report Progress, but Need to Mitigate Persistent 
Weaknesses: 

GAO-09-546: 

GAO Highlights: 

Highlights of GAO-09-546, a report to congressional committees. 

Why GAO Did This Study: 

For many years, GAO has reported that weaknesses in information 
security are a widespread problem that can have serious consequences—
such as intrusions by malicious users, compromised networks, and the 
theft of intellectual property and personally identifiable information—
and has identified information security as a governmentwide high-risk 
issue since 1997. 

Concerned by reports of significant vulnerabilities in federal computer 
systems, Congress passed the Federal Information Security Management 
Act of 2002 (FISMA), which authorized and strengthened information 
security program, evaluation, and reporting requirements for federal 
agencies. 

In accordance with the FISMA requirement that the Comptroller General 
report periodically to Congress, GAO’s objectives were to evaluate (1) 
the adequacy and effectiveness of agencies’ information security 
policies and practices and (2) federal agencies’ implementation of 
FISMA requirements. To address these objectives, GAO analyzed agency, 
inspectors general, Office of Management and Budget (OMB), and GAO 
reports. 

What GAO Found: 

Persistent weaknesses in information security policies and practices 
continue to threaten the confidentiality, integrity, and availability 
of critical information and information systems used to support the 
operations, assets, and personnel of most federal agencies. Recently 
reported incidents at federal agencies have placed sensitive data at 
risk, including the theft, loss, or improper disclosure of personally 
identifiable information of Americans, thereby exposing them to loss of 
privacy and identity theft. For fiscal year 2008, almost all 24 major 
federal agencies had weaknesses in information security controls (see 
figure). An underlying reason for these weaknesses is that agencies 
have not fully implemented their information security programs. As a 
result, agencies have limited assurance that controls are in place and 
operating as intended to protect their information resources, thereby 
leaving them vulnerable to attack or compromise. In prior reports, GAO 
has made hundreds of recommendations to agencies for actions necessary 
to resolve prior significant control deficiencies and information 
security program shortfalls. 

Federal agencies reported increased compliance in implementing key 
information security control activities for fiscal year 2008; however, 
inspectors general at several agencies noted shortcomings with 
agencies’ implementation of information security requirements. Agencies 
reported increased implementation of control activities, such as 
providing awareness training for employees and testing system 
contingency plans. However, agencies reported decreased levels of 
testing security controls and training for employees who have 
significant security responsibilities. In addition, inspectors general 
at several agencies disagreed with performance reported by their 
agencies and identified weaknesses in the processes used to implement 
these activities. Further, although OMB took steps to clarify its 
reporting instructions to agencies for preparing fiscal year 2008 
reports, the instructions did not request inspectors general to report 
on agencies’ effectiveness of key activities and did not always provide 
clear guidance to inspectors general. As a result, the reporting may 
not adequately reflect agencies’ implementation of the required 
information security policies and procedures. 

Figure: Information Security Weaknesses at Major Federal Agencies for 
Fiscal Year 2008: 

[Refer to PDF for image: vertical bar graph] 

Weakness category: Access control; 
Number of agencies: 23. 

Weakness category: Configuration management; 
Number of agencies: 21. 

Weakness category: Segregation of duties; 
Number of agencies: 14. 

Weakness category: Continuity of operations; 
Number of agencies: 17. 

Weakness category: Security management; 
Number of agencies: 23. 

Source: GAO analysis of IG, agency, and GAO reports. 

[End of figure] 

What GAO Recommends: 

GAO is recommending that the Director of OMB take several actions, 
including revising guidance. OMB generally agreed with GAO’s overall 
assessment of information security at agencies, but did not concur with 
one aspect of GAO’s assessment of OMB’s review activities. 

View [hyperlink, http://www.gao.gov/products/GAO-09-546] or key 
components. For more information, contact Gregory C. Wilshusen at (202) 
512-6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Weaknesses in Information Security Place Sensitive Information at Risk: 

Agencies Continue to Report Progress in Implementing Requirements: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Office of Management and Budget: 

Appendix III: Cybersecurity Experts Highlighted Key Improvements for 
Strengthening the Nation's Cyber Security: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Related GAO Products: 

Tables: 

Table 1: Total Number of Agency and Contractor Systems in FY 2007 and 
FY 2008 by Impact Level: 

Table 2: Key Improvements Needed to Strengthen the Nation's 
Cybersecurity Posture: 

Figures: 

Figure 1: Incidents Reported to US-CERT, FY 2006-FY 2008: 

Figure 2: Percentage of Incidents Reported to US-CERT in FY06-FY08 by 
Category: 

Figure 3: Number of Major Agencies Reporting Significant Deficiencies 
in Information Security: 

Figure 4: Information Security Weaknesses at 24 Major Agencies for FY 
2008: 

Figure 5: Control Weaknesses Identified in GAO Reports, May 2007-April 
2009: 

Figure 6: Reported Data for Selected Performance Metrics for 24 Major 
Agencies: 

Figure 7: Specialized Training for 24 Major Agencies: 

Abbreviations: 

CD: compact disk: 

CIO: chief information officer: 

FISMA: Federal Information Security Management Act of 2002: 

IG: Inspector General: 

IP: Internet Protocol: 

NIST: National Institute of Standards and Technology: 

OMB: Office of Management and Budget: 

POA&M: Plan of Action and Milestones: 

US-CERT: U.S. Computer Emergency Readiness Team: 

US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: 

[End of section] 

United States Government Accountability Office: Washington, DC 20548: 

July 17, 2009: 

The Honorable Joseph I. Lieberman: 
Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Edolphus Towns: 
Chairman: 
The Honorable Darrell Issa: 
Ranking Member: 
Committee on Oversight and Government Reform: 
House of Representatives: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business. It is especially important for government 
agencies, where the public's trust is essential. The need for a 
vigilant approach to information security is demonstrated by the 
increase in reports of security incidents, the wide availability of 
hacking tools, and steady advances in the sophistication and 
effectiveness of attack technology. 

Over the past few years, 24 major federal agencies[Footnote 1] have 
reported numerous security incidents in which sensitive information has 
been lost or stolen, including personally identifiable information, 
which has exposed millions of Americans to a loss of privacy, identity 
theft, and other financial crimes. Since 1997, we have identified 
information security as a governmentwide high-risk issue in our 
biennial reports to Congress.[Footnote 2] 

Concerned by reports of significant weaknesses in federal computer 
systems, Congress passed the Federal Information Security Management 
Act (FISMA) of 2002,[Footnote 3] which requires agencies to develop and 
implement an information security program, evaluation processes, and 
annual reporting. FISMA requires mandated annual reports by federal 
agencies, the Office of Management and Budget (OMB), and the National 
Institute of Standards and Technology (NIST). FISMA also includes a 
requirement for independent annual evaluations by the agencies' 
inspectors general or independent external auditors. 

In accordance with the FISMA requirement that we report periodically to 
Congress, our objectives were to evaluate (1) the adequacy and 
effectiveness of agencies' information security policies and practices 
and (2) federal agencies' implementation of FISMA requirements. To 
accomplish these objectives, we analyzed agency, inspector general, 
OMB, and our reports on information security. Where possible, we 
categorized findings from those reports into areas defined by FISMA and 
the Federal Information System Controls Audit Manual.[Footnote 4] We 
did not include systems categorized as national security systems in our 
review, nor did we review the adequacy or effectiveness of the security 
policies and practices for those systems. 

We conducted this performance audit from December 2008 to May 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. For more details on our 
objectives, scope, and methodology, see appendix I. 

Background: 

Without proper safeguards, computer systems are vulnerable to 
individuals and groups with malicious intentions who can intrude and 
use their access to obtain and manipulate sensitive information, commit 
fraud, disrupt operations, or launch attacks against other computer 
systems and networks. The risks to federal systems are well-founded for 
a number of reasons, including the dramatic increase in reports of 
security incidents, the ease of obtaining and using hacking tools, and 
steady advances in the sophistication and effectiveness of attack 
technology. 

Recognizing the importance of securing federal systems and data, 
Congress passed FISMA in 2002. The act sets forth a comprehensive 
framework for ensuring the effectiveness of information security 
controls over information resources that support federal operations and 
assets. FISMA's framework creates a cycle of risk management activities 
necessary for an effective security program; these activities are 
similar to the principles noted in our study of the risk management 
activities of leading private-sector organizations[Footnote 5]-- 
assessing risk, establishing a central management focal point, 
implementing appropriate policies and procedures, promoting awareness, 
and monitoring and evaluating policy and control effectiveness. In 
order to ensure the implementation of this framework, the act assigns 
specific responsibilities to agency heads, chief information officers, 
inspectors general, and NIST. It also assigns responsibilities to OMB 
that include developing and overseeing the implementation of policies, 
principles, standards, and guidelines on information security, and 
reviewing agency information security programs, at least annually, and 
approving or disapproving them. 

Agency Responsibilities: 

FISMA requires each agency, including agencies with national security 
systems, to develop, document, and implement an agencywide information 
security program to provide security for the information and 
information systems that support the operations and assets of the 
agency, including those provided or managed by another agency, 
contractor, or other source. 

Specifically, FISMA requires information security programs to include, 
among other things: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information or information systems; 

* risk-based policies and procedures that cost-effectively reduce 
information security risks to an acceptable level and ensure that 
information security is addressed throughout the life cycle of each 
information system; 

* subordinate plans for providing adequate information security for 
networks, facilities, and systems or groups of information systems, as 
appropriate; 

* security awareness training for agency personnel, including 
contractors and other users of information systems that support the 
operations and assets of the agency; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, performed with a 
frequency depending on risk, but no less than annually, and that 
includes testing of management, operational, and technical controls for 
every system identified in the agency's required inventory of major 
information systems; 

* a process for planning, implementing, evaluating, and documenting 
remedial actions to address any deficiencies in the information 
security policies, procedures, and practices of the agency; 

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

In addition, agencies must produce an annually updated inventory of 
major information systems (including major national security systems) 
operated by the agency or under its control, which includes an 
identification of the interfaces between each system and all other 
systems or networks, including those not operated by or under the 
control of the agency. 

FISMA also requires each agency to report annually to OMB, selected 
congressional committees, and the Comptroller General on the adequacy 
of its information security policies, procedures, practices, and 
compliance with requirements. In addition, agency heads are required to 
report annually the results of their independent evaluations to OMB, 
except to the extent that an evaluation pertains to a national security 
system; then only a summary and assessment of that portion of the 
evaluation needs to be reported to OMB. 

Responsibilities of NIST: 

Under FISMA, NIST is tasked with developing, for systems other than 
national security systems, standards and guidelines that must include, 
at a minimum (1) standards to be used by all agencies to categorize all 
their information and information systems based on the objectives of 
providing appropriate levels of information security, according to a 
range of risk levels; (2) guidelines recommending the types of 
information and information systems to be included in each category; 
and (3) minimum information security requirements for information and 
information systems in each category. NIST must also develop a 
definition of and guidelines for detection and handling of information 
security incidents as well as guidelines developed in conjunction with 
the Department of Defense and the National Security Agency for 
identifying an information system as a national security system. 

The law also assigns other information security functions to NIST, 
including: 

* providing technical assistance to agencies on elements such as 
compliance with the standards and guidelines and the detection and 
handling of information security incidents; 

* evaluating private-sector information security policies and practices 
and commercially available information technologies to assess potential 
application by agencies; 

* evaluating security policies and practices developed for national 
security systems to assess their potential application by agencies; 
and: 

* conducting research, as needed, to determine the nature and extent of 
information security vulnerabilities and techniques for providing 
cost-effective information security. 

As required by FISMA, NIST has prepared its annual public report on 
activities undertaken in the previous year and planned for the coming 
year. In addition, NIST's FISMA initiative supports the development of 
a program for credentialing public and private sector organizations to 
provide security assessment services for federal agencies. 

Responsibilities of Inspectors General: 

Under FISMA, the inspector general for each agency shall perform an 
independent annual evaluation of the agency's information security 
program and practices. The evaluation should include testing of the 
effectiveness of information security policies, procedures, and 
practices of a representative subset of agency systems. In addition, 
the evaluation must include an assessment of the compliance with the 
act and any related information security policies, procedures, 
standards, and guidelines. For agencies without an inspector general, 
evaluations of non-national security systems must be performed by an 
independent external auditor. Evaluations related to national security 
systems are to be performed by an entity designated by the agency head. 

Responsibilities of OMB: 

FISMA states that the Director of OMB shall oversee agency information 
security policies and practices, including: 

* developing and overseeing the implementation of policies, principles, 
standards, and guidelines on information security; 

* requiring agencies to identify and provide information security 
protections commensurate with risk and magnitude of the harm resulting 
from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information collected or maintained by 
or on behalf of an agency, or information systems used or operated by 
an agency, or by a contractor of an agency, or other organization on 
behalf of an agency; 

* overseeing agency compliance with FISMA to enforce accountability; 
and: 

* reviewing at least annually, and approving or disapproving, agency 
information security programs. 

In addition, the act requires that OMB report to Congress no later than 
March 1 of each year on agency compliance with FISMA. 

Weaknesses in Information Security Place Sensitive Information at Risk: 

Significant weaknesses in information security policies and practices 
threaten the confidentiality, integrity, and availability of critical 
information and information systems used to support the operations, 
assets, and personnel of most federal agencies. These persistent 
weaknesses expose sensitive data to significant risk, as illustrated by 
recent incidents at various agencies. Further, our work and reviews by 
inspectors general note significant information security control 
deficiencies that place a broad array of federal operations and assets 
at risk. Consequently, we have made hundreds of recommendations to 
agencies to address these security control deficiencies. 

Reported Incidents Are on the Rise and Place Sensitive Information at 
Risk: 

Since our report in July 2007, federal agencies have reported a spate 
of security incidents that have put sensitive data at risk, thereby 
exposing the personal information of millions of Americans to the loss 
of privacy and potential harm associated with identity theft. Agencies 
have experienced a wide range of incidents involving data loss or 
theft, computer intrusions, and privacy breaches, underscoring the need 
for improved security practices. The following examples, reported in 
2008 and 2009, illustrate that a broad array of federal information and 
assets remain at risk. 

* In May 2009, the Department of Transportation Inspector General 
issued the results of an audit of Web applications security and 
intrusion detection in air traffic control systems at the Federal 
Aviation Administration (FAA). The inspector general reported that Web 
applications used in supporting air traffic control systems operations 
were not properly secured to prevent attacks or unauthorized access. To 
illustrate, vulnerabilities found in Web application computers 
associated with the Traffic Flow Management Infrastructure System, 
Juneau Aviation Weather System, and the Albuquerque Air Traffic Control 
Tower allowed audit staff to gain unauthorized access to data stored on 
these computers, including program source code and sensitive personally 
identifiable information. In addition, the inspector general reported 
that it found a vulnerability on FAA Web applications that could allow 
attackers to execute malicious code on FAA users' computers, which was 
similar to an actual incident that occurred in August 2008. In February 
2009, the FAA notified employees that an agency computer had been 
illegally accessed and employee personal identity information had been 
stolen electronically. Two of the 48 files on the breached computer 
server contained personal information about more than 45,000 FAA 
employees and retirees who were on the FAA payrolls as of the first 
week of February 2006. Law enforcement agencies were notified and are 
investigating the data theft. 

* In March 2009, U.S. Congressman Jason Altmire and U.S. Senator Bob 
Casey announced that they had sent a letter to the Under Secretary of 
Defense for Acquisition, Technology, and Logistics, asking for 
additional information on a recent security breach of the presidential 
helicopter, Marine One. According to the announcement, in February 
2009, a company based in Cranberry, Pennsylvania, discovered that 
engineering and communications documents containing key details about 
the Marine One fleet had been downloaded to an Internet Protocol (IP) 
address in Iran. The documents were traced back to a defense contractor 
in Maryland, where an employee most likely downloaded a file-sharing 
program that inadvertently allowed others to access this information. 
According to information from the Congressman's Web site, recent 
reports have said that the federal government was warned last June that 
an Internet Web site with an IP address traced to Iran was actively 
seeking this information. 

* In March 2009, the United States Computer Emergency Readiness Team 
(US-CERT) issued an updated notice to warn agencies and organizations 
of the Conficker/Downadup worm activity and to help prevent further 
compromises from occurring. In the notice, US-CERT warned that the 
Conficker/Downadup worm could infect a Microsoft Windows system from a 
thumb drive, a network share, or directly across a network if the host 
is not patched. 

* According to a March 2009 media release from Senator Bill Nelson's 
office, cyber-invaders thought to be in China hacked into the computer 
network in Senator Nelson's office. There were two attacks on the same 
day in March 2009, and another one in February 2009 that targeted work 
stations used by three of Senator Nelson's staffers. The hackers were 
not able to take any classified information because that information is 
not kept on office computers, a spokesman said. The media release 
stated that similar incursions into computer networks in Congress were 
up significantly in the past few months. 

* The Department of Energy's Office of Health, Safety, and Security 
announced that a password-protected compact disk (CD) had been lost 
during a routine shipment on January 28, 2009. The CD contained 
personally identifiable information for 59,617 individuals who 
currently work or formerly worked at facilities at the Department of 
Energy's Idaho site. The investigation verified that protection 
measures had been applied in accordance with requirements applicable to 
organizations working under cooperative agreements and surmised that 
while the CD had been lost for 8 weeks at the time of the 
investigation, no evidence had been found that revealed that the 
personal information on the lost disk had been compromised. The 
investigation concluded that OMB and Department of Energy requirements 
for managing and reporting the loss of the information had not been 
transmitted to the appropriate organizations and that there was a 
failure to provide timely notifications of the actual or suspected loss 
of information in this incident. 

* In January 2009, the Program Director of the Office of Personnel and 
Management's USAJOBS Web site announced that their technology 
provider's (Monster.com) database had been illegally accessed and 
contact and account data had been taken, including user IDs and 
passwords, e-mail addresses, names, phone numbers, and some basic 
demographic data. The director pointed out that e-mail could be used 
for phishing activity and advised users to change their site login 
password. 

* In December 2008, the Federal Emergency Management Administration was 
alerted to an unauthorized breach of private information when an 
applicant notified it that his personal information pertaining to 
Hurricane Katrina had been posted on the Internet. The information 
posted to Web sites contained a spreadsheet with 16,857 lines of data 
that included applicant names, social security numbers, addresses, 
telephone numbers, e-mail addresses, and other information on disaster 
applicants who had evacuated to Texas. According to the Federal 
Emergency Management Administration, it took action to work with the 
Web site hosting the private information, and have that information 
removed from public view. Additionally, the agency reported that it 
worked to remove the same information from a second Web site. Further, 
the agency stated that while it believed most of the applicant 
information posted on the Web sites was properly released by it to a 
state agency, it did not authorize the subsequent public posting of 
much of this data. 

* In June 2008, the Walter Reed Army Medical Center reported that 
officials were investigating the possible disclosure of personally 
identifiable information through unauthorized sharing of a data file 
containing the names of approximately 1,000 Military Health System 
beneficiaries. Walter Reed officials were notified of the possible 
exposure on May 21 by an outside company. Preliminary results of an 
ongoing investigation identified a computer from which the data had 
apparently been compromised. Data security personnel from Walter Reed 
and the Department of the Army think it is possible that individuals 
named in the file could become victims of identity theft. The 
compromised data file did not include protected health information such 
as medical records, diagnosis, or prognosis for patients. 

* In March 2008, media reports surfaced noting that the passport files 
of three U.S. senators, who were also presidential candidates, had been 
improperly accessed by Department of State employees and contractor 
staff. As of April 2008, the system contained records on about 192 
million passports for about 127 million passport holders. These records 
included personally identifiable information, such as the applicant's 
name, gender, social security number, date and place of birth, and 
passport number. In July 2008, after investigating this incident, the 
Department of State's Office of Inspector General reported many control 
weaknesses--including a general lack of policies, procedures, guidance, 
and training--relating to the prevention and detection of unauthorized 
access to passport and applicant information and the subsequent 
response and disciplinary processes when a potential unauthorized 
access is substantiated. 

When incidents occur, agencies are to notify the federal information 
security incident center--US-CERT. As shown in figure 1, the number of 
incidents reported by federal agencies to US-CERT has risen 
dramatically over the past 3 years, increasing from 5,503 incidents 
reported in fiscal year 2006 to 16,843 incidents in fiscal year 2008 
(slightly more than 200 percent). 

Figure 1: Incidents Reported to US-CERT, FY 2006-FY 2008: 

[Refer to PDF for image: vertical bar graph] 

FY 2006: 5,503; 
FY 2007: 11,910; 
FY 2008: 16,842. 

Source: GAO analysis of US-CERT data. 

[End of figure] 

Agencies report the following types of incidents based on 
US-CERT-defined categories: 

* Unauthorized access: Gaining logical or physical access without 
permission to a federal agency's network, system, application, data, or 
other resource. 

* Denial of service: Preventing or impairing the normal authorized 
functionality of networks, systems, or applications by exhausting 
resources. This activity includes being the victim of or participating 
in a denial of service attack. 

* Malicious code: Installing malicious software (e.g., virus, worm, 
Trojan horse, or other code-based malicious entity) that infects an 
operating system or application. Agencies are not required to report 
malicious logic that has been successfully quarantined by antivirus 
software. 

* Improper usage: Violating acceptable computing use policies. 

* Scans/probes/attempted access: Accessing or identifying a federal 
agency computer, open ports, protocols, service, or any combination of 
these for later exploit. This activity does not directly result in a 
compromise or denial of service. 

* Under investigation: Investigating unconfirmed incidents that are 
potentially malicious, or anomalous activity deemed by the reporting 
entity to warrant further review. 

As shown in figure 2, the three most prevalent types of incidents 
reported to US-CERT during fiscal years 2006 through 2008 were 
investigation, improper usage, and unauthorized access. 

Figure 2: Percentage of Incidents Reported to US-CERT in FY06-FY08 by 
Category: 

[Refer to PDF for image: pie-chart] 

Investigation: 34%; 
Improper usage: 22%; 
Unauthorized access: 18%; 
Malicious code: 14%; 
Scans/probes/attempted access: 12%; 
Denial of service: less than 1%. 

Source: GAO analysis of US-CERT data. 

[End of figure] 

Weaknesses in Controls Highlight Deficiencies in the Implementation of 
Security Policies and Practices: 

Reviews at federal agencies continue to highlight deficiencies in their 
implementation of security policies and procedures. In their fiscal 
year 2008 performance and accountability reports, 20 of the 24 agencies 
indicated that inadequate information security controls were either a 
material weakness or a significant deficiency[Footnote 6] (see fig. 3). 

Figure 3: Number of Major Agencies Reporting Significant Deficiencies 
in Information Security: 

[Refer to PDF for image: pie-chart] 

Significant deficiency: 13; 
Material weakness: 7; 
No significant weakness: 4. 

Source: GAO analysis of agency performance and accountability reports 
for FY 2008. 

[End of figure] 

Similarly, in annual reports required under 31 U.S.C. § 3512 (commonly 
referred to as the Federal Managers' Financial Integrity Act of 
1982),[Footnote 7] 11 of 24 agencies identified material weaknesses in 
information security. Inspectors general have also noted weaknesses in 
information security, with 22 of 24 identifying it as a "major 
management challenge" for their agency.[Footnote 8] 

Our own audits have also identified control deficiencies in both 
financial and nonfinancial systems, including vulnerabilities in 
critical federal systems. For example: 

* In 2009, we reported that security weaknesses at the Securities and 
Exchange Commission continued to jeopardize the confidentiality, 
integrity, and availability of the commission's financial and sensitive 
information and information systems.[Footnote 9] Although the 
commission had made progress in correcting previously reported 
information security control weaknesses, it had not completed action to 
correct 16 weaknesses. In addition, we identified 23 new weaknesses in 
controls intended to restrict access to data and systems. Thus, the 
commission had not fully implemented effective controls to prevent, 
limit, or detect unauthorized access to computing resources. For 
example, it had not always (1) consistently enforced strong controls 
for identifying and authenticating users, (2) sufficiently restricted 
user access to systems, (3) encrypted network services, (4) audited and 
monitored security-relevant events for its databases, and (5) 
physically protected its computer resources. The Securities and 
Exchange Commission also had not consistently ensured appropriate 
segregation of incompatible duties or adequately managed the 
configuration of its financial information systems. As a result, the 
Securities and Exchange Commission was at increased risk of 
unauthorized access to and disclosure, modification, or destruction of 
its financial information, as well as inadvertent or deliberate 
disruption of its financial systems, operations, and services. The 
Securities and Exchange Commission agreed with our recommendations and 
stated that it plans to address the identified weaknesses. 

* In 2009, we reported that the Internal Revenue Service had made 
progress toward correcting prior information security weaknesses, but 
continued to have weaknesses that could jeopardize the confidentiality, 
integrity, and availability of financial and sensitive taxpayer 
information.[Footnote 10] These deficiencies included some related to 
controls that are intended to prevent, limit, and detect unauthorized 
access to computing resources, programs, information, and facilities, 
as well as a control important in mitigating software vulnerability 
risks. For example, the agency continued to, among other things, allow 
sensitive information, including IDs and passwords for mission-critical 
applications, to be readily available to any user on its internal 
network and to grant excessive access to individuals who do not need 
it. In addition, the Internal Revenue Service had systems running 
unsupported software that could not be patched against known 
vulnerabilities. Until those weaknesses are corrected, the Internal 
Revenue Service remains vulnerable to insider threats and is at 
increased risk of unauthorized access to and disclosure, modification, 
or destruction of financial and taxpayer information, as well as 
inadvertent or deliberate disruption of system operations and services. 
The IRS agreed to develop a plan addressing each of our 
recommendations. 

* In 2008, we reported that although the Los Alamos National 
Laboratory--one of the nation's weapons laboratories--implemented 
measures to enhance the information security of its unclassified 
network, vulnerabilities continued to exist in several critical areas, 
including (1) identifying and authenticating users of the network, (2) 
encrypting sensitive information, (3) monitoring and auditing 
compliance with security policies, (4) controlling and documenting 
changes to a computer system's hardware and software, and (5) 
restricting physical access to computing resources.[Footnote 11] As a 
result, sensitive information on the network--including unclassified 
controlled nuclear information, naval nuclear propulsion information, 
export control information, and personally identifiable information-- 
was exposed to an unnecessary risk of compromise. Moreover, the risk 
was heightened because about 300 (or 44 percent) of 688 foreign 
nationals who had access to the unclassified network as of May 2008 
were from countries classified as sensitive by the Department of 
Energy, such as China, India, and Russia. While the organization did 
not specifically comment on our recommendations, it agreed with the 
conclusions. 

* In 2008, we reported that the Tennessee Valley Authority had not 
fully implemented appropriate security practices to secure the control 
systems used to operate its critical infrastructures at facilities we 
reviewed.[Footnote 12] Multiple weaknesses within the Tennessee Valley 
Authority corporate network left it vulnerable to potential compromise 
of the confidentiality, integrity, and availability of network devices 
and the information transmitted by the network. For example, almost all 
of the workstations and servers that we examined on the corporate 
network lacked key security patches or had inadequate security 
settings. Furthermore, Tennessee Valley Authority had not adequately 
secured its control system networks and devices on these networks, 
leaving the control systems vulnerable to disruption by unauthorized 
individuals. In addition, we reported that the network interconnections 
provided opportunities for weaknesses on one network to potentially 
affect systems on other networks. Specifically, weaknesses in the 
separation of network segments could allow an individual who had gained 
access to a computing device connected to a less secure portion of the 
network to be able to compromise systems in a more secure portion of 
the network, such as the control systems. As a result, Tennessee Valley 
Authority's control systems were at increased risk of unauthorized 
modification or disruption by both internal and external threats and 
could affect its ability to properly generate and deliver electricity. 
The Tennessee Valley Authority agreed with our recommendations and 
provided information on steps it was taking to implement them. 

* In 2007, we reported that the Department of Homeland Security had 
significant weaknesses in computer security controls surrounding the 
information systems used to support its U.S. Visitor and Immigrant 
Status Technology (US-VISIT) program for border security.[Footnote 13] 
For example, it had not implemented controls to effectively prevent, 
limit, and detect access to computer networks, systems, and 
information. Specifically, it had not (1) adequately identified and 
authenticated users in systems supporting US-VISIT; (2) sufficiently 
limited access to US-VISIT information and information systems; (3) 
ensured that controls adequately protected external and internal 
network boundaries; (4) effectively implemented physical security at 
several locations; (5) consistently encrypted sensitive data traversing 
the communication network; and (6) provided adequate logging or user 
accountability for the mainframe, workstations, or servers. In 
addition, it had not always ensured that responsibilities for systems 
development and system production had been sufficiently segregated and 
had not consistently maintained secure configurations on the 
application servers and workstations at a key data center and ports of 
entry. As a result, increased risk existed that unauthorized 
individuals could read, copy, delete, add, and modify sensitive 
information--including personally identifiable information--and disrupt 
service on Customs and Border Protection systems supporting the US-
VISIT program. The department stated that it directed Customs and 
Border Protection to complete remediation activities to address each of 
our recommendations. 

Weaknesses Persist in All Major Categories of Controls: 

According to our reports and those of agency inspectors general, 
persistent weaknesses appear in the five major categories of 
information system controls: (1) access controls, which ensure that 
only authorized individuals can read, alter, or delete data; (2) 
configuration management controls, which provide assurance that only 
authorized software programs are implemented; (3) segregation of 
duties, which reduces the risk that one individual can independently 
perform inappropriate actions without detection; (4) continuity of 
operations planning, which provides for the prevention of significant 
disruptions of computer-dependent operations; and (5) an agencywide 
information security program, which provides the framework for ensuring 
that risks are understood and that effective controls are selected and 
properly implemented. Most agencies continue to have weaknesses in each 
of these categories, as shown in figure 4. 

Figure 4: Information Security Weaknesses at 24 Major Agencies for FY 
2008: 

[Refer to PDF for image: vertical bar graph] 

Weakness category: Access control; 
Number of agencies: 23. 

Weakness category: Configuration management; 
Number of agencies: 21. 

Weakness category: Segregation of duties; 
Number of agencies: 14. 

Weakness category: Continuity of operations; 
Number of agencies: 17. 

Weakness category: Security management; 
Number of agencies: 23. 

Source: GAO analysis of IG, agency, and GAO reports. 

[End of figure] 

Access Controls Were Not Adequate: 

Agencies use access controls to limit, prevent, or detect inappropriate 
access to computer resources (data, equipment, and facilities), thereby 
protecting them from unauthorized use, modification, disclosure, and 
loss. Such controls include both electronic and physical controls. 
Electronic access controls include those related to boundary 
protection, user identification and authentication, authorization, 
cryptography, and auditing and monitoring. Physical access controls are 
important for protecting computer facilities and resources from 
espionage, sabotage, damage, and theft. These controls involve 
restricting physical access to computer resources, usually by limiting 
access to the buildings and rooms in which they are housed and 
enforcing usage restrictions and implementation guidance for portable 
and mobile devices. 

At least 23 major federal agencies had access control weaknesses during 
fiscal year 2008. An analysis of our reports reveals that 48 percent of 
information security control weaknesses pertained to access controls 
(see figure 5). For example, agencies did not consistently (1) 
establish sufficient boundary protection mechanisms; (2) identify and 
authenticate users to prevent unauthorized access; (3) enforce the 
principle of least privilege to ensure that authorized access was 
necessary and appropriate; (4) apply encryption to protect sensitive 
data on networks and portable devices; (5) log, audit, and monitor 
security-relevant events; and (6) establish effective controls to 
restrict physical access to information assets. Without adequate access 
controls in place, agencies cannot ensure that their information 
resources are protected from intentional or unintentional harm. 

Figure 5: Control Weaknesses Identified in GAO Reports, May 2007-April 
2009: 

[Refer to PDF for image: pie-chart] 

Access controls: 48%; 
Security management: 31%; 
Configuration management: 18%; 
Contingency planning: 2%; 
Segregation of duties: 1%. 

Source: GAO analysis of prior GAO reports. 

[End of figure] 

Boundary Protection: 

Boundary protection controls logical connectivity into and out of 
networks and controls connectivity to and from network connected 
devices. Agencies segregate the parts of their networks that are 
publicly accessible by placing these components in subnetworks with 
separate physical interfaces and preventing public access to their 
internal networks. Unnecessary connectivity to an agency's network 
increases not only the number of access paths that must be managed and 
the complexity of the task, but the risk of unauthorized access in a 
shared environment. Deploying a series of security technologies at 
multiple layers, and using diverse technologies at the different 
layers, helps to mitigate the risk of successful cyber attacks. For 
example, multiple firewalls can be deployed to prevent 
both outsiders and trusted insiders from gaining unauthorized access to 
systems, and intrusion detection technologies can be deployed to defend 
against attacks from the Internet. 

Agencies continue to demonstrate vulnerabilities in establishing 
appropriate boundary protections. For example, two agencies that we 
assessed did not adequately secure channels to connect remote users, 
increasing the risk that attackers will use these channels to gain 
access to restricted network resources. One of these agencies also did 
not have adequate intrusion detection capabilities, while the other 
allowed users of one network to connect to another, higher-security 
network. Such weaknesses in boundary protections impair an agency's 
ability to deflect and detect attacks quickly and protect sensitive 
information and networks. 

User Identification and Authentication: 

A computer system must be able to identify and authenticate different 
users so that activities on the system can be linked to specific 
individuals. When an organization assigns unique user accounts to 
specific users, the system is able to distinguish one user from 
another--a process called identification. The system also must 
establish the validity of a user's claimed identity by requesting some 
kind of information, such as a password, that is known only by the 
user--a process known as authentication. 

Agencies did not always adequately control user accounts and passwords 
to ensure that only valid users could access systems and information. 
In our 2007 FISMA report,[Footnote 14] we noted several weaknesses in 
agencies' identification and authentication procedures. Agencies 
continue to experience similar weaknesses in fiscal years 2008 and 
2009. For example, certain agencies did not adequately enforce strong 
password settings, increasing the likelihood that accounts could be 
compromised and used by unauthorized individuals to gain access to 
sensitive information. In other instances, agencies did not enforce 
periodic changing of passwords or use of one-time passwords or 
passcodes, and transmitted or stored passwords in clear text. Poor 
password management increases the risk that unauthorized users could 
guess or read valid passwords to devices and use the compromised 
devices for an indefinite period of time. 

Authorization: 

Authorization is the process of granting or denying access rights and 
permissions to a protected resource, such as a network, a system, an 
application, a function, or a file. A key component of granting or 
denying access rights is the concept of least privilege, which is a 
basic principle for securing computer resources and information and 
means that users are granted only those access rights and permissions 
that they need to perform their official duties. To restrict legitimate 
users' access to only those programs and files that they need to do 
their work, agencies establish access rights and permissions. "User 
rights" are allowable actions that can be assigned to users or to 
groups of users. File and directory permissions are rules that regulate 
which users can access a particular file or directory and the extent of 
that access. To avoid unintentionally authorizing users access to 
sensitive files and directories, an agency must give careful 
consideration to its assignment of rights and permissions. 

Agencies continued to grant rights and permissions that allowed more 
access than users needed to perform their jobs. Inspectors general at 
12 agencies reported instances where users had been granted excessive 
privileges. In our reviews, we also noted vulnerabilities in this area. 
For example, at one agency, users could inappropriately escalate their 
access privileges to run commands on a powerful system account, many 
had unnecessary and inappropriate access to databases, and other 
accounts allowed excessive privileges and permissions. Another agency 
allowed (on financial applications) generic, shared accounts that 
included the ability to create, delete, and modify users' accounts. 
Approximately 1,100 users at yet another agency had access to mainframe 
system management utilities, although such access was not necessarily 
required to perform their jobs. These utilities provided access to all 
files stored on disk; all programs running on the system, including the 
outputs; and the ability to alter hardware configurations supporting 
the production environment. We uncovered one agency that had provided a 
contractor with system access that was beyond what was needed, making 
the agency vulnerable to incidents on the contractor's network. Another 
agency gave all users of an application full access to the 
application's source code although their responsibilities did not 
require this level of privilege. Such weaknesses in authorization place 
agencies at increased risk of inappropriate access to data and 
sensitive system programs, as well as to the consequent disruption of 
services. 

Cryptography: 

Cryptography[Footnote 15] underlies many of the mechanisms used to 
enforce the confidentiality and integrity of critical and sensitive 
information. A basic element of cryptography is encryption. Encryption 
can be used to provide basic data confidentiality and integrity by 
transforming plain text into cipher text using a special value known as 
a key and a mathematical process known as an algorithm. The National 
Security Agency recommends disabling protocols that do not encrypt 
information transmitted across the network, such as user identification 
and password combinations. 

In our reviews of agencies' information security, we found that 
agencies did not always encrypt sensitive information stored on their 
systems or traversing the network. For example, five agencies that we 
reviewed did not effectively use cryptographic controls to protect 
sensitive resources. 
Specifically, one agency allowed unencrypted protocols to be used on 
its network devices. Another agency did not require encrypted passwords 
for network logins, while another did not consistently provide 
approved, secure transmission of data over its network. These 
weaknesses could allow an attacker, or malicious user, to view 
information and use that knowledge to obtain sensitive financial and 
system data being transmitted over the network. 

Auditing and Monitoring: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine what, when, and by whom specific actions have been taken 
on a system. Agencies accomplish this by implementing system or 
security software that provides an audit trail, or logs of system 
activity, that they can use to determine the source of a transaction or 
attempted transaction and to monitor users' activities. The way in 
which agencies configure system or security software determines the 
nature and extent of the information that can be provided by the audit 
trail. To be effective, agencies should configure their software to 
collect and maintain audit trails that are sufficient to track security-
relevant events. 

Agencies did not sufficiently log and monitor key security- and audit-
related events on their network. For example, agencies did not monitor 
critical portions of their networks for intrusions; record successful, 
unauthorized access attempts; log certain changes to data on a 
mainframe (which increases the risk of compromised security controls or 
disrupted operations); and capture all authentication methods and 
logins to a network by foreign nationals. Similarly, 14 agencies did 
not always have adequate auditing and monitoring capabilities. For 
example, one agency did not conduct a baseline assessment of an 
important network. This baseline determines a typical state or pattern 
of network activity. Without this information, the agency could have 
difficulty detecting and investigating anomalous activity to ascertain 
whether or not an attack was under way. Another agency did not perform 
source code scanning or have a process for manual source code reviews, 
which increases the risk that vulnerabilities would not be detected. As 
a result, unauthorized access could go undetected, and if a system is 
modified or disrupted, the ability to trace or recreate events could be 
impeded. 
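The baseline review and the "successful login after repeated failures" check described above, as an added example that is not the report's own code or any agency's tooling: it learns a baseline of normal login activity from a constructed sample authentication log, then flags successful logins in a later period that deviate from it. The log format, user names, and host addresses are constructed for the example.

```python
"""Audit-trail review: learn a baseline of login activity, then flag deviations.

Added example, not code from the GAO report. The log format below is a
constructed, simplified authentication log (timestamp, result, user, source
host); real audit trails differ, so parse_line() would need adjusting.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed baseline period: ordinary activity used to learn what "normal" is.
BASELINE_LOG = """\
2009-03-02T08:05:11 auth OK user=jdoe src=10.1.4.20
2009-03-02T08:07:40 auth OK user=asmith src=10.1.4.31
2009-03-03T09:15:02 auth OK user=jdoe src=10.1.4.20
2009-03-03T17:40:13 auth OK user=asmith src=10.1.4.31
2009-03-04T08:30:55 auth OK user=jdoe src=10.1.4.22
"""

# Constructed review period containing the anomalies we want to detect.
REVIEW_LOG = """\
2009-03-09T02:14:07 auth OK user=asmith src=203.0.113.9
2009-03-09T08:10:00 auth OK user=jdoe src=10.1.4.20
2009-03-09T11:00:01 auth FAIL user=jdoe src=198.51.100.7
2009-03-09T11:00:03 auth FAIL user=jdoe src=198.51.100.7
2009-03-09T11:00:05 auth FAIL user=jdoe src=198.51.100.7
2009-03-09T11:00:09 auth OK user=jdoe src=198.51.100.7
2009-03-09T13:22:45 auth OK user=asmith src=10.1.4.31
"""


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%S")
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def build_baseline(text):
    """From successful logins, learn each user's usual source hosts and the
    overall range of login hours: the 'typical pattern' of activity."""
    sources = defaultdict(set)
    hours = []
    for e in parse_log(text):
        if e["result"] != "OK":
            continue
        sources[e["user"]].add(e["src"])
        hours.append(e["ts"].hour)
    hour_range = (min(hours), max(hours)) if hours else (0, 23)
    return {"sources": dict(sources), "hours": hour_range}


def review(text, baseline, fail_threshold=3, window_seconds=60):
    """Return (timestamp, user, reason) findings for successful logins that
    deviate from the baseline or that follow a burst of failed attempts."""
    findings = []
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of failures
    lo, hi = baseline["hours"]
    for e in parse_log(text):
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            recent_fails[key].append(e["ts"])
            continue
        ts = e["ts"].isoformat()
        # Successful login from a host this user never used in the baseline.
        if e["src"] not in baseline["sources"].get(e["user"], set()):
            findings.append((ts, e["user"], "login from source not in baseline"))
        # Successful login outside the hours seen during the baseline period.
        if not lo <= e["ts"].hour <= hi:
            findings.append((ts, e["user"], "login outside baseline hours"))
        # Success preceded by a burst of failures from the same host: a
        # successful, possibly unauthorized access attempt worth investigating.
        fails = [t for t in recent_fails[key]
                 if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(fails) >= fail_threshold:
            findings.append((ts, e["user"],
                             f"success after {len(fails)} failures within {window_seconds}s"))
        recent_fails[key] = []
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{ts} {user}: {reason}")
```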

Physical Security: 

Physical security controls help protect computer facilities and 
resources from espionage, sabotage, damage, and theft. These controls 
restrict physical access to sensitive computing and communications 
resources, usually by limiting access to the buildings and rooms in 
which the resources are housed. Examples of physical security controls 
include perimeter fencing, surveillance cameras, security guards, 
locks, and procedures for granting or denying individuals physical 
access to computing resources. Physical controls also include 
environmental controls such as smoke detectors, fire alarms, 
extinguishers, and uninterruptible power supplies. Considerations for 
perimeter security also include controlling vehicular and pedestrian 
traffic. In addition, visitors' access to sensitive areas must be 
managed appropriately. 

Our analysis of inspector general, GAO, and agency reports has shown 
that nine agencies did not sufficiently restrict physical access to 
sensitive computing and communication resources. The physical security 
measures employed by these agencies often did not comply with their own 
requirements or with federal standards. Access to facilities containing 
sensitive equipment and information was not always adequately 
restricted. For example, at one agency with buildings housing 
classified networks, cars were not stopped and inspected; a sign 
indicated the building's purpose; fencing was scalable; and access to 
buildings containing computer network equipment was not controlled by 
electronic or other means. Agencies did not adequately manage visitors, 
in one instance, placing network jacks in an area where unescorted 
individuals could use them to obtain electronic access to restricted 
computing resources, and in another failing to properly identify and 
control visitors at a facility containing sensitive equipment. Agencies 
did not always remove employees' physical access authorizations to 
sensitive areas in a timely manner when they departed or their work no 
longer required such access. Environmental controls at one agency did 
not meet federal guidelines, with fire suppression capabilities, 
emergency lighting, and backup power all needing improvements. Such 
weaknesses in physical access controls increase the risk that sensitive 
computing resources will inadvertently or deliberately be misused, 
damaged, or destroyed. 

Configuration Management Controls Were Not Always Implemented: 

Configuration management controls ensure that only authorized and fully 
tested software is placed in operation. These controls, which also 
limit and monitor access to powerful programs and sensitive files 
associated with computer operations, are important in providing 
reasonable assurance that access controls are not compromised and that 
the system will not be impaired. These policies, procedures, and 
techniques help ensure that all programs and program modifications are 
properly authorized, tested, and approved. Further, patch management is 
an important element in mitigating the risks associated with software 
vulnerabilities. Up-to-date patch installation could help mitigate 
vulnerabilities associated with flaws in software code that could be 
exploited to cause significant damage--including the loss of control of 
entire systems--thereby enabling malicious individuals to read, modify, 
or delete sensitive information or disrupt operations. 

Twenty-one agencies demonstrated weaknesses in configuration management 
controls. For instance, several agencies did not implement common 
secure configuration policies across their systems, increasing the risk 
of avoidable security vulnerabilities. In addition, agencies did not 
effectively ensure that system software changes had been properly 
authorized, documented, and tested, which increases the risk that 
unapproved changes could occur without detection and that such changes 
could disrupt a system's operations or compromise its integrity. 
Agencies did not always monitor system configurations to prevent 
extraneous services and other vulnerabilities from remaining undetected 
and jeopardizing operations. At least six agencies did not consistently 
update software on a timely basis to protect against known 
vulnerabilities or did not fully test patches before applying them. 
Without a consistent approach to updating, patching, and testing 
software, agencies are at increased risk of exposing critical and 
sensitive data to unauthorized and possibly undetected access. 

Segregation of Duties Was Not Appropriately Enforced: 

Segregation of duties refers to the policies, procedures, and 
organizational structure that help ensure that one individual cannot 
independently control all key aspects of a process or computer-related 
operation and thereby conduct unauthorized actions or gain unauthorized 
access to assets or records. Proper segregation of duties is achieved 
by dividing responsibilities among two or more individuals or groups. 
Dividing duties among individuals or groups diminishes the likelihood 
that errors and wrongful acts will go undetected because the activities 
of one individual or group will serve as a check on the activities of 
the other. 

At least 14 agencies did not appropriately segregate information 
technology duties. These agencies generally did not assign employee 
duties and responsibilities in a manner that segregated incompatible 
functions among individuals or groups of individuals. For instance, at 
one agency, an individual who enters an applicant's data into a 
financial system also had the ability to hire the applicant. At another 
agency, 76 system users had the ability to create and approve purchase 
orders. Without adequate segregation of duties, there is an increased 
risk that erroneous or fraudulent actions can occur, improper program 
changes can be implemented, and computer resources can be damaged or 
destroyed. 
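A segregation-of-duties conflict check of the kind a reviewer would run to find the cases described above (one person both entering applicant data and hiring, or both creating and approving purchase orders), as an added example that is not the report's own code. The incompatible-function pairs come from the findings in this report; the role names, users, and role assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the GAO report. INCOMPATIBLE_PAIRS reflects the
report's findings (enter applicant data vs. hire applicant; create vs.
approve purchase orders; systems development vs. production operation).
Roles, users and assignments below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Pairs of functions that no single individual should be able to perform alone.
INCOMPATIBLE_PAIRS: List[Tuple[str, str]] = [
    ("enter_applicant_data", "hire_applicant"),
    ("create_purchase_order", "approve_purchase_order"),
    ("develop_system", "operate_production_system"),
]

# Constructed role -> functions mapping (hypothetical role names).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "hr_clerk": {"enter_applicant_data"},
    "hr_manager": {"hire_applicant"},
    "requisitioner": {"create_purchase_order"},
    "approver": {"approve_purchase_order"},
    "developer": {"develop_system"},
    "prod_operator": {"operate_production_system"},
    # A single role that carries both sides of a pair is itself a design defect.
    "finance_admin": {"create_purchase_order", "approve_purchase_order"},
}

# Constructed user -> roles (group memberships already flattened into roles).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"hr_clerk"},
    "bob": {"hr_clerk", "hr_manager"},        # can enter data and hire
    "carol": {"requisitioner"},
    "dave": {"finance_admin"},                # one role carrying both sides
    "erin": {"developer", "prod_operator"},   # development and production not segregated
    "frank": {"approver"},
}


def effective_functions(user: str, user_roles: Dict[str, Set[str]],
                        role_functions: Dict[str, Set[str]]) -> Set[str]:
    """Union of every function granted through any of the user's roles."""
    funcs: Set[str] = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def roles_granting(user: str, func: str, user_roles, role_functions) -> Set[str]:
    """Which of the user's roles grant a given function (tells the reviewer
    which assignment to revoke to resolve a conflict)."""
    return {r for r in user_roles.get(user, ()) if func in role_functions.get(r, set())}


def find_sod_violations(user_roles, role_functions, pairs) -> Dict[str, List[dict]]:
    """Return {user: [violation, ...]} for users holding both sides of a pair.

    Each violation records the pair and the roles that grant each side.
    """
    violations: Dict[str, List[dict]] = {}
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, role_functions)
        hits = []
        for a, b in pairs:
            if a in funcs and b in funcs:
                hits.append({
                    "pair": (a, b),
                    "roles_for_a": roles_granting(user, a, user_roles, role_functions),
                    "roles_for_b": roles_granting(user, b, user_roles, role_functions),
                })
        if hits:
            violations[user] = hits
    return violations


def count_users_with_pair(user_roles, role_functions, pair: Tuple[str, str]) -> int:
    """Number of users able to perform both functions of a pair (the kind of
    count behind a finding such as '76 users could create and approve orders')."""
    return sum(1 for u in user_roles
               if set(pair) <= effective_functions(u, user_roles, role_functions))


if __name__ == "__main__":
    for user, hits in find_sod_violations(USER_ROLES, ROLE_FUNCTIONS, INCOMPATIBLE_PAIRS).items():
        for h in hits:
            print(f"{user}: {h['pair']} via {sorted(h['roles_for_a'])} / {sorted(h['roles_for_b'])}")
```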

Continuity of Operations Plans Have Shortcomings: 

An agency must take steps to ensure that it is adequately prepared to 
cope with the loss of operational capabilities due to an act of nature, 
fire, accident, sabotage, or any other disruption. An essential element 
in preparing for such a catastrophe is an up-to-date, detailed, and 
fully tested continuity of operations plan. Such a plan should cover 
all key computer operations and should include planning to ensure that 
critical information systems, operations, and data such as financial 
processing and related records can be properly restored if an emergency 
or a disaster occurs. To ensure that the plan is complete and fully 
understood by all key staff, it should be tested--including unannounced 
tests--and test plans and results documented to provide a basis for 
improvement. If continuity of operations controls are inadequate, even 
relatively minor interruptions could result in lost or incorrectly 
processed data, which could cause financial losses, expensive recovery 
efforts, and inaccurate or incomplete mission-critical information. 

Although agencies have reported increases in the number of systems for 
which contingency plans have been tested, at least 17 agencies had 
shortcomings in their continuity of operations plans. For example, one 
agency's disaster recovery planning had not been completed. 
Specifically, disaster recovery plans for three components of the 
agency were in draft form and had not been tested. Another agency did 
not include a business impact analysis in the contingency plan control, 
which would assist in planning for system recovery. In another example, 
supporting documentation for some of the functional tests at the agency 
did not adequately support testing results for verifying readability of 
backup tapes retrieved during the tests. Until agencies complete 
actions to address these weaknesses, they are at risk of not being able 
to appropriately recover systems in a timely manner from certain 
service disruptions. 

Agencywide Security Programs Were Not Fully Implemented: 

An underlying cause for information security weaknesses identified at 
federal agencies is that they have not yet fully or effectively 
implemented agencywide information security programs. An agencywide 
security program, as required by FISMA, provides a framework and 
continuing cycle of activity for assessing and managing risk, 
developing and implementing security policies and procedures, promoting 
security awareness and training, monitoring the adequacy of the 
entity's computer-related controls through security tests and 
evaluations, and implementing remedial actions as appropriate. Without 
a well-designed program, security controls may be inadequate; 
responsibilities may be unclear, misunderstood, and improperly 
implemented; and controls may be inconsistently applied. Such 
conditions may lead to insufficient protection of sensitive or critical 
resources. 

Twenty-three agencies had not fully or effectively implemented 
agencywide information security programs. Agencies often did not 
adequately design or effectively implement policies for elements key to 
an information security program. Weaknesses in agency information 
security program activities, such as risk assessments, information 
security policies and procedures, security planning, security training, 
system testing and evaluation, and remedial action plans are described 
next. 

Risk Assessments: 

In order for agencies to determine what security controls are needed to 
protect their information resources, they must first identify and 
assess their information security risks. Moreover, by increasing 
awareness of risks, these assessments can generate support for policies 
and controls. 

Agencies have not fully implemented their risk assessment processes. In 
addition, 14 major agencies had weaknesses in their risk assessments. 
Furthermore, they did not always properly assess the impact level of 
their systems or evaluate potential risks for the systems we reviewed. 
For example, one agency had not yet finalized and approved its guidance 
for completing risk assessments. In another example, the agency had not 
properly categorized the risk to its system, because it had performed a 
risk assessment without an inventory of interconnections to other 
systems. Similarly, another agency had not completed risk assessments 
for its critical systems and had not assigned impact levels. In another 
instance, an agency had current risk assessments that documented 
residual risk assessed and potential threats, and recommended 
corrective actions for reducing or eliminating the vulnerabilities they 
had identified. However, that agency had not identified many of the 
vulnerabilities we found and had not subsequently assessed the risks 
associated with them. As a result of these weaknesses, agencies may be 
implementing inadequate or inappropriate security controls that do not 
address the systems' true risk, and potential risks to these systems 
may not be known. 

Policies and Procedures: 

According to FISMA, each federal agency's information security program 
must include policies and procedures that are based on risk assessments 
that cost-effectively reduce information security risks to an 
acceptable level and ensure that information security is addressed 
throughout the life cycle of each agency's information system. The term 
'security policy' refers to specific security rules set up by the 
senior management of an agency to create a computer security program, 
establish its goals, and assign responsibilities. Because policy is 
written at a broad level, agencies also develop standards, guidelines, 
and procedures that offer managers, users, and others a clear approach 
to implementing policy and meeting organizational goals. 

Thirteen agencies had weaknesses in their information security policies 
and procedures. For example, one agency did not have updated policies 
and procedures for configuring operating systems to ensure they provide 
the necessary detail for controlling and logging changes. Another 
agency had not established adequate policies or procedures to implement 
and maintain an effective departmentwide information security program 
or to address key OMB privacy requirements. Agencies also exhibited 
weaknesses in policies concerning security requirements for laptops, 
user access privileges, security incidents, certification and 
accreditation, and physical security. As a result, agencies have 
reduced assurance that their systems and the information they contain 
are sufficiently protected. Without policies and procedures that are 
based on risk assessments, agencies may not be able to cost-effectively 
reduce information security risks to an acceptable level and ensure 
that information security is addressed throughout the life cycle of 
each agency's information system. 

Security Plans: 

FISMA requires each federal agency to develop plans for providing 
adequate information security for networks, facilities, and systems or 
groups of systems. According to NIST 800-18, system security planning 
is an important activity that supports the system development life 
cycle and should be updated as system events trigger the need for 
revision in order to accurately reflect the most current state of the 
system. The system security plan provides a summary of the security 
requirements for the information system and describes the security 
controls in place or planned for meeting those requirements. NIST 
guidance also indicates that all security plans should be reviewed and 
updated, if appropriate, at least annually. Further, appendix III of 
OMB Circular A-130 requires security plans to include controls for, 
among other things, contingency planning and system interconnections. 

System security plans were incomplete or out of date at several 
agencies. For example, one agency had an incomplete security plan for a 
key application. Another agency had only developed a system security 
plan that covered two of the six facilities we reviewed, and the plan 
was incomplete and not up to date. At another agency, 52 of the 57 
interconnection security agreements listed in the security plan were 
not current since they had not been updated within 3 years. Without 
adequate security plans in place, agencies cannot be sure that they 
have the appropriate controls in place to protect key systems and 
critical information. 

Specialized Training: 

Users of information resources can be one of the weakest links in an 
agency's ability to secure its systems and networks. Therefore, an 
important component of an agency's information security program is 
providing the required training so that users understand system 
security risks and their own role in implementing related policies and 
controls to mitigate those risks. 

Several agencies had not ensured that all information security 
employees and contractors, including those who have significant 
information security responsibilities, had received sufficient 
training. For example, users of one agency's IT systems had not been 
trained to check for continued functioning of their encryption software 
after installation. At another agency, officials stated that several of 
its components had difficulty in identifying and tracking all employees 
who have significant IT security responsibilities and thus were unable 
to ensure that they received the specialized training necessary to 
effectively perform their responsibilities. Without adequate training, 
users may not understand system security risks and their own role in 
implementing related policies and controls to mitigate those risks. 

System Tests and Evaluations: 

Another key element of an information security program is testing and 
evaluating system controls to ensure that they are appropriate, 
effective, and comply with policies. FISMA requires that agencies test 
and evaluate the information security controls of their major systems 
and that the frequency of such tests be based on risk, but occur no 
less than annually. NIST requires agencies to ensure that the 
appropriate officials are assigned roles and responsibilities for 
testing and evaluating controls over their systems. 

Agencies did not always implement policies and procedures for 
performing periodic testing and evaluation of their information 
security controls. For example, one agency had not adequately tested 
security controls. Specifically, the tests of a major application and 
the mainframe did not identify or discuss the vulnerabilities that we 
had identified during our audit. The same agency's testing did not 
reveal problems with the mainframe that could allow unauthorized users 
to read, copy, change, delete, and modify data. In addition, although 
testing requirements were stated in test documentation, the breadth and 
depth of the test, as well as the results of the test, had not always 
been documented. Also, agencies reported inconsistent testing of 
security controls among components. Without conducting the appropriate 
tests and evaluations, agencies have limited assurance that policies 
and controls are appropriate and working as intended. Additionally, 
there is an increased risk that undetected vulnerabilities could be 
exploited to allow unauthorized access to sensitive information. 

Remedial Action Processes and Plans: 

FISMA requires that agencies' information security programs include a 
process for planning, implementing, evaluating, and documenting 
remedial actions to address any deficiencies in the information 
security policies, procedures, and practices of the agency. 

Since our 2007 FISMA report, we have continued to find weaknesses in 
agencies' plans and processes for remedial actions. Agencies indicated 
that they had corrected or mitigated weaknesses; however, our work 
revealed that those weaknesses still existed. In addition, the 
inspectors general at 14 of the 24 agencies reported weaknesses in the 
plans to document remedial actions. For example, at several agencies, 
the inspector general reported that weaknesses had been identified but 
not documented in the remediation plans. Inspectors general further 
reported that agency plans did not include all relevant information in 
accordance with OMB instructions. We also found that deficiencies had 
not been corrected in a timely manner. Without a mature process and 
effective remediation plans, the risk increases that vulnerabilities in 
agencies' systems will not be mitigated in an effective and timely 
manner. 

Until agencies effectively and fully implement agencywide information 
security programs, federal data and systems will not be adequately 
safeguarded to prevent disruption, unauthorized use, disclosure, and 
modification. Further, until agencies implement our recommendations to 
correct specific information security control weaknesses, their systems 
and information will remain at increased risk of attack or compromise. 

Opportunities Exist for Bolstering Federal Information Security: 

In prior reports,[Footnote 16] we and inspectors general have made 
hundreds of recommendations to agencies for actions necessary to 
resolve prior significant control deficiencies and information security 
program shortfalls. For example, we recommended that agencies correct 
specific information security deficiencies related to user 
identification and authentication, authorization, boundary protections, 
cryptography, audit and monitoring, physical security, configuration 
management, segregation of duties, and continuity of operations 
planning. We have also recommended that agencies fully implement 
comprehensive, agencywide information security programs by correcting 
weaknesses in risk assessments, information security policies and 
procedures, security planning, security training, system tests and 
evaluations, and remedial actions. The effective implementation of 
these recommendations will strengthen the security posture at these 
agencies. Agencies have implemented or are in the process of 
implementing many of our recommendations. 

In March 2009, we reported on 12 key improvements suggested by a panel 
of experts as being essential to improving our national cyber security 
posture (see appendix III).[Footnote 17] The expert panel included 
former federal officials, academics, and private-sector executives. 
Their suggested improvements are intended to address many of the 
information security vulnerabilities facing both private and public 
organizations, including federal agencies. Among these improvements are 
recommendations to develop a national strategy that clearly articulates 
strategic objectives, goals, and priorities and to establish a 
governance structure for strategy implementation. 

Due to increasing cyber security threats, the federal government has 
initiated several efforts to protect federal information and 
information systems. Recognizing the need for common solutions to 
improving security, the White House, OMB, and federal agencies have 
launched or continued several governmentwide initiatives that are 
intended to enhance information security at federal agencies. These key 
initiatives are discussed here. 

* 60-day cyber review: The National Security Council and Homeland 
Security Council recently completed a 60-day interagency review 
intended to develop a strategic framework to ensure that federal cyber 
security initiatives are appropriately integrated, resourced, and 
coordinated with Congress and the private sector. The resulting report 
recommended, among other things, appointing an official in the White 
House to coordinate the nation's cybersecurity policies and activities, 
creating a new national cybersecurity strategy, and developing a 
framework for cyber research and development.[Footnote 18] 

* Comprehensive National Cybersecurity Initiative: In January 2008, 
President Bush began to implement a series of initiatives aimed 
primarily at improving the Department of Homeland Security and other 
federal agencies' efforts to protect against intrusion attempts and 
anticipate future threats.[Footnote 19] While these initiatives have 
not been made public, the Director of National Intelligence stated that 
they include defensive, offensive, research and development, and 
counterintelligence efforts, as well as a project to improve 
public/private partnerships.[Footnote 20] 

* The Information Systems Security Line of Business: The goal of this 
initiative, led by OMB, is to improve the level of information systems 
security across government agencies and reduce costs by sharing common 
processes and functions for managing information systems security. 
Several agencies have been designated as service providers for IT 
security awareness training and FISMA reporting. 

* Federal Desktop Core Configuration: For this initiative, OMB directed 
agencies that have Windows XP deployed and plan to upgrade to Windows 
Vista operating systems to adopt the security configurations developed 
by the National Institute of Standards and Technology, Department of 
Defense, and Department of Homeland Security. The goal of this 
initiative is to improve information security and reduce overall IT 
operating costs. 

* SmartBUY: This program, led by the General Services Administration, 
is to support enterprise-level software management through the 
aggregate buying of commercial software governmentwide in an effort to 
achieve cost savings through volume discounts. The SmartBUY initiative 
was expanded to include commercial off-the-shelf encryption software 
and to permit all federal agencies to participate in the program. The 
initiative is to also include licenses for information assurance. 

* Trusted Internet Connections Initiative: This effort, directed by OMB 
and led by the Department of Homeland Security, is designed to optimize 
individual agency network services into a common solution for the 
federal government. The initiative is to facilitate the reduction of 
external connections, including Internet points of presence, to a 
target of 50. 

We currently have ongoing work that addresses the status, planning, and 
implementation efforts of several of these initiatives. 

Agencies Continue to Report Progress in Implementing Requirements: 

Federal agencies reported increased compliance in implementing key 
information security control activities for fiscal year 2008; however, 
inspectors general at several agencies noted shortcomings with 
agencies' implementation of information security requirements. OMB also 
reported that agencies were increasingly performing key activities. 
Specifically, agencies reported increases in the number and percentage 
of systems that had been certified and accredited,[Footnote 21] the 
number and percentage of employees and contractors receiving security 
awareness training, and the number and percentage of systems with 
tested contingency plans. However, the number and percentage of systems 
that had been tested and evaluated at least annually decreased slightly 
and the number and percentage of employees who had significant security 
responsibilities and had received specialized training decreased 
significantly (see figure 6). Consistent with previous years, 
inspectors general continued to identify weaknesses with the processes 
and practices agencies have in place to implement FISMA requirements. 
Although OMB took steps to clarify its reporting instructions to 
agencies for preparing fiscal year 2008 reports, the instructions did 
not request inspectors general to report on agencies' effectiveness of 
key activities and did not always provide clear guidance to inspectors 
general. 

Figure 6: Reported Data for Selected Performance Metrics for 24 Major 
Agencies: 

[Refer to PDF for image: multiple vertical bar graph] 

Metric: Security awareness training; 
Fiscal year 2005: 81%; 
Fiscal year 2006: 91%; 
Fiscal year 2007: 84%; 
Fiscal year 2008: 89%. 

Metric: Specialized security training; 
Fiscal year 2005: 82%; 
Fiscal year 2006: 86%; 
Fiscal year 2007: 90%; 
Fiscal year 2008: 76%. 

Metric: Periodic testing and evaluation; 
Fiscal year 2005: 73%; 
Fiscal year 2006: 88%; 
Fiscal year 2007: 95%; 
Fiscal year 2008: 93%. 

Metric: Tested contingency plans; 
Fiscal year 2005: 61%; 
Fiscal year 2006: 77%; 
Fiscal year 2007: 86%; 
Fiscal year 2008: 91%. 

Metric: Agencies with 96-100 percent complete inventories; 
Fiscal year 2005: 54%; 
Fiscal year 2006: 75%; 
Fiscal year 2007: 79%; 
Fiscal year 2008: 88%. 

Metric: Certification and Accreditation; 
Fiscal year 2005: 85%; 
Fiscal year 2006: 88%; 
Fiscal year 2007: 92%; 
Fiscal year 2008: 96%. 

Source: GAO analysis of IG and agency data. 

[End of figure] 

Agencies Report Mixed Progress in Implementing Security Awareness and 
Specialized Training: 

Federal agencies rely on their employees to protect the 
confidentiality, integrity, and availability of the information in 
their systems. It is critical for system users to understand their 
security roles and responsibilities and to be adequately trained to 
perform them. FISMA requires agencies to provide security awareness 
training to personnel, including contractors and other users of 
information systems that support agency operations and assets. This 
training should explain information security risks associated with 
their activities and their responsibilities in complying with agency 
policies and procedures designed to reduce these risks. In addition, 
agencies are required to provide appropriate training on information 
security to personnel who have significant security responsibilities. 

Agencies reported a slight increase in the percentage of employees and 
contractors who received security awareness training. According to 
agency reports, 89 percent of total employees and contractors had 
received security awareness training in 2008 compared to 84 percent of 
employees and contractors in 2007. While this change marks an 
improvement between fiscal years 2007 and 2008, the percentage of 
employees and contractors receiving security awareness training is 
still below the 91 percent reported for 2006. In addition, seven 
inspectors general reported disagreement with the percentage of 
employees and contractors receiving security awareness training 
reported by their agencies. Additionally, several inspectors general 
reported specific weaknesses related to security awareness training at 
their agencies; for example, one inspector general reported that the 
agency lacked the ability to document and track which system users had 
received awareness training, while another inspector general reported 
that training did not cover the recommended topics. 

Governmentwide, agencies reported a lower percentage of employees with 
significant security responsibilities who had received specialized 
training. In fiscal year 2008, 76 percent of these employees had 
received specialized training compared with 90 percent of these 
employees in fiscal year 2007. Although the governmentwide percentage 
decreased, the majority of the 24 agencies reported increasing or 
unchanging percentages of employees receiving specialized training; 8 
of the 24 agencies reported percentage decreases (see figure 7). 

Figure 7: Specialized Training for 24 Major Agencies: 

[Refer to PDF for image: vertical bar graph] 

Increased: 12 agencies; 
No change: 4 agencies; 
Decreased: 8 agencies. 

Source: GAO analysis of agency data. 

[End of figure] 

At least 12 inspectors general reported weaknesses related to 
specialized security training. One of the inspectors general reported 
that some groups did not have a training program for personnel who have 
critical IT responsibilities and another inspector general reported 
that the agency was unable to effectively track contractors who needed 
specialized training. Decreases in the number of individuals receiving 
specialized training at some federal agencies combined with continuing 
deficiencies in training programs could limit the ability of agencies 
to implement security measures effectively. Providing for the 
confidentiality, integrity, and availability of information in today's 
highly networked environment is not an easy or trivial task. The task 
is made that much more difficult if each person who owns, uses, relies 
on, or manages information and information systems does not know or is 
not properly trained to carry out his or her specific responsibilities. 

Weaknesses Reported in Testing and Evaluating System Security Controls: 

Periodically evaluating the effectiveness of security policies and 
controls and acting to address any identified weaknesses are 
fundamental activities that allow an agency to manage its information 
security risks proactively, rather than reacting to individual problems 
ad hoc after a violation has been detected or an audit finding has been 
reported. Management control testing and evaluation as part of a 
program review is an additional source of information that can be 
considered along with controls testing and evaluation in inspector 
general and other independent audits to help provide a more complete 
picture of an agency's security posture. FISMA requires that federal 
agencies periodically test and evaluate the effectiveness of their 
information security policies, procedures, and practices as part of 
implementing an agencywide security program. This testing is to be 
performed with a frequency depending on risk, but no less than 
annually, and consists of testing management, operational, and 
technical controls for every system identified in the agency's required 
inventory of major information systems. For the annual FISMA reports, 
OMB requires that agencies identify the number of agency and contractor 
systems for which security controls have been tested. 

In 2008, federal agencies reported testing and reviewing security 
controls for 93 percent of their systems, a slight decline from 95 
percent in 2007. Despite this percentage remaining above 90 percent, 
inspectors general continued to identify deficiencies in agencies' 
testing and evaluation of security controls for their systems. For 
example, one agency's inspector general reported that system owners 
only reviewed documents to assess security controls and did not use 
other assessment methods as suggested by NIST guidance, such as 
selecting samples for testing and interviewing responsible parties. 
Another inspector general identified instances where the agency did not 
document the test results in the system's security test and evaluation 
report. In addition, two inspectors general reported that their 
agencies had not always tested the controls for their systems at least 
annually. As a result, agencies may not have reasonable assurance that 
controls have been implemented correctly, are operating as intended, 
and are producing the desired outcome with respect to meeting the 
security requirements of the agency. 

Agencies Reported Testing More Contingency Plans, but Inspectors 
General Often Cited Weaknesses: 

Continuity of operations planning ensures that agencies will be able to 
perform essential functions during any emergency or situation that 
disrupts normal operations. It is important that these plans be clearly 
documented, communicated to potentially affected staff, and updated to 
reflect current operations. In addition, testing contingency plans is 
essential to determining whether the plans will function as intended in 
an emergency situation. FISMA requires that agencywide information 
security programs include plans and procedures to ensure continuity of 
operations for information systems that support the operations and 
assets of the agency. To show the status of implementing contingency 
plans testing, OMB requires that agencies report the percentage of 
systems that have contingency plans tested in accordance with policy 
and guidance and requests that inspectors general also report this 
percentage for the subset of systems the inspector general selected for 
review. 

Federal agencies reported that 91 percent of their systems had 
contingency plans that had been tested, an increase from 86 percent 
tested in fiscal year 2007. In addition, agencies reported progress in 
the number of high-risk systems with tested contingency plans; 90 
percent of these systems had tested contingency plans, an increase from 
77 percent in fiscal year 2007. Agencies also reported 92 percent of 
moderate-risk systems, 90 percent of low-risk systems, and 96 percent 
of uncategorized systems with tested contingency plans. 

While agencies reported higher percentages of tested contingency plans, 
14 inspectors general reported weaknesses in their agencies' 
contingency planning development and testing. For example, the 
inspector general of one agency reported that contingency plans were 
missing required elements. Regarding the testing of contingency plans, 
another inspector general reported that the agency had not ensured that 
the contractor had tested contingency plans or periodically conducted 
quality testing. At another agency, the inspector general reported that 
the agency had not performed a full, comprehensive disaster recovery 
test to ensure that essential and critical systems and applications 
could be recovered. Without developing contingency plans and ensuring 
that they are tested, an agency increases its risk that it will not be 
able to effectively recover and continue operations when an emergency 
occurs. 

Agencies Reported More Systems, but Deficiencies Were Identified in 
Inventory Processes: 

In fiscal year 2008, 24 major agencies reported a total of 10,587 
systems, composed of 8,685 agency and 1,902 contractor systems as shown 
by impact level in table 1. This represents a slight increase in the 
total number of systems from fiscal year 2007. Specifically, the number 
of agency systems decreased slightly and the number of contractor 
systems increased by 40 percent. 

Table 1: Total Number of Agency and Contractor Systems in FY 2007 and 
FY 2008 by Impact Level: 

Impact level: High; 
Agency: FY07: 1,089; 
Agency: FY08: 1,043; 
Contractor: FY07: 121; 
Contractor: FY08: 113; 
Total: FY07: 1,210; 
Total: FY08: 1,156. 

Impact level: Moderate; 
Agency: FY07: 3,264; 
Agency: FY08: 3,556; 
Contractor: FY07: 513; 
Contractor: FY08: 535; 
Total: FY07: 3,777; 
Total: FY08: 4,091. 

Impact level: Low; 
Agency: FY07: 4,351; 
Agency: FY08: 3,943; 
Contractor: FY07: 334; 
Contractor: FY08: 738; 
Total: FY07: 4,685; 
Total: FY08: 4,681. 

Impact level: Not categorized; 
Agency: FY07: 229; 
Agency: FY08: 143; 
Contractor: FY07: 384; 
Contractor: FY08: 516; 
Total: FY07: 613; 
Total: FY08: 659. 

Impact level: Total; 
Agency: FY07: 8,933; 
Agency: FY08: 8,685; 
Contractor: FY07: 1,352; 
Contractor: FY08: 1,902; 
Total: FY07: 10,285; 
Total: FY08: 10,587. 

Source: GAO analysis of agency FY 2007 and FY 2008 FISMA reports. 

[End of table] 

Eleven inspectors general identified weaknesses in their agencies' 
inventory process. For example, one inspector general agreed that its 
agency's inventory accurately captured the number of active systems, 
but indicated that the inventory also included systems in development 
that were not labeled as such and therefore could not be inventoried 
accurately. Another inspector general reported that its 
agency had not verified the inventory information reported by its 
components, but had instead relied on an honor system of reporting. 
Other weaknesses included contractor systems not listed in the 
inventory or an agency not having interfaces to other systems 
identified in its inventory. Without complete, accurate inventories, 
agencies cannot efficiently maintain and secure their systems. 

Agencies Reported Higher Percentages, but Inspectors General Highlight 
Weaknesses in the Quality of Certifications and Accreditations: 

OMB has continued to emphasize its long-standing policy of requiring a 
management official to formally authorize (accredit) an information 
system to process information and accept the risk associated with its 
operation based on a formal evaluation (certification) of the system's 
security controls. For the annual FISMA reports, OMB requires agencies 
to identify the number of systems and impact levels authorized for 
processing after completing certification and accreditation. OMB 
requests that inspectors general also report this percentage for the 
subset of systems reviewed. In addition, OMB asks the inspectors 
general to rate the quality of the agency's certification and 
accreditation process on a scale of failing to excellent. Inspectors 
general may also indicate which aspects of the certification and 
accreditation process have been considered in determining that rating, 
such as the security plan, system impact level, system test and 
evaluation, security control testing, incident handling, security 
awareness training, configurations/patching, and other items. OMB's 
annual reporting template also allows the inspectors general to comment 
on their agencies' certification and accreditation processes. 

Federal agencies reported higher percentages of systems that have been 
certified and accredited than in 2007. For fiscal year 2008, 96 percent 
of the agencies' systems were reported as being certified and 
accredited, as compared with 92 percent in 2007. In addition, agencies 
reported certifying and accrediting 98 percent of their high-risk 
systems, an increase from 95 percent in 2007. 

Although agencies continue to report higher percentages of certified 
and accredited systems, inspectors general continue to report mixed 
results in the quality of the certification and accreditation processes 
at their agencies. To illustrate, 17 inspectors general reported 
specific weaknesses in their agencies' certification and accreditation 
processes. For example, two inspectors general rated their agencies' 
certification and accreditation process as poor or failing, while both 
of those agencies reported that more than 90 percent of their systems 
had been certified and accredited. In another example, the inspector 
general of one agency stated that systems had been authorized to 
operate without sufficient testing of the adequacy of mandatory 
security controls. Inspectors general also cited other weaknesses, such 
as the security plan not providing an adequate basis for certification 
and accreditation and the risk assessment not identifying risks for 
vulnerabilities exposed by previous testing. Without ensuring the 
complete certification and accreditation of a system, agency officials 
may not have the most complete, accurate, and trustworthy information 
possible on the security status of their information systems in order 
to make timely, credible, risk-based decisions on whether to authorize 
operation of those systems. 

Agencies Report Having Configuration Management Policies, but Did Not 
Always Implement Them: 

Risk-based policies and procedures cost-effectively reduce information 
security risks to an acceptable level and ensure that information 
security is addressed throughout the life cycle of each information 
system in an information security program; a key aspect of these 
policies and procedures is having minimally acceptable configuration 
standards. Configuration standards can minimize the security risks 
associated with specific software applications widely used in an agency 
or across agencies. Because IT products are often intended for a wide 
variety of audiences, restrictive security controls are usually not 
enabled by default, making many of the products vulnerable before they 
are used. 

FISMA requires each agency to have policies and procedures that ensure 
compliance with minimally acceptable system configuration requirements, 
as determined by the agency. In fiscal year 2008, for the first time, 
OMB required agencies to report on whether they had implemented 
security configurations prescribed under OMB's memorandum for Windows 
Vista and XP operating systems.[Footnote 22] For annual FISMA 
reporting, OMB requires agencies to report whether they have an 
agencywide security configuration policy; the extent to which they have 
implemented common security configurations, including those available 
from the NIST Web site, on applicable systems; and whether or not they 
have adopted and implemented Windows XP and Vista standard 
configurations, documented deviations, and implemented the settings. 
OMB also requested inspectors general to report on their agencies' 
implementation of these configurations. 

Reporting by agencies and inspectors general illustrates that, while 
many agencies had configuration policies, those policies had not always 
been implemented. All 24 major federal agencies reported that they had 
an agencywide security configuration policy. Even though 22 inspectors 
general agreed that their agency had such a policy, they did not agree 
that the implementation was always as high as the agencies had 
reported. For example, 12 agencies reported implementing common 
security configurations 96 to 100 percent of the time, but only 6 
inspectors general reported this. In another example, only one agency 
reported implementing common security configurations 0 to 50 percent of 
the time, while seven inspectors general reported this level of 
implementation for their agencies. In addition, only seven agencies and 
six inspectors general reported that the agency had implemented 
standard security settings. If policies for minimally acceptable 
configuration requirements are not properly implemented and applied to 
systems, agencies will not have assurance that products have been 
configured adequately to protect those systems, which could leave them 
more vulnerable. 
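
The following is an added illustration, not part of the GAO report or 
of any agency's tooling, of the kind of check behind the figures 
discussed above: each system is compared with a minimally acceptable 
configuration baseline, documented deviations are honored, and the 
share of compliant systems is mapped onto the percentage bands the 
report quotes. The baseline settings, host reports and deviation 
records are constructed sample data; treating a documented deviation 
as acceptable, and labelling everything between the two bands named in 
the report as "51-95", are this example's own modelling choices. 

```python
"""Added example (not from the GAO report): checking hosts against a
minimally acceptable configuration baseline and summarising the result
in the percentage form the report quotes.

Assumptions: the baseline settings, host reports and deviation records
are constructed sample data; a documented deviation is treated as an
accepted departure from the baseline; only the 96-100 and 0-50 percent
bands named in the report are modelled exactly."""
from dataclasses import dataclass, field

# Constructed sample baseline: setting name -> required value.
BASELINE = {
    "MinimumPasswordLength": 12,
    "AccountLockoutThreshold": 5,
    "AutorunDisabled": True,
    "GuestAccountEnabled": False,
    "RemoteRegistryService": "Disabled",
}


@dataclass
class HostReport:
    """Settings collected from one system plus its documented deviations."""
    name: str
    settings: dict
    # setting name -> written justification for departing from the baseline
    documented_deviations: dict = field(default_factory=dict)


def check_host(host, baseline=BASELINE):
    """Return (compliant, findings). A finding is (setting, expected, actual)
    for every baseline setting that neither matches nor has a documented
    deviation. A setting absent from the host is reported with actual=None."""
    findings = []
    for setting, expected in baseline.items():
        actual = host.settings.get(setting)
        if actual == expected or setting in host.documented_deviations:
            continue
        findings.append((setting, expected, actual))
    return not findings, findings


def implementation_rate(hosts, baseline=BASELINE):
    """Percentage of hosts that fully implement the baseline."""
    if not hosts:
        return 0.0
    compliant = sum(1 for h in hosts if check_host(h, baseline)[0])
    return 100.0 * compliant / len(hosts)


def reporting_band(rate):
    """Map a rate onto the percentage bands used in the FISMA reporting
    discussed in the report; only the two named bands are exact."""
    if rate >= 96.0:
        return "96-100"
    if rate <= 50.0:
        return "0-50"
    return "51-95"


# Constructed sample hosts: one compliant, one with a documented
# deviation, one with two undocumented departures from the baseline.
SAMPLE_HOSTS = [
    HostReport("ws-01", dict(BASELINE)),
    HostReport("ws-02", {**BASELINE, "MinimumPasswordLength": 8},
               documented_deviations={
                   "MinimumPasswordLength":
                   "legacy application exception (constructed justification)"}),
    HostReport("ws-03", {**BASELINE, "AutorunDisabled": False,
                         "GuestAccountEnabled": True}),
]


def sample_summary():
    """Run the check over the sample hosts and return a summary dict."""
    rate = implementation_rate(SAMPLE_HOSTS)
    return {
        "rate": rate,
        "band": reporting_band(rate),
        "findings": {h.name: check_host(h)[1] for h in SAMPLE_HOSTS},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(sample_summary())
```

The point of separating undocumented departures from documented 
deviations is that an agency and its inspector general can disagree 
on the rate simply by counting deviations differently; keeping the 
per-setting findings alongside the percentage makes that visible. 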

Most Agencies Reported Following Security Incident Procedures, but 
Weaknesses in Procedures Continue at Selected Agencies: 

Although strong controls may not block all intrusions and misuse, 
agencies can reduce the risks associated with such events if they take 
steps to detect and respond to them before significant damage occurs. 
Accounting for and analyzing security problems and incidents are also 
effective ways for an agency to improve its understanding of threats 
and the potential costs of security incidents, and doing so can 
pinpoint vulnerabilities that need to be addressed so that they are not 
exploited again. 

FISMA requires that agencies' security programs include procedures for 
detecting, reporting, and responding to security incidents. NIST states 
that agencies are responsible for determining specific ways to meet 
these requirements. For FISMA reporting, OMB requires agencies to state 
whether or not the agency follows documented policies and procedures 
for reporting incidents internally, to the US-Computer Emergency 
Readiness Team (US-CERT), and to law enforcement. OMB also requires 
agencies to indicate additional information about their incident 
detection and monitoring capabilities, including what tools and 
technologies the agency uses for incident detection. For FISMA 
reporting, inspectors general are also requested to state whether or 
not their agencies follow documented policies and procedures for 
reporting incidents internally, to US-CERT, and to law enforcement. 

All of the agencies reported that they had followed policies and 
procedures for reporting incidents internally and to law enforcement 
during fiscal year 2008, and only one agency reported that it had not 
followed documented policies and procedures for reporting incidents to 
US-CERT. 

While the majority of inspectors general continue to report that their 
agencies are following documented procedures for identifying and 
reporting incidents internally as well as to US-CERT and to law 
enforcement, there was a slight increase in the number of inspectors 
general who reported that their agencies were not following these 
procedures. Six inspectors general noted that their agency was not 
following procedures for internal incident reporting compared to five 
in fiscal year 2007. Four inspectors general noted that their agency 
was not following reporting procedures to US-CERT compared to two in 
2007, and two noted that their agency was not following reporting 
procedures to law enforcement compared to one in 2007. 

At least 12 inspectors general also noted specific weaknesses in 
incident procedures, such as a lack of fully documented policies and 
procedures for responding to security incidents, a lack of control 
procedures to ensure that audit trails were being maintained and 
reviewed, and instances where incidents were not always handled and 
reported in accordance with requirements. An incident response 
capability is necessary for rapidly detecting incidents, minimizing 
loss and destruction, mitigating the weaknesses that were exploited, 
and restoring computing services. Without proper incident response and 
documentation, agencies risk losing valuable information needed to 
prevent future exploits and to understand the nature and cost of the 
threats directed at them. 

Agencies Report Improvements in Remedial Actions, but Processes Could 
Be Strengthened: 

Developing remedial action plans is key to ensuring that remedial 
actions are taken to address significant deficiencies and reduce or 
eliminate known vulnerabilities. These plans should list the weaknesses 
and show the estimated resource needs and the status of corrective 
actions. The plans are intended to assist agencies in identifying, 
assessing, prioritizing, and monitoring the progress of corrective 
efforts for security weaknesses found in programs and systems. FISMA 
requires that agency information security programs include a process 
for planning, implementing, evaluating, and documenting remedial 
actions to address any deficiencies in information security policies, 
procedures, and practices. In addition, OMB requires agencies to report 
quarterly regarding their remediation efforts for all programs and 
systems where a security weakness has been identified. It also requests 
that inspectors general assess and report annually on whether their 
agency has developed, implemented, and managed an agencywide process 
for these plans. 

Inspectors general reported an increase in the number of agencies that 
had developed and implemented plans of action and milestones (POA&M) 
when weaknesses were identified. For 2008, 13 inspectors general 
reported that their agency had developed POA&Ms 96 to 100 percent of 
the time when weaknesses were identified, up from 11 inspectors general 
reporting this in 2007. However, many still cited weaknesses with their 
agency's POA&M process. Several mentioned that their agency did not 
always include weaknesses or vulnerabilities identified through 
security controls testing or inspector general reviews in the POA&M. 
They also reported that their agency did not always properly track 
weaknesses because the status of individual weaknesses was not always 
accurate. Without a sound remediation process, agencies cannot be 
assured that information security weaknesses have been efficiently and 
effectively corrected. 
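
The following is an added illustration, not part of the GAO report or 
of any agency's POA&M tooling, of a reconciliation that would surface 
the two weaknesses inspectors general cited above: findings from 
control testing or inspector general reviews that never made it into 
the POA&M, and entries whose recorded status does not match the 
verified state of the weakness. The findings, POA&M entries, status 
vocabulary and dates are constructed sample data, and the three checks 
are this example's own modelling of the process the report describes. 

```python
"""Added example (not from the GAO report): reconciling a plan of action
and milestones (POA&M) against the weaknesses found by security control
testing and inspector general reviews.

Assumptions: the findings, POA&M entries and dates are constructed
sample data; the status vocabulary ("open", "ongoing", "completed") and
the three checks (missing entries, inaccurate status, overdue
milestones) are this example's own modelling."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    finding_id: str
    source: str        # where the weakness was identified
    system: str
    description: str
    still_open: bool   # outcome of the most recent verification


@dataclass(frozen=True)
class PoamEntry:
    weakness_id: str
    finding_id: str    # the finding this entry tracks
    status: str        # "open", "ongoing" or "completed"
    scheduled_completion: date
    resources: str     # estimated resource need, as the report describes


def reconcile(findings, poam, as_of):
    """Compare findings with the POA&M and return the discrepancies:
    - missing: findings with no POA&M entry at all
    - inaccurate_status: entries marked completed for a weakness that is
      still open, or not completed for a weakness verified closed
    - overdue: entries not completed whose milestone date has passed
    """
    entries_by_finding = {e.finding_id: e for e in poam}
    findings_by_id = {f.finding_id: f for f in findings}

    missing = sorted(f.finding_id for f in findings
                     if f.finding_id not in entries_by_finding)

    inaccurate = []
    overdue = []
    for entry in poam:
        finding = findings_by_id.get(entry.finding_id)
        completed = entry.status == "completed"
        # Status is inaccurate when "completed" and "still open" agree.
        if finding is not None and completed == finding.still_open:
            inaccurate.append(entry.weakness_id)
        if not completed and entry.scheduled_completion < as_of:
            overdue.append(entry.weakness_id)

    return {"missing": missing,
            "inaccurate_status": sorted(inaccurate),
            "overdue": sorted(overdue)}


# Constructed sample data: F-2 was never entered in the POA&M, W-1 is
# marked completed although F-1 is still open, and W-3 is still "ongoing"
# past its milestone although F-3 has been verified closed.
SAMPLE_FINDINGS = [
    Finding("F-1", "control test", "payroll", "default vendor account enabled", True),
    Finding("F-2", "IG review", "grants", "audit logs not reviewed", True),
    Finding("F-3", "control test", "payroll", "unpatched database service", False),
]
SAMPLE_POAM = [
    PoamEntry("W-1", "F-1", "completed", date(2009, 3, 31), "1 staff-week"),
    PoamEntry("W-3", "F-3", "ongoing", date(2009, 1, 31), "vendor patch"),
]
AS_OF = date(2009, 5, 1)  # constructed reporting date


def sample_reconciliation():
    """Reconcile the constructed sample data as of AS_OF."""
    return reconcile(SAMPLE_FINDINGS, SAMPLE_POAM, AS_OF)


if __name__ == "__main__":
    for category, ids in sample_reconciliation().items():
        print(f"{category}: {ids}")
```

Running the reconciliation on every testing cycle, rather than only 
when the POA&M is assembled for quarterly reporting, is what keeps the 
status of individual weaknesses accurate in the sense the report asks 
for. 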

Inspectors General Report Using Professional Standards for Conducting 
Independent Evaluations More, but Opportunities to Improve Consistency 
Remain: 

An increasing number of inspectors general reported conducting annual 
independent evaluations in accordance with professional standards and 
provided additional information about the effectiveness of their 
agency's security programs. FISMA requires agency inspectors general or 
their independent external auditors to perform an independent 
evaluation of the information security programs and practices of the 
agency to determine the effectiveness of the programs and practices. We 
have previously reported[Footnote 23] that the annual inspector general 
independent evaluations lacked a common approach and that the scope and 
methodology of the evaluations varied across agencies. We noted that 
there was an opportunity to improve these evaluations by conducting 
them in accordance with audit standards or a common approach and 
framework. 

In fiscal year 2008, 16 of 24 inspectors general cited using 
professional standards to perform the annual FISMA evaluations, up from 
8 inspectors general who cited using standards the previous year. Of 
the 16 inspectors general, 13 reported performing evaluations that were 
in accordance with generally accepted government auditing standards, 
while the other 3 indicated using the "Quality Standards for 
Inspections" issued by the President's Council on Integrity and 
Efficiency.[Footnote 24] The remaining eight inspectors general cited 
using internally developed standards or did not indicate whether they 
had performed their evaluations in accordance with professional 
standards. 

In addition, an increasing number of inspectors general provided 
supplemental information about their agency's information security 
policies and practices. To illustrate, 21 of 24 inspectors general 
reported additional information about the effectiveness of their 
agency's security controls and programs that was above and beyond what 
was requested in the OMB template, an increase from the 18 who had 
provided such additional information in their fiscal year 2007 reports. 
The additional information included descriptions of significant control 
deficiencies and weaknesses in security processes that provided 
additional context to the agency's security posture. 

Although inspectors general reported using professional standards more 
frequently, their annual independent evaluations occasionally lacked 
consistency. For example, 

* Three inspectors general provided only template responses and did not 
identify the scope and methodology of their evaluation. (These three 
inspectors general were also among those who had not reported 
performing their evaluation in accordance with professional standards.) 

* Descriptions of the controls evaluated during the review as 
documented in the scope and methodology sections differed. For example, 
according to their FISMA reports, a number of inspectors general stated 
that their evaluations included a review of policies and procedures, 
whereas others did not indicate whether policies and procedures had 
been reviewed. Additionally, multiple inspectors general also indicated 
that technical vulnerability assessments had been conducted as part of 
the review, whereas others did not indicate whether such an assessment 
had been part of the review. 

* Eleven inspectors general indicated that their FISMA evaluations 
considered the results of previous information security reviews, 
whereas 13 inspectors general did not indicate whether they considered 
other information security work, if any. 

The development and use of a common framework or adherence to auditing 
standards could provide improved effectiveness, increased efficiency, 
quality control, and consistency in inspector general assessments. 

Opportunities Remain for OMB to Improve Annual Reporting and Oversight 
of Agency Information Security Programs: 

Although OMB has supported several governmentwide initiatives and 
provided additional guidance to help improve information security at 
agencies, opportunities remain for it to improve its annual reporting 
and oversight of agency information security programs. FISMA specifies 
that OMB, among other responsibilities, is to develop policies, 
principles, standards, and guidelines on information security and 
report to Congress not later than March 1 of each year on agencies' 
implementation of FISMA. Each year, OMB provides instructions to 
federal agencies and their inspectors general for preparing their FISMA 
reports and then summarizes the information provided by the agencies 
and the inspectors general in its report to Congress. 

Over the past 4 years, we have reported[Footnote 25] that, while the 
periodic reporting of performance measures for FISMA requirements and 
related analysis provides valuable information on the status and 
progress of agency efforts to implement effective security management 
programs, shortcomings in OMB's reporting instructions limited the 
utility of the annual reports. Accordingly, we recommended that OMB 
improve reporting by clarifying reporting instructions; develop 
additional metrics that measure control effectiveness; request 
inspectors general to assess the quality of additional information 
security processes such as system test and evaluation, risk 
categorization, security awareness training, and incident reporting; 
and require agencies to report on additional key security activities 
such as patch management. Although OMB has taken some actions to 
enhance its reporting instructions, it has not implemented most of the 
recommendations, and thus further actions need to be taken to fully 
address them. 

In addition to the previously reported shortcomings, OMB's reporting 
instructions for fiscal year 2008 did not sufficiently address several 
processes key to implementing an agencywide security program and were 
sometimes unclear. For example, the reporting instructions did not 
request inspectors general to provide information on the quality or 
effectiveness of agencies' processes for developing and maintaining 
inventories, providing specialized security training, and monitoring 
contractors. For these activities, inspectors general were requested to 
report only on the extent to which agencies had implemented the 
activity but not on the effectiveness of those activities. Providing 
information on the effectiveness of the processes used to implement the 
activities could further enhance the usefulness of the data for 
management and oversight purposes. 

OMB's guidance to inspectors general for rating agencies' certification 
and accreditation processes was not clear. In its reporting 
instructions, OMB requests inspectors general to rate their agency's 
certification and accreditation process using the terms "excellent," 
"good," "satisfactory," "poor," or "failing." However, the reporting 
instructions do not define or identify criteria for determining the 
level of performance for each rating. OMB also requests inspectors 
general to identify the aspect(s) of the certification and 
accreditation process they included or considered in rating the quality 
of their agency's process. Examples OMB included were security plan, 
system impact level, system test and evaluation, security control 
testing, incident handling, security awareness training, and security 
configurations (including patch management). While this information is 
helpful and provides insight on the scope of the rating, inspectors 
general were not requested to comment on the quality or effectiveness 
of these items. Additionally, not all inspectors general considered the 
same aspects in reviewing the certification and accreditation process, 
yet all were allowed to provide the same rating. Without clear 
guidelines for rating these processes, OMB and Congress may not have a 
consistent basis for comparing the progress of an agency over time or 
against other agencies. 

In its report to Congress for fiscal year 2008, OMB did not fully 
summarize the findings from the inspectors general independent 
evaluations or identify significant deficiencies in agencies' 
information security practices. FISMA requires OMB to provide a summary 
of the findings of agencies' independent evaluations and significant 
deficiencies in agencies' information security practices. Inspectors 
general often document their findings and significant information 
security control deficiencies in reports that support their 
evaluations. However, OMB did not summarize and present this 
information in its annual report to Congress. Most of the inspectors 
general information summarized in the annual report was taken from the 
"yes" or "no" responses or from questions having a predetermined range 
of percentages as stipulated by OMB's reporting template. Thus, 
important information about the implementation of agency information 
security programs and the vulnerabilities and risks associated with 
federal information systems was not provided to Congress in OMB's 
annual report. This information could be useful in determining whether 
agencies are effectively implementing information security policies, 
procedures, and practices. As a result, Congress may not be fully 
informed about the state of federal information security. 

OMB also did not approve or disapprove agencies' information security 
programs. FISMA requires OMB to review agencies' information security 
programs at least annually and approve or disapprove them. OMB 
representatives informed us that they review agencies' FISMA reports 
and interact with agencies whenever an issue arises that requires their 
oversight. However, representatives stated that they do not explicitly 
or publicly declare that an agency's information security program has 
been approved or disapproved. As a result, a mechanism for establishing 
accountability and holding agencies accountable for implementing 
effective programs was not used. 

Conclusions: 

Weaknesses in information security controls continue to threaten the 
confidentiality, integrity, and availability of the sensitive data 
maintained by federal agencies. These weaknesses, including those for 
access controls, configuration management, and segregation of duties, 
leave federal agency systems and information vulnerable to external as 
well as internal threats. The White House, OMB, and federal agencies 
have initiated actions intended to enhance information security at 
federal agencies. However, until agencies fully and effectively 
implement information security programs and address the hundreds of 
recommendations that we and agency inspectors general have made, 
federal systems will remain at an increased and unnecessary risk of 
attack or compromise. 

Despite these weaknesses, federal agencies have continued to report 
progress in implementing key information security requirements. While 
NIST, inspectors general, and OMB have all made progress toward 
fulfilling their statutory requirements, the current reporting process 
does not produce information to accurately gauge the effectiveness of 
federal information security activities. OMB's annual reporting 
instructions did not cover key security activities and were not always 
clear. Finally, OMB did not include key information about findings and 
significant deficiencies identified by inspectors general in its 
governmentwide report to Congress and did not approve or disapprove 
agency information security programs. Shortcomings in reporting and 
oversight can result in insufficient information being provided to 
Congress and diminish its ability to monitor and assist federal 
agencies in improving the state of federal information security. 

Recommendations for Executive Action: 

We recommend that the Director of the Office of Management and Budget 
take the following four actions: 

* Update annual reporting instructions to request inspectors general to 
report on the effectiveness of agencies' processes for developing 
inventories, monitoring contractor operations, and providing 
specialized security training. 

* Clarify and enhance reporting instructions to inspectors general for 
certification and accreditation evaluations by providing them with 
guidance on the requirements for each rating category. 

* Include in OMB's report to Congress a summary of the findings from 
the annual independent evaluations and significant deficiencies in 
information security practices. 

* Approve or disapprove agency information security programs after 
review. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, the Federal Chief 
Information Officer (CIO)[Footnote 26] generally agreed with our 
overall assessment of information security at the agencies. He also 
identified actions that OMB is taking to clarify its reporting guidance 
and to consider more effective security performance metrics. These 
actions are consistent with the intent of two of our recommendations, 
that OMB clarify and enhance reporting instructions and request 
inspectors general to report on additional measures of effectiveness. 

The Federal CIO did not address our recommendation to include a summary 
of the findings and significant security deficiencies in its report to 
Congress and did not concur with GAO's conclusion that OMB does not 
approve or disapprove agencies' information security management 
programs on an annual basis. He indicated that OMB reviews all agency 
and IG FISMA reports annually; reviews quarterly information on the 
major agencies' security programs; and uses this information, and other 
reporting, to evaluate agencies' security programs. The Federal CIO 
advised that concerns are communicated directly to the agencies. We 
acknowledge that these are important oversight activities. However, as 
we reported, OMB did not demonstrate that it approved or disapproved 
agency information security programs, as required by FISMA. 
Consequently, a mechanism for holding agencies accountable for 
implementing effective programs is not being effectively used. 

We are sending copies of this report to the Office of Management and 
Budget and other interested parties. In addition, this report will be 
available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you have any questions regarding this report, please contact me at 
(202) 512-6244 or by e-mail at wilshuseng@gao.gov. Contact points for 
our Office of Congressional Relations and Public Affairs may be found 
on the last page of this report. Key contributors to this report are 
listed in appendix IV. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

In accordance with the Federal Information Security Management Act of 
2002 (FISMA) requirement that the Comptroller General report 
periodically to Congress, our objectives were to evaluate (1) the 
adequacy and effectiveness of agencies' information security policies 
and practices and (2) federal agency implementation of FISMA 
requirements. 

To assess the adequacy and effectiveness of agency information security 
policies and practices, we analyzed our related reports issued from May 
2007 through April 2009. We also reviewed and analyzed the information 
security work and products of agency inspectors general. Further, we 
reviewed and summarized weaknesses identified in our reports and those 
of inspectors general using five major categories of information 
security controls: (1) access controls, (2) configuration management 
controls, (3) segregation of duties, (4) continuity of operations 
planning, and (5) agencywide information security programs. Our reports 
generally used the methodology contained in the Federal Information 
System Controls Audit Manual.[Footnote 27] We also examined information 
provided by the U.S. Computer Emergency Readiness Team (US-CERT) on 
reported security incidents. 

To assess the implementation of FISMA requirements, we reviewed and 
analyzed the provisions of the act[Footnote 28] and the mandated annual 
FISMA reports from the Office of Management and Budget (OMB), the 
National Institute of Standards and Technology (NIST), and the CIOs and 
IGs of 24 major federal agencies for fiscal years 2007 and 2008. We 
also examined OMB's FISMA reporting instructions and other OMB and NIST 
guidance. 

We also held discussions with OMB representatives and agency officials 
from the National Institute of Standards and Technology and the 
Department of Homeland Security's US-CERT to further assess the 
implementation of FISMA requirements. We did not verify the accuracy of 
the agencies' responses; however, we reviewed supporting documentation 
that agencies provided to corroborate information provided in their 
responses. We did not include systems categorized as national security 
systems in our review, nor did we review the adequacy or effectiveness 
of the security policies and practices for those systems. 

We conducted this performance audit from December 2008 to May 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

[End of section] 

Appendix II: Comments from the Office of Management and Budget: 

Executive Office Of The President: 
Office Of Management And Budget: 
Washington, D.C. 20503: 

June 23, 2009: 

Gregory Wilshusen: 
Director: 
The Government Accountability Office: 
441 G Street, Northwest: 
Washington, D.C. 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on your draft report, 
"Information Security: Agencies Continue to Report Progress, but Need 
to Mitigate Persistent Weaknesses" (GAO-09-546). 

We agree that agencies have shown progress in compliance with the 
Federal Information Security Management Act (FISMA) and that they need 
to continue to work to improve their information security postures. 
FISMA is the foundation of Federal information security activities, and 
we appreciate GAO's thoughtful analysis. We also agree that improved 
consistency in the reporting of the Inspectors General would contribute 
to a clearer picture of information security in the Federal government. 

OMB is committed to the vision of a secure Federal government, and we 
are taking steps to make that vision a reality. We have initiated a 
review of the language in the current reporting instructions to 
identify and clarify confusion in the annual reporting. We are in 
discussions with both the Information Security and Identity Management 
Committee of the CIO Council and the Council of Inspectors General on 
Integrity and Efficiency (CIGIE). Both entities have provided comments 
and participated in discussions about the forthcoming FY 2009 guidance 
to agencies. As part of this initiative, OMB has requested that the 
CIGIE provide definitions for the categories used in the annual 
reporting guidance or suggest alternatives. 

In addition to clarifying the current guidance, OMB is also 
undertaking a thorough review of the current reporting metrics. While 
these metrics may have made sense when FISMA was enacted, they are 
largely focused on compliance and as such are trailing, rather than 
leading, indicators. Instead, we need metrics that give insight into 
agencies' security postures and possible vulnerabilities on an on-going 
basis. 

To evaluate new metrics, we are taking a collaborative approach. We are 
working with the community of Federal agency Chief Information Officers 
and Chief Information Security Officers, as well as the Inspectors 
General and the National Institute of Standards and Technology, to 
consider more effective security performance metrics--ones that show 
current status and are predictive in nature. In addition, we are 
reaching out to a broad array of organizations, across the public and 
private sectors and academia. 

In addition, the current annual reporting process is both manual and 
cumbersome. Currently, the more than 160 agencies that report under 
FISMA send in more than 200 spreadsheets. OMB is planning to move FISMA 
reporting to an internet-enabled database for FY 2009 reporting. This 
automation will allow the collection of more evaluative metrics, such 
as performance metrics. 

While OMB fully agrees with GAO on the need for agencies to continue 
to improve their information security and comply with FISMA, we do not 
concur with GAO's conclusion that OMB does not review and approve or 
disapprove agencies' information security management programs on an 
annual basis. OMB reviews all agency and IG FISMA reports annually. For 
the major agencies, OMB also receives and reviews quarterly information 
on their security programs. OMB uses this information, and other 
reporting, to evaluate agencies' security management programs. Concerns 
are communicated directly to the agencies. 

Our nation's security and economic prosperity depend on the stability 
and integrity of Federal communications and information infrastructure. 
Safeguarding these important interests will require balanced decision-
making that integrates and harmonizes our national and economic 
security objectives with our privacy rights, civil liberties, and open 
government. As a first step, the President directed a 60-day review of 
cybersecurity policies and efforts throughout the government. OMB 
worked closely with other White House offices on this review. The 
President has accepted the recommendations of the review, including the 
appointment of a presidential advisor for cybersecurity and the update 
of the National Plan to Secure Cyberspace. OMB will continue to be 
involved in and support these efforts. 

Thank you again for the opportunity to comment on this draft report and 
to discuss our work on the implementation of FISMA. 

Sincerely, 

Signed by: 

Vivek Kundra: 
Chief Information Officer: 

[End of section] 

Appendix III: Cybersecurity Experts Highlighted Key Improvements for 
Strengthening the Nation's Cyber Security: 

In March 2009, we convened a panel of experts to discuss how to improve 
key aspects of the national cyber security strategy and its 
implementation as well as other critical aspects of the strategy, 
including areas for improvement. The experts, who included former 
federal officials, academics, and private-sector executives, 
highlighted 12 key improvements that are, in their view, essential to 
improving the strategy and our national cyber security posture. These 
improvements are in large part consistent with our previously mentioned 
reports and extensive research and experience in this area. 

Table 2: Key Improvements Needed to Strengthen the Nation's 
Cybersecurity Posture: 

Cyber security improvement: 1. Develop a national strategy that clearly 
articulates strategic objectives, goals, and priorities; 
Description: The strategy should, among other things, (1) include well-
defined strategic objectives, (2) provide understandable goals for the 
government and the private sector (end game), (3) articulate cyber 
priorities among the objectives, (4) provide a vision of what a secure 
cyber space should be in the future, (5) seek to integrate federal 
government capabilities, (6) establish metrics to gauge whether 
progress is being made against the strategy, and (7) provide an 
effective means for enforcing action and accountability when there are 
progress shortfalls. According to expert panel members, the CNCI 
provides a good set of tactical initiatives focused on improving 
primarily federal cyber security; however, it does not provide 
strategic objectives, goals, and priorities for the nation as a whole. 

Cyber security improvement: 2. Establish White House responsibility and 
accountability for leading and overseeing national cyber security 
policy; 
Description: The strategy makes the Department of Homeland Security 
(DHS) the focal point for cyber security; however, according to expert 
panel members, DHS has not met expectations and has not provided the 
high-level leadership needed to raise cyber security to a national 
focus. Accordingly, panelists stated that to be successful and to send 
the message to the nation and cyber critical infrastructure owners that 
cyber security is a priority, this leadership role needs to be elevated 
to the White House. In addition, to be effective, the office must have, 
among other things, commensurate authority--for example, over budgets 
and resources--to implement and employ incentives that will encourage 
action. 

Cyber security improvement: 3. Establish a governance structure for 
strategy implementation; 
Description: The strategy establishes a public/private partnership 
governance structure that includes 18 critical infrastructure sectors, 
corresponding government and sector coordinating councils, and cross-
sector councils. However, according to panelists, this structure is 
government-centric and largely relies on personal relationships to 
instill trust to share information and take action. In addition, 
although not all sectors are of equal importance in regard to their 
cyber assets and functions, the structure treats all sectors and all 
critical cyber assets and functions equally. To ensure effective 
strategy implementation, experts stated that the partnership structure 
should include a committee of senior government representatives (for 
example, the Departments of Defense, Homeland Security, Justice, State, 
and the Treasury and the White House) and private-sector leaders 
representing the most critical cyber assets and functions. Expert panel 
members also suggested that this committee's responsibilities should 
include measuring and periodically reporting on progress in achieving 
the goals, objectives, and strategic priorities established in the 
national strategy and building consensus to hold involved parties 
accountable when there are progress shortfalls. 

Cyber security improvement: 4. Publicize and raise awareness about the 
seriousness of the cyber security problem; 
Description: Although the strategy establishes cyberspace security 
awareness as a priority, experts stated that many national leaders in 
business and government, including in Congress, who can invest 
resources to address cyber security problems are generally not aware of 
the severity of the risks to national and economic security posed by 
the inadequacy of our nation's cyber security posture and the 
associated intrusions made more likely by that posture. Expert panel 
members suggested that an aggressive awareness campaign is needed to 
raise the level of knowledge of leaders and the general populace that 
protecting our information and systems from cyber attack is ongoing. 

Cyber security improvement: 5. Create an accountable, operational cyber 
security organization; 
Description: DHS established the National Cyber Security Division 
(within the Office of Cybersecurity and Communications) to be 
responsible for leading national day-to-day cyber security efforts; 
however, according to panelists, this has not enabled DHS to become the 
national focal point as envisioned. Panel members stated that currently 
the Department of Defense and other organizations within the 
intelligence community that have significant resources and capabilities 
have come to dominate federal efforts. They told us that there also 
needs to be an independent cyber security organization that leverages 
and integrates the capabilities of the private sector, civilian 
government, law enforcement, military, intelligence community, and the 
nation's international allies to address incidents against the nation's 
critical cyber systems and functions. However, there was not a 
consensus among our expert panel members regarding where this 
organization should reside. 

Cyber security improvement: 6. Focus more actions on prioritizing 
assets and functions, assessing vulnerabilities, and reducing 
vulnerabilities than on developing additional plans; 
Description: The strategy recommends actions to identify critical cyber 
assets and functions, but panelists stated that efforts to identify 
which cyber assets and functions are most critical to the nation have 
been insufficient. According to panel members, inclusion in cyber 
critical infrastructure protection efforts and lists of critical assets 
is currently based on the willingness of the person or entity 
responsible for the asset or function to participate and not on 
substantiated technical evidence. In addition, the current strategy 
establishes vulnerability reduction as a key priority; however, 
according to panelists, efforts to identify and mitigate known 
vulnerabilities have been insufficient. They stated that greater 
efforts should be taken to identify and eliminate common 
vulnerabilities and that there are techniques available that should be 
used to assess vulnerabilities in the most critical, prioritized cyber 
assets and functions. 

Cyber security improvement: 7. Bolster public/private partnerships 
through an improved value proposition and use of incentives; 
Description: While the strategy encourages action by owners and 
operators of critical cyber assets and functions, panel members stated 
that there are not adequate economic and other incentives (i.e., a 
value proposition) for greater investment and partnering in cyber 
security. Accordingly, panelists stated that the federal government 
should provide valued services (such as offering useful threat or 
analysis and warning information) or incentives (such as grants or tax 
reductions) to encourage action by and effective partnerships with the 
private sector. They also suggested that public and private sector 
entities use means such as cost-benefit analyses to ensure the 
efficient use of limited cyber security-related resources. 

Cyber security improvement: 8. Focus greater attention on addressing 
the global aspects of cyberspace; 
Description: The strategy includes recommendations to address the 
international aspects of cyber space but, according to panelists, the 
United States is not addressing global issues impacting how cyber space 
is governed and controlled. They added that, while other nations are 
actively involved in developing treaties, establishing standards, and 
pursuing international agreements (such as on privacy), the United 
States is not aggressively working in a coordinated manner to ensure 
that international agreements are consistent with U.S. practice and 
that they address cyber security and cyber crime considerations. Panel 
members stated that the United States should pursue a more coordinated, 
aggressive approach so that there is a level playing field globally for 
U.S. corporations and enhanced cooperation among government agencies, 
including law enforcement. In addition, a panelist stated that the 
United States should work towards building consensus on a global cyber 
strategy. 

Cyber security improvement: 9. Improve law enforcement efforts to 
address malicious activities in cyberspace; 
Description: The strategy calls for improving investigative 
coordination domestically and internationally and promoting a common 
agreement among nations on addressing cyber crime. According to one 
panelist, some improvements in domestic law have been made (e.g., 
enactment of the PROTECT Our Children Act of 2008), but implementation 
of this act is a work-in-process due to its recent passage. Panel 
members also stated that current domestic and international law 
enforcement efforts, including activities, procedures, methods, and 
laws, are too outdated and outmoded to adequately address the speed, 
sophistication, and techniques of individuals and groups, such as 
criminals, terrorists, and others who have malicious intent. Improved 
law enforcement is essential to more effectively catch and prosecute 
malicious individuals and groups and, with stricter penalties, deter 
malicious behavior. 

Cyber security improvement: 10. Place greater emphasis on cyber 
security research and development, including consideration of how to 
better coordinate government and private-sector efforts; 
Description: While the strategy recommends actions to develop a 
research and development agenda and coordinate efforts between the 
government and private sector, experts stated that the United States is 
not adequately focusing and funding research and development efforts to 
address cyber security or to develop the next generation of cyber space 
to include effective security capabilities. In addition, the research 
and development efforts currently under way are not being well 
coordinated between government and the private sector. 

Cyber security improvement: 11. Increase the cadre of cyber security 
professionals; 
Description: The strategy includes efforts to increase the number and 
skills of cyber security professionals but, according to panelists, the 
results have not created sufficient numbers of professionals, including 
information security specialists and cyber crime investigators. Expert 
panel members stated that actions to increase the number of 
professionals with adequate cyber security skills should include (1) 
enhancing existing scholarship programs (e.g., Scholarship for Service) 
and (2) making the cyber security discipline a profession through 
testing and licensing. 

Cyber security improvement: 12. Make the federal government a model for 
cyber security, including using its acquisition function to enhance 
cyber security aspects of products and services; 
Description: The strategy establishes securing the government's cyber 
space as a key priority and advocates using federal acquisition to 
accomplish this goal. Although the federal government has taken steps 
to improve the cyber security of agencies (e.g., beginning to implement 
the CNCI initiatives), panelists stated that it still is not a model 
for cyber security. Further, they said the federal government has not 
made changes in its acquisition function and the training of government 
officials in a manner that effectively improves the cyber security 
capabilities of products and services purchased and used by federal 
agencies. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, Charles Vrabel (Assistant 
Director); Debra Conner; Larry Crosland; Sharhonda Deloach; Neil 
Doherty; Kristi Dorsey; Rosanna Guererro; Nancy Glover; Rebecca Eyler; 
Mary Marshall; and Jayne Wilson made key contributions to this report. 

[End of section] 

Related GAO Products: 

Cybersecurity: Continued Federal Efforts Are Needed to Protect Critical 
Systems and Information. [hyperlink, 
http://www.gao.gov/products/GAO-09-835T]. Washington, D.C.: June 25, 
2009. 

Privacy and Security: Food and Drug Administration Faces Challenges in 
Establishing Protections for Its Postmarket Risk Analysis System. 
[hyperlink, http://www.gao.gov/products/GAO-09-355]. Washington, D.C.: 
June 1, 2009. 

Aviation Security: TSA Has Completed Key Activities Associated with 
Implementing Secure Flight, but Additional Actions Are Needed to 
Mitigate Risks. [hyperlink, http://www.gao.gov/products/GAO-09-292]. 
Washington, D.C.: May 13, 2009. 

Information Security: Cyber Threats and Vulnerabilities Place Federal 
Systems at Risk. [hyperlink, http://www.gao.gov/products/GAO-09-661T]. 
Washington, D.C.: May 5, 2009. 

Freedom of Information Act: DHS Has Taken Steps to Enhance Its Program, 
but Opportunities Exist to Improve Efficiency and Cost-Effectiveness. 
[hyperlink, http://www.gao.gov/products/GAO-09-260]. Washington, D.C.: 
March 20, 2009. 

Information Security: Securities and Exchange Commission Needs to 
Consistently Implement Effective Controls. [hyperlink, 
http://www.gao.gov/products/GAO-09-203]. Washington, D.C.: March 16, 
2009. 

National Cyber Security Strategy: Key Improvements Are Needed to 
Strengthen the Nation's Posture. [hyperlink, 
http://www.gao.gov/products/GAO-09-432T]. Washington, D.C.: March 10, 
2009. 

Information Security: Further Actions Needed to Address Risks to Bank 
Secrecy Act Data. [hyperlink, http://www.gao.gov/products/GAO-09-195]. 
Washington, D.C.: January 30, 2009. 

Information Security: Continued Efforts Needed to Address Significant 
Weaknesses at IRS. [hyperlink, http://www.gao.gov/products/GAO-09-136]. 
Washington, D.C.: January 9, 2009. 

Nuclear Security: Los Alamos National Laboratory Faces Challenges in 
Sustaining Physical and Cyber Security Improvements. [hyperlink, 
http://www.gao.gov/products/GAO-08-1180T]. Washington, D.C.: September 
25, 2008. 

Critical Infrastructure Protection: DHS Needs to Better Address Its 
Cyber Security Responsibilities. [hyperlink, 
http://www.gao.gov/products/GAO-08-1157T]. Washington, D.C.: September 
16, 2008. 

Critical Infrastructure Protection: DHS Needs to Fully Address Lessons 
Learned from Its First Cyber Storm Exercise. [hyperlink, 
http://www.gao.gov/products/GAO-08-825]. Washington, D.C.: September 9, 
2008. 

Information Security: Actions Needed to Better Protect Los Alamos 
National Laboratory's Unclassified Computer Network. [hyperlink, 
http://www.gao.gov/products/GAO-08-1001]. Washington, D.C.: September 
9, 2008. 

Cyber Analysis and Warning: DHS Faces Challenges in Establishing a 
Comprehensive National Capability. [hyperlink, 
http://www.gao.gov/products/GAO-08-588]. Washington, D.C.: July 31, 
2008. 

Information Security: Federal Agency Efforts to Encrypt Sensitive 
Information Are Under Way, but Work Remains. [hyperlink, 
http://www.gao.gov/products/GAO-08-525]. Washington, D.C.: June 27, 
2008. 

Information Security: FDIC Sustains Progress but Needs to Improve 
Configuration Management of Key Financial Systems. [hyperlink, 
http://www.gao.gov/products/GAO-08-564]. Washington, D.C.: May 30, 
2008. 

Information Security: TVA Needs to Address Weaknesses in Control 
Systems and Networks. [hyperlink, 
http://www.gao.gov/products/GAO-08-526]. Washington, D.C.: May 21, 
2008. 

Information Security: TVA Needs to Enhance Security of Critical 
Infrastructure Control Systems and Networks. [hyperlink, 
http://www.gao.gov/products/GAO-08-775T]. Washington, D.C.: May 21, 
2008. 

Information Security: Progress Reported, but Weaknesses at Federal 
Agencies Persist. [hyperlink, http://www.gao.gov/products/GAO-08-571T]. 
Washington, D.C.: March 12, 2008. 

Information Security: Securities and Exchange Commission Needs to 
Continue to Improve Its Program. [hyperlink, 
http://www.gao.gov/products/GAO-08-280]. Washington, D.C.: February 29, 
2008. 

Information Security: Although Progress Reported, Federal Agencies Need 
to Resolve Significant Deficiencies. [hyperlink, 
http://www.gao.gov/products/GAO-08-496T]. Washington, D.C.: February 
14, 2008. 

Information Security: Protecting Personally Identifiable Information. 
[hyperlink, http://www.gao.gov/products/GAO-08-343]. Washington, D.C.: 
January 25, 2008. 

Information Security: IRS Needs to Address Pervasive Weaknesses. 
[hyperlink, http://www.gao.gov/products/GAO-08-211]. Washington, D.C.: 
January 8, 2008. 

Veterans Affairs: Sustained Management Commitment and Oversight Are 
Essential to Completing Information Technology Realignment and 
Strengthening Information Security. [hyperlink, 
http://www.gao.gov/products/GAO-07-1264T]. Washington, D.C.: September 
26, 2007. 

Critical Infrastructure Protection: Multiple Efforts to Secure Control 
Systems Are Under Way, but Challenges Remain. [hyperlink, 
http://www.gao.gov/products/GAO-07-1036]. Washington, D.C.: September 
10, 2007. 

Information Security: Sustained Management Commitment and Oversight Are 
Vital to Resolving Long-standing Weaknesses at the Department of 
Veterans Affairs. [hyperlink, http://www.gao.gov/products/GAO-07-1019]. 
Washington, D.C.: September 7, 2007. 

Information Security: Selected Departments Need to Address Challenges 
in Implementing Statutory Requirements. [hyperlink, 
http://www.gao.gov/products/GAO-07-528]. Washington, D.C.: August 31, 
2007. 

Information Security: Despite Reported Progress, Federal Agencies Need 
to Address Persistent Weaknesses. [hyperlink, 
http://www.gao.gov/products/GAO-07-837]. Washington, D.C.: July 27, 
2007. 

Information Security: Homeland Security Needs to Immediately Address 
Significant Weaknesses in Systems Supporting the US-VISIT Program. 
[hyperlink, http://www.gao.gov/products/GAO-07-870]. Washington, D.C.: 
July 13, 2007. 

Information Security: Homeland Security Needs to Enhance Effectiveness 
of Its Program. [hyperlink, http://www.gao.gov/products/GAO-07-1003T]. 
Washington, D.C.: June 20, 2007. 

Information Security: Agencies Report Progress, but Sensitive Data 
Remain at Risk. [hyperlink, http://www.gao.gov/products/GAO-07-935T]. 
Washington, D.C.: June 7, 2007. 

Information Security: Federal Deposit Insurance Corporation Needs to 
Sustain Progress Improving Its Program. [hyperlink, 
http://www.gao.gov/products/GAO-07-351]. Washington, D.C.: May 18, 
2007. 

[End of section] 

Footnotes: 

[1] The 24 major departments and agencies (agencies) are the 
Departments of Agriculture, Commerce, Defense, Education, Energy, 
Health and Human Services, Homeland Security, Housing and Urban 
Development, the Interior, Justice, Labor, State, Transportation, the 
Treasury, and Veterans Affairs; the Environmental Protection Agency, 
General Services Administration, National Aeronautics and Space 
Administration, National Science Foundation, Nuclear Regulatory 
Commission, Office of Personnel Management, Small Business 
Administration, Social Security Administration, and U.S. Agency for 
International Development. 

[2] Most recently, GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[3] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). 

[4] GAO, Federal Information System Controls Audit Manual (FISCAM), 
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: 
February 2009). 

[5] GAO, Executive Guide: Information Security Management: Learning 
from Leading Organizations, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-98-68] (Washington, D.C.: May 
1998). 

[6] A material weakness is a significant deficiency, or combination of 
significant deficiencies, that results in more than a remote likelihood 
that a material misstatement of the financial statements will not be 
prevented or detected. A significant deficiency is a control 
deficiency, or combination of control deficiencies, that adversely 
affects the entity's ability to initiate, authorize, record, process, 
or report financial data reliably in accordance with generally accepted 
accounting principles such that there is more than a remote likelihood 
that a misstatement of the entity's financial statements that is more 
than inconsequential will not be prevented or detected. A control 
deficiency exists when the design or operation of a control does not 
allow management or employees, in the normal course of performing their 
assigned functions, to prevent or detect misstatements on a timely 
basis. 

[7] FMFIA, Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982), now 
codified at 31 U.S.C. § 3512, requires agencies to report annually to 
the President and Congress on the effectiveness of internal controls 
and any identified material weaknesses in those controls. Per OMB, for 
the purposes of FMFIA reporting, a material weakness also encompasses 
weaknesses found in program operations and compliance with applicable 
laws and regulations. Material weaknesses for FMFIA reporting are 
determined by management, whereas material weaknesses reported as part 
of a financial statement audit are determined by independent auditors. 

[8] The Reports Consolidation Act of 2000, Pub. L. No. 106-531, 114 
Stat. 2537 (Nov. 22, 2000), requires inspectors general to include in 
their agencies' performance and accountability reports a statement that 
summarizes what they consider to be the most serious management and 
performance challenges facing their agencies and briefly assesses their 
agencies' progress in addressing those challenges. 31 U.S.C. § 3516(d). 

[9] GAO, Information Security: Securities and Exchange Commission Needs 
to Consistently Implement Effective Controls, [hyperlink, 
http://www.gao.gov/products/GAO-09-203] (Washington, D.C.: Mar. 16, 
2009). 

[10] GAO, Information Security: Continued Efforts Needed to Address 
Significant Weaknesses at IRS, [hyperlink, 
http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 
2009). 

[11] GAO, Information Security: Actions Needed to Better Protect Los 
Alamos National Laboratory's Unclassified Computer Network, [hyperlink, 
http://www.gao.gov/products/GAO-08-1001] (Washington, D.C.: Sept. 9, 
2008). 

[12] GAO, Information Security: TVA Needs to Address Weaknesses in 
Control Systems and Networks, [hyperlink, 
http://www.gao.gov/products/GAO-08-526] (Washington, D.C.: May 21, 
2008) and Information Security: TVA Needs to Enhance Security of 
Critical Infrastructure Control Systems and Networks, [hyperlink, 
http://www.gao.gov/products/GAO-08-775T] (Washington, D.C.: May 21, 
2008). 

[13] GAO, Information Security: Homeland Security Needs to Immediately 
Address Significant Weaknesses in Systems Supporting the US-VISIT 
Program, [hyperlink, http://www.gao.gov/products/GAO-07-870] 
(Washington, D.C.: July 13, 2007). 

[14] GAO, Information Security: Despite Reported Progress, Federal 
Agencies Need to Address Persistent Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-07-837] (Washington, D.C.: July 27, 
2007). 

[15] Cryptography is used to secure transactions by providing ways to 
ensure data confidentiality, data integrity, authentication of the 
message's originator, electronic certification of data, and 
nonrepudiation (proof of the integrity and origin of data that can be 
verified by a third party). 

[16] See related GAO products for a list of our recent reports on 
information security. 

[17] GAO, National Cybersecurity Strategy: Key Improvements Are Needed 
to Strengthen the Nation's Posture, [hyperlink, 
http://www.gao.gov/products/GAO-09-432T] (Washington, D.C.: Mar. 10, 
2009). 

[18] The White House, Cyberspace Policy Review: Assuring a Trusted and 
Resilient Information and Communications Infrastructure (Washington, 
D.C.: May 29, 2009). 

[19] The White House, National Security Presidential Directive 54/ 
Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8, 
2008). 

[20] Statement of the Director of National Intelligence before the 
Senate Select Committee on Intelligence, Annual Threat Assessment of 
the Intelligence Community for the Senate Select Committee on 
Intelligence (Feb. 12, 2009). 

[21] Certification is a comprehensive assessment of management, 
operational, and technical security controls in an information system, 
made in support of security accreditation, to determine the extent to 
which the controls are implemented correctly, operating as intended and 
producing the desired outcome with respect to meeting the security 
requirements for the system. Accreditation is the official management 
decision to authorize operation of an information system and to 
explicitly accept the risk to agency operations based on implementation 
of controls. 

[22] OMB, Memorandum M-08-22, Guidance on the Federal Desktop Core 
Configuration (Washington, D.C.: August 2008). 

[23] [hyperlink, http://www.gao.gov/products/GAO-07-837] and GAO, 
Information Security: Progress Reported, but Weaknesses at Federal 
Agencies Persist, [hyperlink, http://www.gao.gov/products/GAO-08-571T] 
(Washington, D.C.: Mar. 12, 2008). 

[24] The President's Council on Integrity and Efficiency was 
established by executive order to address integrity, economy, and 
effectiveness issues that transcend individual government agencies and 
increase the professionalism and effectiveness of inspector general 
personnel throughout government. The Inspector General Reform Act of 
2008 combined the council with the Executive Council on Integrity and 
Efficiency to create the Council of Inspectors General on Integrity and 
Efficiency. 

[25] GAO, Information Security: Weaknesses Persist at Federal Agencies 
Despite Progress Made in Implementing Statutory Requirements, 
[hyperlink, http://www.gao.gov/products/GAO-05-552] (Washington, D.C.: 
July 15, 2005); [hyperlink, http://www.gao.gov/products/GAO-07-837]; 
and [hyperlink, http://www.gao.gov/products/GAO-08-571T]. 

[26] On March 5, 2009, the President named a Federal Chief Information 
Officer at the White House to direct the policy and strategic planning 
of federal information technology investments and be responsible for 
oversight of federal technology spending. The Federal CIO also 
establishes and oversees enterprise architecture to ensure system 
interoperability and information sharing and ensure information 
security and privacy across the federal government. 

[27] GAO, Federal Information System Controls Audit Manual, [hyperlink, 
http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 
2009). 

[28] Pub. L. No. 107-347, title III, 116 Stat. 2899, 2946 (Dec. 17, 
2002). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO's actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black and 
white. Pricing and ordering information is posted on GAO's Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: