This is the accessible text file for GAO report number GAO-10-237 
entitled 'Information Security: Concerted Effort Needed to Consolidate 
and Secure Internet Connections at Federal Agencies' which was 
released on April 12, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

March 2010: 

Information Security: 

Concerted Effort Needed to Consolidate and Secure Internet Connections 
at Federal Agencies: 

GAO-10-237: 

GAO Highlights: 

Highlights of GAO-10-237, a report to congressional requesters. 

Why GAO Did This Study: 

To reduce the threat to federal systems and operations posed by cyber 
attacks on the United States, the Office of Management and Budget 
(OMB) launched, in November 2007, the Trusted Internet Connections 
(TIC) initiative, and later, in 2008, the Department of Homeland 
Security’s (DHS) National Cybersecurity Protection System (NCPS), 
operationally known as Einstein, became mandatory for federal agencies 
as part of TIC. For each of these initiatives, GAO was asked to (1) 
identify their goals, objectives, and requirements; (2) determine the 
status of actions federal agencies have taken, or plan to take, to 
implement the initiatives; and (3) identify any benefits, challenges, 
and lessons learned. To do this, GAO reviewed plans, reports, and 
other documents at 23 major executive branch agencies, interviewed 
officials, and reviewed OMB and DHS guidance. 

What GAO Found: 

The goals of TIC are to secure federal agencies’ external network 
connections, including Internet connections, and improve the 
government’s incident response capability by reducing the number of 
agencies’ external network connections and implementing security 
controls over the connections that remain. In implementing TIC, 
agencies could either provide their own access points by becoming an 
access provider or seek service from these providers or an approved 
vendor. To achieve the initiative’s goals, agencies were required to: 

* inventory external connections, 

* establish a target number of TIC access points, 

* develop and implement plans to reduce their connections, 

* implement security capabilities (if they chose to be an access 
provider) addressing such issues as encryption and physical security, 
and; 

* demonstrate to DHS the consolidation of connections and compliance 
with the security capabilities (if they chose to be an access 
provider). 

As of September 2009, none of the 23 agencies had met all of the 
requirements of the TIC initiative. Although most agencies reported 
that they have made progress toward reducing their external 
connections and implementing critical security capabilities, most 
agencies have also experienced delays in their implementation efforts. 
For example, the 16 agencies that chose to become access providers 
reported that they had reduced their number of external connections 
from 3,286 to approximately 1,753. Further, agencies have not 
demonstrated that they have fully implemented the required security 
capabilities. Throughout their reduction efforts, agencies have 
experienced benefits, such as improved security and network 
management. However, they have been challenged in implementing TIC 
because OMB did not promptly communicate the number of access points 
for which they had been approved and DHS did not always respond to 
agency queries on security capabilities in a timely manner. Agencies’ 
experiences with implementing TIC offered OMB and DHS lessons learned, 
such as the need to define program requirements before establishing 
deadlines and the usefulness of sponsoring collaborative meetings for 
agencies’ implementation efforts. 

Einstein is intended to provide DHS with an increased awareness of 
activity, including possible security incidents, on federal networks 
by providing intrusion detection capabilities that allow DHS to 
monitor and analyze agencies’ incoming and outgoing Internet traffic. 
As of September 2009, fewer than half of the 23 agencies had executed 
the required agreements with DHS, and Einstein 2 had been deployed to 
6 agencies. Agencies that participated in Einstein 1 improved 
identification of incidents and mitigation of attacks, but DHS will 
continue to be challenged in understanding whether the initiative is 
meeting all of its objectives because it lacks performance measures 
that address how agencies respond to alerts. 

What GAO Recommends: 

GAO is making recommendations to OMB to promptly communicate the 
number of approved connections for agencies, and to DHS aimed at 
improving communication and performance measures. OMB concurred with 
GAO’s findings, conclusions, and recommendations. DHS concurred with 
GAO’s recommendations and also provided technical comments. 

View [hyperlink, http://www.gao.gov/products/GAO-10-237] or key 
components. For more information, contact Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Agencies Have Made Progress toward Consolidating and Reducing 
Connections, but Inconsistent Communication from OMB and DHS Has Led 
to Challenges: 

DHS Has Deployed Einstein to Six Agencies, but Faces Challenges with 
Meeting Program Goals: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Reported Status of Consolidation by 19 Agencies: 

Table 2: Number of Critical Security Capabilities Reported as 
Implemented by Access Provider Agencies: 

Figures: 

Figure 1: Interaction of TIC and Einstein: 

Figure 2: Comparison of Reported Consolidation by 16 Access Provider 
Agencies: 

Abbreviations: 

DHS: Department of Homeland Security: 

GSA: General Services Administration: 

NCPS: National Cybersecurity Protection System: 

OMB: Office of Management and Budget: 

TIC: Trusted Internet Connections: 

US-CERT: United States Computer Emergency Readiness Team: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

March 12, 2010: 

The Honorable Joseph I. Lieberman: Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Thomas R. Carper: 
Chairman: 
Subcommittee on Federal Financial Management, Government Information, 
Federal Services, and International Security: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

Pervasive and sustained cyber attacks against the United States 
continue to pose a potentially devastating impact on federal systems 
and operations. The need for a vigilant approach to information 
security is demonstrated by a dramatic increase in reports of security 
incidents, the wide availability of hacking tools, and steady advances 
in the sophistication and effectiveness of attack technology. As 
recently as July 2009, press accounts reported that a widespread and 
coordinated attack over the course of several days targeted Web sites 
operated by major government agencies, including the Departments of 
Homeland Security and Defense, the Federal Aviation Administration, 
and the Federal Trade Commission, causing disruptions to the public 
availability of government information. In addition, the Director of 
National Intelligence testified in February 2009 that foreign nations 
and criminals had targeted government and private-sector networks to 
gain a competitive advantage or potentially disrupt or destroy them, 
and that terrorist groups had expressed a desire to use cyber attacks 
as a means to target the United States.[Footnote 1] Such attacks and 
threats highlight the importance of developing a concerted response to 
safeguard federal information systems. 

To improve the effectiveness of information security across the 
federal government, in November 2007, the Office of Management and 
Budget (OMB) announced the Trusted Internet Connections (TIC) 
initiative, and in 2003 the Department of Homeland Security (DHS) 
established the Einstein program, recently incorporated into the 
National Cybersecurity Protection System (NCPS). TIC is intended to 
improve security by reducing and consolidating external network 
connections and by providing centralized monitoring at a select group 
of access providers, while Einstein is an intrusion detection system 
that provides an automated process for DHS to analyze computer network 
traffic information from agencies. In January 2008, these programs 
were incorporated into the Comprehensive National Cybersecurity 
Initiative.[Footnote 2] 

At your request, we evaluated key elements of the implementation of 
TIC and Einstein at federal agencies. For each of these initiatives, 
we (1) identified the goals, objectives, and requirements for the 
initiatives; (2) determined the status of the actions federal agencies 
have taken, or plan to take, to implement the initiatives; and (3) 
identified the benefits, challenges, and lessons learned in 
implementing the initiatives. 

To accomplish our objectives, we examined OMB memorandums and DHS 
guidance in order to identify program requirements, which we confirmed 
through interviews with OMB and DHS officials. We obtained and 
analyzed plans, status reports, and other documents and interviewed 
officials from 23 of the 24 federal agencies listed in the Chief 
Financial Officers Act.[Footnote 3] The Department of Defense was not 
included in our review because it was not required to implement TIC or 
Einstein. The initiatives include additional agencies which were not 
included in our review. 

We conducted this performance audit between December 2008 and March 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. Further 
details of our objectives, scope, and methodology are included in 
appendix I. 

Background: 

As computer technology has advanced, federal agencies have become 
dependent on computerized information systems to carry out their 
operations and to process, maintain, and report essential information. 
Virtually all federal operations are supported by computer systems and 
electronic data, and agencies would find it difficult, if not 
impossible, to carry out their missions, deliver services to the 
public, and account for their resources without these cyber assets. 
Information security is thus especially important for federal agencies 
to ensure the confidentiality, integrity, and availability of their 
systems and data. Conversely, ineffective information security 
controls can result in significant risk to a broad array of government 
operations and assets, as the following examples illustrate: 

* Computer resources could be used for unauthorized purposes or to 
launch attacks on other computer systems. 

* Sensitive information, such as personally identifiable information, 
intellectual property, and proprietary business information could be 
inappropriately disclosed, browsed, or copied for purposes of identity 
theft, espionage, or other types of crime. 

* Critical operations, such as those supporting critical 
infrastructure, national defense, and emergency services, could be 
disrupted. 

* Data could be added, modified, or deleted for purposes of fraud, 
subterfuge, or disruption. 

Due to the growing cyber-based threats to federal systems and critical 
infrastructure, the persistent nature of information security 
vulnerabilities, and the associated risks, we continue to designate 
information security as a governmentwide high-risk issue in our most 
recent biennial report to Congress,[Footnote 4] a designation we have 
made in each report since 1997. In July 2009, we reported[Footnote 5] 
that almost all 24 major federal agencies had weaknesses in 
information security controls and that an underlying reason for these 
weaknesses is that agencies have not fully implemented their 
information security programs as required under the Federal 
Information Security Management Act.[Footnote 6] As a result, federal 
systems and sensitive information are at increased risk of 
unauthorized access and disclosure, modification, or destruction, as 
well as inadvertent or deliberate disruption of system operations and 
services. 

We have previously reported that federal agencies have experienced 
security breaches in their networks, potentially allowing sensitive 
information to be compromised, and systems, operations, and services 
to be disrupted. These examples illustrate that a broad array of 
federal information and critical infrastructures are at risk:[Footnote 
7] 

* The Department of State experienced a breach on its unclassified 
network, which daily processes about 750,000 e-mails and instant 
messages from more than 40,000 employees and contractors at 100 
domestic and 260 overseas locations. 

* The Nuclear Regulatory Commission confirmed that in January 2003, 
the Microsoft SQL Server worm known as "Slammer" infected a private 
computer network at the idled Davis-Besse nuclear power plant in Oak 
Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. 

* Officials at the Department of Commerce's Bureau of Industry and 
Security discovered a security breach in July 2006. In investigating 
this incident, officials were able to review firewall logs for an 8- 
month period prior to the initial detection of the incident, but were 
unable to clearly define the amount of time that perpetrators were 
inside its computers, or find any evidence to show that data was lost 
as a result. 

Because the threats have persisted and grown, in January 2008 the 
President issued National Security Presidential Directive 54/Homeland 
Security Presidential Directive 23, establishing the Comprehensive 
National Cybersecurity Initiative,[Footnote 8] a set of projects with 
the objective of safeguarding federal executive branch government 
information systems by reducing potential vulnerabilities, protecting 
against intrusion attempts, and anticipating future threats against 
the federal government's networks. Under the initiative, DHS is to 
lead several projects to better secure civilian federal government 
networks, while other agencies, including OMB, the Department of 
Defense, the Office of the Director of National Intelligence, and 
other agencies have key roles in other projects, including monitoring 
military systems and classified networks, overseeing intelligence 
community systems and networks, and spearheading advanced technology 
research and development. The initiative's 12 projects can be grouped 
into three focus areas: 

* Establishing front lines of defense. This focus area includes 
initiatives intended to protect the perimeter of federal networks, 
such as consolidating connections and deploying intrusion detection 
and prevention systems. 

* Defend against full spectrum of threats. This focus area includes 
activities intended to protect national security and intelligence- 
related information and systems across the federal government. 

* Shape the future environment. The initiatives in this area are 
focused on expansion of cybersecurity education and research and 
development efforts for future technologies and cybersecurity 
strategies. 

Two primary initiatives under the establishing front lines of defense 
focus area are TIC and Einstein. 

Trusted Internet Connections: 

In November 2007, OMB announced the TIC initiative.[Footnote 9] 
Directed by OMB with assistance from DHS, this effort is intended to 
improve the federal government's security posture and incident 
response capability by reducing and consolidating external network 
connections, including Internet connections, currently in use by the 
government, and by centrally monitoring the traffic passing through 
these connections for potentially malicious activity. All federal 
agencies in the executive branch, except for the Department of 
Defense, are required to implement the initiative. Although the 
initiative is intended to secure connections to the Internet, other 
external connections to potentially unsecured systems must also be 
routed through an approved TIC access point,[Footnote 10] even if they 
do not pass through the Internet.[Footnote 11] 

Agencies may implement TIC by serving as their own access provider or 
by obtaining services from another source. Agencies may choose one of 
four service options: 

* Single service: The agency provides services to its own bureaus and 
components only. 

* Multi-service: The agency provides services to its own bureaus and 
components as well as to other agencies. 

* Seeking service: The agency obtains services from a multi-service 
agency or through the Networx program. This program, managed by the 
General Services Administration (GSA), provides an acquisition vehicle 
for agencies to procure telecommunication, network, wireless, and 
information technology security services, including TIC services, from 
among multiple vendors. 

* Hybrid: The agency both provides services to its own bureaus and 
components and obtains additional services from a Networx provider. 

Of the 23 agencies in our review, 16 have chosen to be a TIC access 
provider: specifically, 12 have chosen the single service option, 1 
chose the multi-service option, and 3 have chosen the hybrid approach. 
The remaining seven agencies have chosen to seek service from another 
access provider.[Footnote 12] 

Einstein: 

NCPS, operationally known as Einstein,[Footnote 13] was created in 
2003 by the United States Computer Emergency Readiness Team (US-CERT) 
[Footnote 14] in order to aid in its ability to help reduce and 
prevent computer network vulnerabilities across the federal 
government. The initial version of Einstein provided an automated 
process for collecting, correlating, and analyzing agencies' computer 
network traffic information from sensors installed at their Internet 
connections. The Einstein sensors collected network flow records 
[Footnote 15] at participating agencies, which were then analyzed by 
US-CERT to detect certain types of malicious activity. It then 
coordinated with the appropriate agencies to mitigate those threats 
and vulnerabilities. US-CERT also used the information from the 
sensors to create analyses of cross-governmental trends, offering 
departments and agencies an aggregate picture of external threats 
against the federal government's networks. Participation in the 
program was initially voluntary for federal agencies. 

In 2008, DHS developed the current iteration of Einstein--Einstein 2-- 
which incorporated network intrusion detection technology into the 
capabilities of the initial version of the system. Einstein 2 monitors 
for specific predefined signatures[Footnote 16] of known malicious 
activity at federal agency Internet connections and alerts US-CERT 
when specific malicious network activity matching the predetermined 
signatures is detected. According to US-CERT, the signatures are not 
typically included in commercially available databases of known attack 
signatures, but are developed by US-CERT to look for specific 
malicious activity based on previous analysis. In addition, 
participation in Einstein became mandatory as part of the TIC 
initiative. 

Currently being piloted by DHS, Einstein 3 is intended to be an 
intrusion prevention system that is to automatically detect and 
respond appropriately to cyber threats before harm is done. Using 
signatures developed from critical information about foreign cyber 
threats as determined by the National Security Agency, the system is 
to draw on commercial technology and specialized government technology 
to conduct real-time full packet inspection and threat-based decision 
making on traffic entering or leaving federal agency networks. It is 
also intended to support enhanced information sharing by US-CERT with 
federal agencies by giving DHS the ability to provide agencies with 
automated alerts of detected network intrusion attempts. 

Ultimately, TIC and Einstein are intended to work together to build 
successive layers of defense mechanisms in the federal government's 
information technology infrastructures. When Einstein is deployed at a 
TIC location, it monitors inbound and outbound network traffic. Once 
TIC is fully implemented across the federal government, all traffic 
passing between the federal civilian networks and the Internet is to 
be monitored for malicious activity by US-CERT using Einstein and its 
supporting processes. Figure 1 illustrates how TIC portals interact 
with the Einstein sensors and the Internet. 

Figure 1: Interaction of TIC and Einstein: 

[Refer to PDF for image: illustration] 

Single service provider: 
Agency A network: 
* Agency A TIC; 
- Einstein; 
* Agency A TIC; 
- Einstein; 
Connected to Internet. 

Multi-service provider: 
Agency B network: 
* Agency B TIC; 
- Einstein; 
* Agency B TIC; 
- Einstein; 
Connected to Internet. 

Seeking service: 
Agency C network: connects through Agency B TIC; 
Agency G network: connects through Networx vendor; 
Agency G network: connects through Networx vendor; 
Agency G network: connects through Networx vendor. 

Networx vendor: 
* Networx vendor TIC; 
- Einstein; 
* Networx vendor TIC; 
- Einstein; 
Connected to Internet. 

Hybrid approach: 
Agency G network: 
* Agency G TIC; 
- Einstein; 
* Agency G TIC; 
- Einstein; 
Connected to Internet. 

Source: GAO analysis based on DHS data. 

[End of figure] 

Agencies Have Made Progress toward Consolidating and Reducing 
Connections, but Inconsistent Communication from OMB and DHS Has Led 
to Challenges: 

OMB and DHS established requirements to meet the initiative's goals of 
securing agencies' external connections and improving the government's 
incident response capability. However, as of September 2009, none of 
the 23 agencies had met all of the requirements. Throughout their 
efforts, agencies have experienced benefits and challenges as well as 
learned lessons. 

TIC Aims to Improve the Security of Federal Connections to the 
Internet: 

The primary goals of the TIC initiative are (1) to secure federal 
agency external connections using a common set of security controls 
and (2) to improve the federal government's incident response 
capability. To achieve these goals, the initiative has the following 
objectives: 

* reduce and consolidate external connections,[Footnote 17] including 
connections to the Internet, across the federal government; 

* define and maintain baseline security capabilities for TIC access 
providers; and: 

* establish a compliance program to monitor agency adherence to TIC 
policy. 

Agencies Were Required to Develop and Implement Plans to Consolidate 
and Secure External Connections: 

To achieve these objectives, agencies were required to: 

* Inventory agency external connections. Agencies were required to 
provide their connection inventories to DHS by January 8, 2008. 

* Identify and justify target number of external access points. Each 
agency was to submit their target number to DHS by April 15, 2008. 
They were also required to provide a justification indicating why the 
requested number of external access points was necessary to support 
their missions. 

* Develop and implement plans to consolidate external connections. OMB 
required agencies to develop and submit initial plans for 
consolidating their external connections to DHS by January 8, 2008. In 
addition, agencies were required to update their plans in April 2008. 
Access provider agencies were required to provide updated plans to DHS 
in October 2008, and all agencies were required to provide updated 
plans to DHS in September 2009. 

When it announced the initiative in November 2007, OMB required that 
agencies' initial plans have a target completion date of June 2008 for 
reducing and consolidating their external connections. OMB later 
revised its target deadline for implementation of TIC across the 
federal government to December 2009. 

* Implement security capabilities. To ensure that each TIC access 
point would be secure, OMB required[Footnote 18] agencies that planned 
to be an access provider to evaluate their ability to meet 74 security 
capabilities and to report this information to DHS by April 2008. The 
74 security capabilities include technical capabilities, such as 
encryption of Internet traffic and the use of firewalls; capabilities 
related to availability, such as the presence of an uninterrupted 
power source; physical access controls; and capabilities that describe 
how an access provider maintains an acceptable level of service. Of 
the 74 capabilities, 51 are designated as critical, 14 are designated 
as important, and 9 are categorized as desired. Of the 51 critical 
capabilities, 40 are required for both single service and multi-
service access providers. The 11 capabilities required only for multi-
service access providers address the interaction with external 
customers, such as service level agreements, communication, and 
reporting. 

OMB provided a template for agencies to report whether they currently 
met each of the capabilities and to indicate their plans for 
addressing any critical capabilities they did not meet. Once agencies 
determined whether to be an access provider or to seek service from 
another provider, they were required to do one of the following: 

- Access provider agencies were required to develop plans for 
implementing any of the critical TIC capabilities that they did not 
yet have in place. They were required to report on their progress 
toward implementing the critical capabilities to DHS in October 2008 
and September 2009. 

- Agencies that are seeking service from other access providers were 
not required to implement the critical capabilities; however, they 
were required to acquire TIC services from a multi-service access 
provider or a commercial vendor that had met the security capabilities 
through the Networx contract. 

* Demonstrate consolidation of connections and implementation of TIC 
security capabilities. Access provider agencies, along with Networx 
vendors that offer TIC services, are required to undergo a TIC 
Compliance Validation review, in which DHS assesses the degree to 
which the access provider meets the critical security capabilities and 
has consolidated its connections to approved TIC access points. If any 
capabilities are not fully implemented or if further consolidation is 
required, the access provider is granted Initial Operating Capability 
status and is required to develop plans to address the shortcomings 
and to submit the plans to DHS. All access providers are required to 
be re-assessed periodically to ensure the capabilities are still being 
met. All access provider agencies were required to schedule the on-
site review with DHS by September 25, 2009. 

Agencies Have Not Fully Implemented All Requirements of TIC and 
Progress Has Been Slower Than Planned: 

None of the 23 agencies has met all of the requirements of the TIC 
initiative, and most agencies have experienced delays in their plans 
for reducing and consolidating connections. However, most agencies 
reported that they have made progress toward reducing and 
consolidating their external connections and implementing security 
capabilities. In addition, several access provider agencies have made 
more progress toward implementing the capabilities than others. The 
following describes the status of each requirement. 

All Agencies Submitted Connection Inventories: 

The 23 agencies in our review reported that they initially identified 
a total of 3,482 external connections. According to DHS, each agency 
submitted the required inventories, although four submitted the 
inventories after the January 2008 deadline. Two agencies told us that 
they discovered additional connections after submitting the initial 
inventory. 

Access Provider Agencies Requested 73 TIC Access Points, but OMB 
Approved 32: 

In April 2008, the 16 access provider agencies requested a total of 73 
TIC access points. There were a variety of factors that influenced how 
agencies decided how many access points to request. For example, 
multiple agencies told us that they chose the number and location of 
their access points based on the location of existing data centers. 
Agencies also considered the need for redundant connections, 
geographic separation between connection sites, the business needs of 
the agency, and cost factors. 

In response to these requests, OMB approved 2 external access points 
for each access provider agency, a total of 32 TIC access points for 
the 16 agencies in our review.[Footnote 19] OMB and DHS established a 
process for these agencies to request additional access points. As of 
October 2009, one agency had submitted a request to DHS, and seven 
other agencies indicated that they had plans to do so. 

Progress toward Consolidating Connections Has Been Mixed and Slower 
than Projected: 

Progress reported by individual agencies toward meeting their targeted 
numbers of connections or access points has been mixed, and the 
reported overall progress toward consolidation has been slower than 
expected.[Footnote 20] In submitting their plans, which were due to 
DHS in October 2008 and September 2009, three agencies reported that 
they were at their target number of access points and had no further 
plans to consolidate connections; in addition, one agency did not 
report the status of its consolidation efforts. Of the remaining 19 
agencies, as of September 25, 2009, 6 reported that they had 
consolidated at least 60 percent of their connections and 9 reported 
that they had consolidated fewer than 20 percent of their connections. 
Table 1 shows the consolidation status reported by these 19 agencies 
as of September 25, 2009.[Footnote 21] 

Table 1: Reported Status of Consolidation by 19 Agencies: 

Agency type: Access provider; 
Reported Status of Consolidation: Less than 20%[A]: 6; 
Reported Status of Consolidation: 20% to 39%: 1; 
Reported Status of Consolidation: 40% to 59%: 1; 
Reported Status of Consolidation: 60% to 79%: 6; 
Reported Status of Consolidation: 80% to 100%: 0. 

Agency type: Seeking service; 
Reported Status of Consolidation: Less than 20%[A]: 3; 
Reported Status of Consolidation: 20% to 39%: 1; 
Reported Status of Consolidation: 40% to 59%: 1; 
Reported Status of Consolidation: 60% to 79%: 0; 
Reported Status of Consolidation: 80% to 100%: 0. 

Agency type: Total; 
Reported Status of Consolidation: Less than 20%[A]: 9; 
Reported Status of Consolidation: 20% to 39%: 2; 
Reported Status of Consolidation: 40% to 59%: 2; 
Reported Status of Consolidation: 60% to 79%: 6; 
Reported Status of Consolidation: 80% to 100%: 0. 

Source: GAO analysis of agency data. 

[A] One access provider agency reported that it was less than 20 
percent consolidated on September 25, 2009, but that it expected to 
consolidate to its target of two connections by September 30, 2009. 

[End of table] 

Overall, the reported progress toward consolidating connections was 
slower than projected, and agencies delayed their future plans for 
consolidation. In October 2008, the 16 access provider agencies, which 
were authorized a total of 32 TIC access points by OMB, projected in 
their plans of action and milestones that they would consolidate from 
their initial reported total of 3,286 external connections to a 
maximum of 1,528 connections by September 2009. However, in their 
September 2009 plans of action and milestones, these agencies reported 
that they had consolidated to a maximum of 1,753 connections--225 more 
than they had planned. In addition, agencies projected in their 
October 2008 plans that they would have consolidated to a maximum of 
764 external connections by OMB's revised deadline of December 31, 
2009. However, in September 2009 they anticipated that they would 
still have a maximum of 1,374 connections by that date--610 more than 
originally planned--and had significantly revised their projections 
for consolidation through November 2010. As agencies continue to 
consolidate their connections, their future projections for 
consolidation are likely to be revised further. Figure 2 indicates the 
estimated overall progress that access provider agencies reported 
toward reducing connections as of October 2008 and September 2009, 
their planned future consolidation, and how both their plans and 
reported progress have changed between October 2008 and September 
2009.[Footnote 22] 

Figure 2: Comparison of Reported Consolidation by 16 Access Provider 
Agencies: 

[Refer to PDF for image: multiple line graph] 

Number of connections: 

Date: 1/31/2008; 
October 2008 reported schedule: 3,215; 
September 2009 reported actual consolidation: 3,215. 

Date: 2/29/2008; 
October 2008 reported schedule: 3,178; 
September 2009 reported actual consolidation: 3,180. 

Date: 3/31/2008; 
October 2008 reported schedule: 3,144; 
September 2009 reported actual consolidation: 3,146. 

Date: 4/30/2008; 
October 2008 reported schedule: 3,103; 
September 2009 reported actual consolidation: 3,146. 

Date: 5/31/2008; 
October 2008 reported schedule: 3,103; 
September 2009 reported actual consolidation: 3,146. 

Date: 6/30/2008; 
October 2008 reported schedule: 3,078; 
September 2009 reported actual consolidation: 3,140. 

Date: 7/31/2008; 
October 2008 reported schedule: 3,007; 
September 2009 reported actual consolidation: 3,105. 

Date: 8/31/2008; 
October 2008 reported schedule: 3,007; 
September 2009 reported actual consolidation: 3,105. 

Date: 9/30/2008; 
October 2008 reported schedule: 3,003; 
September 2009 reported actual consolidation: 3,105. 

Date: 10/31/2008; 
October 2008 reported schedule: 3,003; 
September 2009 reported actual consolidation: 3,105. 

Date: 11/30/2008; 
October 2008 reported schedule: 3,003; 
September 2009 reported actual consolidation: 3,105. 

Date: 12/31/2008; 
October 2008 reported schedule: 2,621; 
September 2009 reported actual consolidation: 2,748. 

Date: 1/31/2009; 
October 2008 reported schedule: 2,575; 
September 2009 reported actual consolidation: 2,748. 

Date: 2/28/2009; 
October 2008 reported schedule: 2,534; 
September 2009 reported actual consolidation: 2,746. 

Date: 3/31/2009; 
October 2008 reported schedule: 2,312; 
September 2009 reported actual consolidation: 2,544. 

Date: 4/30/2009; 
October 2008 reported schedule: 1,996; 
September 2009 reported actual consolidation: 2,272. 

Date: 5/31/2009; 
October 2008 reported schedule: 1,953; 
September 2009 reported actual consolidation: 2,266. 

Date: 6/30/2009; 
October 2008 reported schedule: 1,604; 
September 2009 reported actual consolidation: 1,872. 

Date: 7/31/2009; 
October 2008 reported schedule: 1,604; 
September 2009 reported actual consolidation: 1,872. 

Date: 8/31/2009; 
October 2008 reported schedule: 1,594; 
September 2009 reported actual consolidation: 1,865. 

Date: 9/30/2009; 
October 2008 reported schedule: 1,528; 
September 2009 reported actual consolidation: 1,753. 

Date: 10/31/2009; 
October 2008 reported schedule: 1,254; 
September 2009 projected schedule: 1,717. 

Date: 11/30/2009; 
October 2008 reported schedule: 1,248; 
September 2009 projected schedule: 1,710. 

Date: 12/31/2009; 
October 2008 reported schedule: 764; 
September 2009 projected schedule: 1,374. 

Date: 1/31/2010; 
October 2008 reported schedule: 748; 
September 2009 projected schedule: 1,310. 

Date: 2/28/2010; 
October 2008 reported schedule: 744; 
September 2009 projected schedule: 1,286. 

Date: 3/31/2010; 
October 2008 reported schedule: 744; 
September 2009 projected schedule: 1,284. 

Date: 4/30/2010; 
October 2008 reported schedule: 744; 
September 2009 projected schedule: 1,196. 

Date: 5/31/2010; 
October 2008 reported schedule: 744; 
September 2009 projected schedule: 1,196. 

Date: 6/30/2010; 
October 2008 reported schedule: 706; 
September 2009 projected schedule: 1,172. 

Date: 7/31/2010; 
October 2008 reported schedule: 706; 
September 2009 projected schedule: 1,138. 

Date: 8/31/2010; 
October 2008 reported schedule: 706; 
September 2009 projected schedule: 1,116. 

Date: 9/30/2010v
October 2008 reported schedule: 585; 
September 2009 projected schedule: 1,059. 

Date: 10/31/2010; 
October 2008 reported schedule: 585; 
September 2009 projected schedule: 1,026. 

Date: 11/30/2010; 
October 2008 reported schedule: 585; 
September 2009 projected schedule: 1,026. 

Date: 12/31/2010; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 1/31/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 2/28/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 3/31/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 4/30/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 5/31/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 6/30/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 7/31/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 8/31/2011; 
October 2008 reported schedule: 550; 
September 2009 projected schedule: 700. 

Date: 9/30/2011; 
October 2008 reported schedule: 435; 
September 2009 projected schedule: 645. 

Date: 10/31/2011; 
October 2008 reported schedule: 435; 
September 2009 projected schedule: 627. 

Date: 11/30/2011; 
October 2008 reported schedule: 435v
September 2009 projected schedule: 627. 

Date: 12/31/2011; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 505. 

Date: 1/31/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 505. 

Date: 2/29/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 505. 

Date: 3/31/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 505. 

Date: 4/30/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 505. 

Date: 5/31/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 505. 

Date: 6/30/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 505. 

Date: 7/31/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 487. 

Date: 8/31/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 487. 

Date: 9/30/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 487. 

Date: 10/31/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 487. 

Date: 11/30/2012; 
October 2008 reported schedule: 337; 
September 2009 projected schedule: 487. 

Date: 12/31/2012; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 389. 

Date: 1/31/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 389. 

Date: 2/28/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 389. 

Date: 3/31/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 371. 

Date: 4/30/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 371. 

Date: 5/31/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 371. 

Date: 6/30/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 371. 

Date: 7/31/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 371. 

Date: 8/31/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 371. 

Date: 9/30/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 371. 

Date: 10/31/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 353. 

Date: 11/30/2013; 
October 2008 reported schedule: 238; 
September 2009 projected schedule: 353. 

Date: 12/31/2013; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 1/31/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 2/28/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 3/31/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 4/30/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 5/31/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 6/30/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 7/31/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 8/31/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 9/30/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 10/31/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 11/30/2014; 
October 2008 reported schedule: 140; 
September 2009 projected schedule: 238. 

Date: 12/31/2014; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 1/31/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 2/28/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 3/31/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 4/30/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 5/31/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 6/30/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 7/31/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 8/31/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 9/30/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 10/31/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 11/30/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 238. 

Date: 12/31/2015; 
October 2008 reported schedule: 46; 
September 2009 projected schedule: 140. 

Source: GAO estimate based on agency reported data. 

Note: In this figure, both of the reported schedules begin at 3,215 
connections because one agency reported that it had consolidated 71 
connections by January 2008. In addition, at the time of our review, 
one access provider agency had not submitted its September 2009 
progress report to DHS. As a result, the September 2009 projections 
for this agency were based on an earlier progress report that may not 
represent the agency's current status or plans. 

[End of figure] 

Few Agencies Have Reported Implementing All Required Security 
Capabilities: 

As of September 2009, only 3 of the 16 access provider agencies have 
reported implementing all 40 required critical security 
capabilities.[Footnote 23] The other 13 agencies have implemented most 
of the capabilities, but their progress in addressing the remaining 
capabilities has varied. For example, of those agencies that had not 
implemented all of the critical capabilities, six reported meeting no 
additional capabilities between April 2008 and September 2009. Table 2 
describes access provider agencies' reported progress toward 
implementing the capabilities. 

Table 2: Number of Critical Security Capabilities Reported as 
Implemented by Access Provider Agencies: 

Agency: A; 
Capabilities reported as implemented in April 2008: 27; 
Capabilities reported as implemented in September 2009: 27; 
Change between April 2008 and September 2009: 0. 

Agency: B; 
Capabilities reported as implemented in April 2008: 32; 
Capabilities reported as implemented in September 2009: 32; 
Change between April 2008 and September 2009: 0. 

Agency: C; 
Capabilities reported as implemented in April 2008: 33; 
Capabilities reported as implemented in September 2009: 34; 
Change between April 2008 and September 2009: 1. 

Agency: D; 
Capabilities reported as implemented in April 2008: 33; 
Capabilities reported as implemented in September 2009: 35; 
Change between April 2008 and September 2009: 2. 

Agency: E; 
Capabilities reported as implemented in April 2008: 33; 
Capabilities reported as implemented in September 2009: 36; 
Change between April 2008 and September 2009: 3. 

Agency: F; 
Capabilities reported as implemented in April 2008: 34; 
Capabilities reported as implemented in September 2009: 38; 
Change between April 2008 and September 2009: 4. 

Agency: G; 
Capabilities reported as implemented in April 2008: 35; 
Capabilities reported as implemented in September 2009: 37; 
Change between April 2008 and September 2009: 2. 

Agency: H; 
Capabilities reported as implemented in April 2008: 37; 
Capabilities reported as implemented in September 2009: 37[A]; 
Change between April 2008 and September 2009: 0. 

Agency: I; 
Capabilities reported as implemented in April 2008: 37; 
Capabilities reported as implemented in September 2009: 38; 
Change between April 2008 and September 2009: 1. 

Agency: J; 
Capabilities reported as implemented in April 2008: 37; 
Capabilities reported as implemented in September 2009: 39; 
Change between April 2008 and September 2009: 2. 

Agency: K; 
Capabilities reported as implemented in April 2008: 38; 
Capabilities reported as implemented in September 2009: 38; 
Change between April 2008 and September 2009: 0. 

Agency: L; 
Capabilities reported as implemented in April 2008: 38; 
Capabilities reported as implemented in September 2009: 38; 
Change between April 2008 and September 2009: 0. 

Agency: M; 
Capabilities reported as implemented in April 2008: 38; 
Capabilities reported as implemented in September 2009: 40; 
Change between April 2008 and September 2009: 2. 

Agency: N; 
Capabilities reported as implemented in April 2008: 39; 
Capabilities reported as implemented in September 2009: 39; 
Change between April 2008 and September 2009: 0. 

Agency: O; 
Capabilities reported as implemented in April 2008: 40; 
Capabilities reported as implemented in September 2009: 40; 
Change between April 2008 and September 2009: N/A. 

Agency: P; 
Capabilities reported as implemented in April 2008: 40; 
Capabilities reported as implemented in September 2009: 40; 
Change between April 2008 and September 2009: N/A. 

Source: GAO analysis of agency-provided data. 

[A] At the time of our review, agency H had not submitted its 
September 2009 plan to DHS. This reported number is from an earlier 
plan that the agency provided to us. 

[End of table] 

Examples of the capabilities that agencies most frequently reported 
not having implemented included having secure facilities in place to 
handle classified information, being able to filter specific types of 
Internet traffic, and participating in the Einstein program. 

Between October 2008 and September 2009, agencies delayed their plans 
for implementing the critical security capabilities. Of the 13 access 
provider agencies that had not implemented all of the required 
capabilities as of September 2009, 6 agencies delayed their expected 
planned dates for implementing the remaining critical capabilities 
between approximately 10 months and 3 years. As of September 2009, 
nine of these agencies were reporting that they expected to complete 
implementation of the remaining critical security capabilities between 
September 2009 and December 2010, one expected to complete its efforts 
in December 2013, and three did not project a date by which they 
expected to complete implementation. 

Agencies Have Not Demonstrated Full Compliance with TIC Capabilities 
or Completed Consolidation Efforts: 

Agencies have not demonstrated full compliance with TIC capabilities. 
As of September 2009, DHS had conducted TIC Compliance Validation 
reviews at 6 of the 16 agencies in our review that are required to 
undergo a review, and the remaining 10 had been scheduled to be 
evaluated between October 2009 and May 2010.[Footnote 24] 

The results of the reviews indicated that information that agencies 
had reported was not always accurate. Specifically, although agencies 
had reported that certain capabilities were in place, the results for 
five of the six agencies that completed reviews indicated that several 
of these capabilities had not been fully implemented. For example, one 
agency's results showed that it had not fully implemented 10 critical 
capabilities, including 7 that it had previously reported as complete. 
In addition, the results for another agency showed that it had a large 
number of connections that it had not previously reported; the agency 
originally reported 119 connections, but after the review it 
identified 403 external connections. As indicated earlier, agencies 
are required to develop plans to address any shortcomings identified 
in the review and to submit their plans to DHS. 

Agencies Experienced Benefits and Lessons Learned in Implementing TIC, 
but Challenges Remain in Complying with Requirements: 

While the TIC initiative offers benefits to agencies, such as improved 
network security, agencies have been challenged in complying with the 
requirements of the initiative, in part because of shortcomings in 
communication by OMB and DHS. In addition, agencies' experiences in 
implementing TIC offers valuable lessons learned for OMB and DHS that 
may increase the likelihood of the initiative's success. 

Benefits in Improved Security and Network Management Are Anticipated: 

Although agencies are still in the process of implementing TIC, the 
initiative offers benefits to agencies. 

Improved Network Security. TIC will improve security at agencies by 
reducing the number of access points that have to be monitored. 
Several agencies indicated that consolidating connections and 
centralizing security monitoring at TIC access points should make it 
easier to monitor traffic and protect their networks from attacks. In 
addition, officials from another agency stated that the consolidation 
of external connections had made the agency's network perimeter more 
secure. 

Improved Network Management. The initiative has also helped improve 
agencies' management of their networks. Several agencies stated that 
implementing TIC by consolidating their external connections is 
beneficial because it has forced them to gain a greater awareness of 
their overall network environment. Another agency anticipated that TIC 
implementation would reduce complexity in its network, making it 
simpler to manage. 

Agencies Faced Challenges with Implementing TIC Requirements: 

Agencies continue to face challenges in implementing TIC, including 
implementing the initiative with incomplete information about the 
number of access points for which they have been approved and about 
the technical security capabilities. Further, DHS will continue to 
face challenges in knowing whether the access points are adequately 
secured. 

Implementing the initiative with incomplete information. Best 
practices for program management, established by the Project 
Management Institute in The Standard for Program Management,[Footnote 
25] state that the information that program stakeholders need should 
be made available in a timely manner throughout the life cycle of a 
program. In addition, our Internal Control Management and Evaluation 
Tool [Footnote 26] states that when communicating with other agencies, 
managers should provide timely information that is relevant to the 
requester's needs. However, in some circumstances, agencies have been 
unable to effectively plan for implementing the initiative because OMB 
did not always consistently communicate the number of TIC access 
points for which agencies had been approved in a timely manner and DHS 
did not always promptly respond to agencies' questions about the 
required security capabilities. 

OMB did not consistently inform agencies about the number of TIC 
access points for which they had been approved until more than a year 
after it required agencies to submit their requested number. In a memo 
issued in September 2009,[Footnote 27] OMB announced that access 
provider agencies were each allowed two access points, 17 months after 
its April 2008 deadline for agencies to submit their requested number 
of trusted connections. However, between April 2008 and September 
2009, OMB's communication of the number of access points it had 
approved for agencies was inconsistent. Specifically, 

* Several agencies told us that OMB, or DHS rather than OMB, verbally 
told them about the number of access points for which they had been 
approved but did not provide them with written confirmation of the 
approved number. 

* One agency said that it received an e-mail from DHS, as opposed to 
OMB, stating that its top two to three locations had been approved; 
however, officials from the agency indicated that the agency was not 
informed of the exact number of approved access points. 

* A few other agencies stated that OMB never informed them of the 
number of approved access points, either verbally or in writing. 

OMB addressed these shortcomings by issuing the memo in September 
2009; however, any further inconsistencies in communication by OMB 
could cause additional challenges for agencies. In the memo, OMB also 
informed access provider agencies about the process for submitting an 
evidence-based rationale to DHS to request additional TIC access 
points. In this process, OMB is responsible for notifying agencies of 
its final decision on how many additional access points the agency is 
to be allowed. As described earlier, several agencies indicated that 
they planned to request additional access points. However, even with 
this process in place, agencies may still be uncertain about the 
number of access points for which they have been approved if prior 
inconsistencies in communication from OMB resurface. For example, 
although one agency's request for additional access points was sent to 
OMB in April 2009, as of December 2009 agency officials indicated that 
they not been told whether the agency's request had been approved. 
Without consistent and timely communication of the results of agency 
requests for additional access points by OMB, agencies that requested 
additional access points will continue to face challenges with 
implementation of TIC. 

In addition, DHS often did not promptly respond to agency questions 
about the technical aspects of securing TIC access points, further 
complicating agency implementation efforts. Although a few agencies 
that have asked DHS questions about the meaning of specific terms in 
the security capabilities or about guidance for implementation stated 
that DHS answered their questions effectively, four agencies stated 
that DHS has often been slow to respond to questions about the 
capabilities, or in some cases has not responded at all. Specifically, 
one agency noted that DHS took a year to produce answers to frequently 
asked questions that were generated in an inter-agency working group. 
Three other agencies told us that they still have not received answers 
to questions that they submitted to DHS on specific security 
capabilities such as data storage requirements, inspection of 
encrypted traffic, and participation in the Einstein program. DHS 
officials acknowledged that its communications with agencies had not 
been timely because it had limited staff at the beginning of the 
initiative. 

Without consistent and timely communication from OMB and DHS, agencies 
may not be able to effectively execute plans for consolidating their 
external connections and securing their TIC access points. 

Ensuring that critical capabilities have been implemented. DHS will be 
challenged to know whether access providers have adequately secured 
their access points because it does not directly test the capabilities 
in its compliance validation reviews. The National Institute of 
Standards and Technology state[Footnote 28]s that organizations should 
conduct assessments to determine the extent to which controls are 
implemented correctly, operating as intended, and producing the 
desired outcome with respect to meeting the security requirements for 
the system. During its reviews, DHS conducts document reviews, 
interviews, and observation of agency processes, but does not conduct 
direct testing of the capabilities to determine if they are 
effectively implemented, operating as intended, and achieving desired 
results. Even with this limited testing, five of the six reviews that 
DHS conducted showed that agencies had not fully implemented critical 
security capabilities that had previously been reported as 
implemented. However, without directly testing the capabilities, DHS 
could be unaware of additional weaknesses that its more limited 
reviews may not have identified. 

In addition, in at least three of the six reviews that it conducted at 
agencies, DHS did not evaluate all of the trusted connection 
locations. Specifically, in one agency's review, DHS evaluated only 
one of the agency's two security operations centers and one of its 
four TIC locations. According to DHS, the other center and three 
locations were not evaluated because the agency asserted that its 
other sites were identical to the ones evaluated. For another agency, 
DHS evaluated a security operations center and a telecommunications 
facility at the agency but did not examine controls at either of the 
agency's TIC access point locations. A third agency was only evaluated 
at one of its two TIC locations. DHS officials indicated that in 
designing the method for TIC compliance reviews, it was decided that 
the initial round of reviews would include only the most mature TIC 
locations and supporting network and operations centers. Without 
evaluating all agency locations in its compliance reviews, DHS cannot 
be assured that agencies have implemented critical capabilities at all 
locations. 

Defining Requirements and Effective Communication Offer Lessons 
Learned for OMB and DHS as the Initiative Moves Forward: 

Agencies' experiences in implementing TIC offer valuable lessons 
learned for OMB and DHS. 

Defining requirements clearly and early prove useful for agency 
planning. OMB and DHS did not always use sound program management 
principles when planning the TIC initiative. According to The Standard 
for Program Management, during the planning phase, program 
requirements should be developed before schedules are defined. 
However, OMB and DHS did not define certain fundamental requirements 
before establishing initial deadlines for the initiative. For example, 
DHS did not define the meaning of "external connection" until April 
2009, 17 months after the initiative was announced and 10 months after 
the initial June 2008 deadline for reducing external connections to 
authorized levels. This resulted in DHS determining during a 
compliance validation review that one agency had not reported a number 
of external connections that needed to be consolidated. DHS officials 
acknowledged that this was due to confusion over the definition of 
what constituted an external connection. In addition, the technical 
security capabilities that would be required for access providers were 
still being defined when agencies developed their required initial 
implementation plans and were not finalized until April 2008, 5 months 
after the initiative was announced. As a result, several agencies 
stated that it was difficult for them to plan for TIC implementation. 
In going forward, defining any key future requirements prior to 
establishing deadlines will be critical to the initiative's success. 

Collaborative meetings aided implementation. DHS and OMB sponsored 
several collaborative meetings during the initiative that many 
agencies found beneficial for their implementation of TIC. 
Specifically, several agencies stated that the meetings of the inter-
agency TIC technical working group were helpful. For example, one 
agency said that DHS provided updates about the initiative during the 
meetings. Another agency noted that the meetings provided additional 
specificity on aspects of the program. Several agencies also stated 
that the meetings provided a forum for agencies to discuss issues 
related to TIC with one another, allowing them to gain insight from 
other agencies. One of these agencies found the meetings to be helpful 
because it was able to provide feedback to DHS about the technical 
capabilities. Another agency noted that it had recently participated 
in conference calls with DHS that helped to address its technical 
questions related to implementing the critical capabilities. In the 
future, continuing such effective communication increases the chances 
of the initiative's success. 

Meeting business needs with a reduced number of connections is complex 
and time-consuming. As indicated earlier, the 16 access provider 
agencies in our review are reporting that they are reducing and 
consolidating from 3,286 external connections. Reducing to the 
approved total of 32 TIC access points is a complex and time-consuming 
effort for most agencies. For example, one agency indicated that 
implementing the infrastructure required to support its mission would 
require 4 years to complete. Two other agencies noted that 
implementing the initiative required them to make significant changes 
to their existing network architecture. In addition, for several 
agencies, determining how to meet their business needs within the 
technical constraints of TIC has been a complex task. For example, 
three agencies stated that they needed more than two TIC access points 
to ensure that their networks would remain operational in the event of 
a disaster. One of these agencies explained that its high performance 
and capacity requirements would not be met with only two access 
points. The complex effort required for agencies to implement the 
initiative while still meeting their business needs has led to 
significant delays in agencies' plans for implementation. As indicated 
earlier, the access provider agencies have reported that they have 
consolidated fewer connections than they originally planned and have 
significantly revised their future plans for consolidation. 
Recognizing that agencies may desire more than two access points, as 
noted earlier, OMB and DHS established a process for agencies to 
submit an evidence-based rationale for obtaining additional access 
points. 

DHS Has Deployed Einstein to Six Agencies, but Faces Challenges with 
Meeting Program Goals: 

Einstein is intended to provide DHS with an increased awareness of 
activity, including possible security incidents, on federal networks. 
As of September 2009, fewer than half of the 23 agencies had executed 
the required agreements with DHS, and Einstein 2 had been deployed to 
six agencies. Agencies that participated in Einstein 1 improved 
identification of incidents and mitigation of attacks, but DHS 
continues to face challenges with meeting the goals of the initiative. 

Einstein Is to Provide Increased Awareness of Activity on Agency 
Networks: 

The goal for Einstein is to provide US-CERT with a higher level of 
awareness of activity on federal networks. By implementing this 
initiative, DHS intended to achieve the following objectives: 

* provide an automated process for collecting, correlating, and 
analyzing computer network traffic information from participating 
federal agencies; 

* provide US-CERT with a means to observe potential malicious activity 
in computer network traffic entering and exiting participating 
agencies' computer networks; 

* increase US-CERT's situational awareness of federal agency computer 
networks through correlation of activity across the entire federal 
enterprise; and: 

* incorporate intrusion detection technology (i.e., the Einstein 
sensors and signature-monitoring capabilities) capable of alerting US- 
CERT to the presence of malicious or potentially harmful computer 
network activity in federal agencies' network traffic. 

DHS and Agencies Are Required to Take Various Actions before Einstein 
2 Can Be Deployed: 

To accomplish these objectives, for Einstein 2, agencies are required 
to meet the following two requirements:[Footnote 29] 

* Execute a memorandum of agreement with DHS. This agreement 
establishes the responsibilities of deployment and operation of the 
sensor between the participating federal agency and DHS. 

* Execute a service level agreement with DHS. This agreement defines 
the roles, responsibilities, and points of contact, as well as 
describes the services, hours of operation, and performance levels 
provided to the agency. It also requires agencies to update US-CERT 
regularly on the status of ongoing investigations related to alerts. 

Agencies were required to report on the status of these agreements to 
DHS in September 2009. 

In addition, the TIC access provider agencies are required to meet two 
additional requirements: 

* Execute an interconnection security agreement with DHS. Describes 
the interconnection between the agency and DHS and the security 
controls required and implemented to protect the confidentiality, 
integrity, and availability of the systems and data. Agencies were 
required to report on their status in completing this agreement to DHS 
in September 2009. 

* Perform a site assessment. Provides a technical description of the 
agency's network and how the network connects to the agency's Internet 
service providers. 

Vendors that intend to provide TIC services to agencies under the 
Networx contract are also required to complete a memorandum of 
agreement, an interconnection security agreement, and a site 
assessment. 

With the required agreements in place,[Footnote 30] DHS is to deploy 
Einstein sensors to access provider agencies and Networx vendors. When 
deploying the sensors, DHS is to use a site deployment checklist to 
verify that the Einstein equipment is installed and configured 
appropriately. After the sensors are operational, US-CERT is to begin 
monitoring and analyzing results. 

Einstein 2 Has Been Deployed to Six Agencies, but DHS and Agencies Did 
Not Always Complete Required Activities: 

As of September 2009, DHS had deployed Einstein 2 at six access 
provider agencies included in our review and at three Networx vendors. 
According to DHS, the sensors at five of the six agencies were 
operational as of September 2009; it had not activated the sensors at 
one agency because it was waiting for the agency to complete required 
agreements. 

Agencies that had operational sensors had completed certain required 
agreements, but not all agencies had executed all required agreements. 
All five agencies with operational sensors had executed memorandums of 
agreement and interconnection security agreements with DHS as 
required. However, three of the five agencies had not executed service 
level agreements. According to DHS officials, these agencies were 
still in the process of negotiating the agreements. However, the 
agreements define key requirements for the initiative, including how 
US-CERT is to notify agencies of potential incidents and how agencies 
are to respond to these notifications, including what information must 
be provided to US-CERT in support of investigations related to 
Einstein alerts. Without these agreements in place between agencies 
and DHS, agencies may not receive the information needed to address 
security incidents detected by Einstein, and DHS may not obtain the 
information it needs from agencies in order to fully meet the 
objective of improving situational awareness. 

DHS and the agencies also did not always complete deployment 
checklists. Although all five of the agencies had performed required 
site assessments, the site deployment checklists for two agencies had 
not been signed by officials from the agency or from DHS verifying 
that the sensors had been installed and configured appropriately. As a 
result, DHS and agency management cannot be assured that the Einstein 
equipment has been installed and configured appropriately. 

Because these sensors had only recently been deployed, we did not 
evaluate the extent to which US-CERT was collecting and analyzing data 
and reporting alerts to agencies for Einstein 2. 

Not all of the remaining 17 agencies reported their status toward 
submitting required agreements to DHS in September 2009. Only a few 
have reported completing required agreements with DHS, while several 
have not yet reported their plans for submitting agreements.[Footnote 
31] Specifically: 

* Four agencies reported that they had completed and submitted their 
memorandums of agreement to DHS, and 4 reported that they expected to 
submit them within a year; however, nine did not project a date by 
which they expected to submit them. 

* One agency reported that it had submitted its service level 
agreement to DHS, and 4 reported that they expected to submit them 
between December 2009 and September 2010; however, 12 did not project 
a date by which they expected to submit the agreement. 

* Two of the 10 remaining agencies required to execute interconnection 
security agreements[Footnote 32] reported that they had submitted them 
to DHS, and 1 reported that it expected to submit the agreement within 
the next year; however, 7 did not project a date by which they 
expected to submit the agreements. 

Although DHS required agencies to report their status toward executing 
required agreements in September 2009, it did not establish milestones 
for agencies to submit the agreements. According to The Standard for 
Program Management, the actual completion of program activities and 
milestones should be tracked against a planned timeline in order to 
ensure that the program produces its required deliverables on time. 
However, DHS had not established any milestones for agencies to submit 
these agreements. As indicated earlier, these agreements establish key 
responsibilities and controls that are necessary for successful 
operation of the sensors. Without establishing milestones for these 
agreements, DHS could face delays in deploying and activating Einstein 
sensors. 

Einstein Has Proven Beneficial to Providing Security, but DHS Faces 
Ongoing Challenges with Meeting Program Goals: 

Agencies have benefited from Einstein alerts, and their experiences 
have provided DHS with valuable lessons; however, DHS may be 
challenged in meeting program goals as the system is deployed at more 
agencies. 

Einstein Provided Security Benefits for Agencies: 

Although Einstein 2 has only been deployed at 6 agencies, the 12 
agencies that participated in Einstein 1 realized benefits in the 
following areas: 

Identifying incidents. US-CERT provided alerts to agencies from its 
analysis of the data from the Einstein 1 sensors, which contained 
information about potential cyber attacks or incidents against the 
agency's networks. Several agencies observed that the alerts from US- 
CERT were helpful or contained useful information about potential 
incidents, including information that could be used to trace potential 
incidents to specific locations on the network. For some agencies, 
Einstein identified incidents that agencies' intrusion detection 
systems had not found, increasing their ability to mitigate potential 
attacks. 

Providing cross-agency view. For Einstein 1, US-CERT provided reports 
based on a correlation of sensor data from all of the participating 
agencies. Several agencies said US-CERT's ability to aggregate 
Einstein data from multiple agencies was beneficial for identifying 
potential attacks against government networks. 

Using sensor data. In addition to receiving alerts generated by US- 
CERT's analysis, agencies had the ability to access the sensor data 
directly via a Web portal. Several agencies indicated that they used 
this data to look for potential incidents on their own. 

DHS Faces Challenges with Meeting Einstein Goals and Providing 
Adequate Analysis: 

As DHS deploys Einstein across the government, it faces the following 
challenges: 

Understanding whether alerts are valid. Although one of the objectives 
of Einstein is to improve situational awareness of activity across the 
federal government, DHS will be challenged in understanding the extent 
to which this objective is being met because it lacks performance 
measures for Einstein 2 that address whether or not agencies report 
that the alerts represent actual incidents. For Einstein 1, agencies 
did not always inform US-CERT of how they responded to the alerts. As 
a result, US-CERT did not know whether these alerts represented false 
positives or actual incidents. We have previously reported that 
performance measures are most meaningful when they are linked with 
organizational goals.[Footnote 33] DHS's performance measures for 
Einstein 2 indicate the time required for the system to detect known 
cyber events and to generate automated notifications once the events 
are detected, but they do not indicate agencies' responses to alerts. 
Establishing such measures would help DHS better understand whether 
the alerts are valid, helping it to better determine the extent to 
which the initiative is meeting its objective of improving situational 
awareness. 

Having staff with required skills to monitor and analyze data. DHS 
will be challenged to have staff with the appropriate skills to 
fulfill its analysis and incident response mission as Einstein 2 is 
deployed across the government. As more agencies receive sensors, the 
amount of data that US-CERT will be responsible for analyzing will 
drastically increase. DHS recognizes that staff with appropriate 
analytical skills will be required in order to handle the increased 
workload, but it has not developed a staffing plan to address its need 
to acquire and retain qualified analysts at US-CERT. Although the 
department announced in October 2009 that it plans to hire up to 1,000 
new cybersecurity professionals over the next 3 years, we previously 
reported in July 2008 that obtaining and retaining adequately trained 
cyber analysts is an ongoing challenge to US-CERT that hinders its 
ability to respond to increasingly fast, nimble, and sophisticated 
cyber attacks. At that time, we recommended that the department 
address the challenges that have impeded it from expeditiously hiring 
sufficiently trained cyber analysts and developing strategies for 
hiring and retaining highly qualified cyber analysts.[Footnote 34] 
Although DHS indicated that it plans to expedite the hiring and on-
boarding process for new analysts and to offer appropriate training 
opportunities for its analysts, it has not yet provided evidence that 
it has taken these actions. Until DHS addresses our prior 
recommendation by developing strategies for hiring and retaining cyber 
analysts, US-CERT may lack staff with appropriate skills to analyze 
the Einstein data, increasing the risk that attacks against federal 
networks could go undetected. 

Additional Information from US-CERT Helped Agencies, Providing 
Valuable Lessons Learned: 

Agencies' experiences with the initial version of Einstein provided 
DHS with lessons learned for future versions of the initiative. 

Detailed and timely information from alerts proved useful. Several 
agencies' experiences with Einstein 1 improved over time because 
information provided by US-CERT increased in its timeliness and 
detail. Although some agencies said that the alerts and reports that 
US-CERT provided were not always timely and useful, a few agencies 
observed that the information had improved over time. For example, one 
agency stated that the alerts lacked sufficient contextual 
information, making it difficult to determine whether the alerts were 
identifying false positives or actual incidents; however, several 
agencies indicated that the alerts had since improved in their 
usefulness. In addition, although several agencies noted that the 
alerts were not very timely when the sensors were first installed, a 
few indicated that the timeliness had improved for more recent alerts. 
Going forward, continuing to provide appropriate and timely 
information from the alerts will prove useful for agencies. 

Access to sensor data proved useful for agencies. Further, several 
agencies that had direct access to the flow records from the Einstein 
sensor found that it was helpful in detecting potential incidents. DHS 
stated that all agencies participating in Einstein 2 will also have 
access to the flow data, which could provide similar benefits. 
However, not all agencies were aware that they would have access to 
this data. Making them aware of this and of the data's possible 
benefits could aid agencies in improving their monitoring of potential 
incidents. 

Conclusions: 

TIC and Einstein are ambitious efforts that can help improve security 
and situational awareness across the federal government. However, in 
implementing the initiatives, federal agencies have faced challenges. 
For TIC, OMB did not consistently communicate the number of access 
points for which agencies had been approved, and DHS did not always 
provide timely answers to agency questions about technical 
capabilities. In addition, because DHS does not conduct direct testing 
of the capabilities or evaluate all possible locations in its 
validation reviews, it cannot be assured that all critical 
capabilities have been implemented. For Einstein, the initiative could 
fail to fully meet the objective of increasing US-CERT's situational 
awareness because DHS did not always ensure that key agreements were 
executed with agencies. DHS could also be challenged in determining 
whether the initiative is meeting this objective without performance 
measures that indicate whether the alerts provided to agencies 
represent actual incidents. Without improvements in program management 
and communication from OMB and DHS, federal agencies will continue to 
be faced with challenges in implementing these initiatives that could 
ultimately jeopardize their ability to reduce and secure Internet 
connections. 

With agencies still in the process of implementing TIC and DHS in the 
early stages of deploying Einstein 2, the success of such large-scale 
initiatives will be in large part determined by the extent to which 
DHS, OMB, and other federal agencies work together to address the 
challenges of these efforts and to apply lessons learned during the 
initial stages of implementation. Although this will not guarantee the 
success of TIC and Einstein, doing so will enhance the chances that 
the initiatives will meet their goals of reducing, consolidating, and 
securing federal Internet connections. 

Recommendations for Executive Action: 

In order to ensure that federal agencies continue to have adequate 
information about the number of connections for which they have been 
approved, we recommend that the Director of OMB take the following two 
actions: 

* Communicate its final decisions on agency requests for additional 
TIC access points in a consistent and timely manner. 

* Assess the efficacy of, and take steps to apply as appropriate, the 
lesson learned during the initial implementation of TIC regarding the 
need to define future requirements before establishing deadlines. 

In addition, in order to further ensure that federal agencies have 
adequate, sufficient, and timely information to successfully meet the 
goals and objectives of the TIC and Einstein programs, we recommend 
that the Secretary of Homeland Security take the following six actions: 

* Provide agencies with timely responses to their questions seeking 
clarification on TIC security capabilities. 

* Enhance TIC compliance validations by including (1) direct testing 
and evaluation of the critical capabilities and (2) evaluation of the 
capabilities at all agency TIC locations. 

* Before activating Einstein sensors, ensure that both DHS and 
participating agencies (1) execute required service level agreements 
and (2) sign site deployment checklists. 

* Establish milestones for agencies to submit required Einstein 
agreements. 

* To better understand whether Einstein alerts are valid, develop 
additional performance measures that indicate how agencies respond to 
alerts. 

* Assess the efficacy of, and take steps to apply as appropriate, 
lessons learned during the initial implementation of these initiatives 
such as the need to (1) define future requirements for TIC before 
establishing deadlines and (2) make agencies aware of their ability to 
access Einstein flow data. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to OMB and DHS for their review and 
comment. In providing e-mail comments on a draft of this report, the 
lead information technology policy analyst from OMB's Office of E- 
Government and Information Technology stated that OMB concurred with 
the report's findings, conclusions, and two recommendations addressed 
to OMB. In e-mail comments provided by an audit liaison from DHS's 
Office of Cybersecurity and Communications, DHS concurred with the six 
recommendations addressed to DHS. DHS also provided technical 
comments, which we have incorporated into this report as appropriate. 
We also provided a draft of this report to the 22 other agencies 
included in our review. Of the 22, 15 responded that they did not have 
any comments; 1 provided technical comments, which we addressed as 
appropriate; and 6 did not respond. 

As agreed with your office, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
after its date. At that time, we will send copies to interested 
congressional committees, secretaries of the Departments of 
Agriculture, Education, Energy, Health and Human Services, Homeland 
Security, Housing and Urban Development, the Interior, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the Attorney 
General; the administrators of the Environmental Protection Agency, 
General Services Administration, National Aeronautics and Space 
Administration, Small Business Administration, and the U.S. Agency for 
International Development; the Chairman of the Nuclear Regulatory 
Commission; the Commissioner of the Social Security Administration; 
and the directors of the National Science Foundation, Office of 
Management and Budget, and Office of Personnel Management. The report 
also is available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staff have any questions regarding this report, please 
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Key contributors to this report 
are listed in appendix II. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The scope of our review covered two initiatives: Trusted Internet 
Connections (TIC) and the National Cybersecurity Protection System 
(NCPS) program, operationally known as Einstein. For each initiative, 
our objectives were to (1) identify their goals, objectives, and 
requirements; (2) determine the status of the actions federal agencies 
have taken, or plan to take, to implement them; and (3) identify the 
benefits, challenges, and lessons learned in implementing each 
initiative. 

For TIC, to address the first objective, we obtained and reviewed 
applicable policies and memorandums issued by the Office of Management 
and Budget (OMB) and guidance, reports, and other documentation 
provided by the Department of Homeland Security (DHS). We also held 
discussions with OMB and DHS representatives concerning the goals, 
objectives, and requirements of the initiative. To understand the 
options for agencies seeking to acquire TIC services through the 
Networx contract, we obtained and reviewed relevant documents 
regarding Networx and interviewed officials from the General Services 
Administration. 

To address the second objective for TIC, we reviewed statements of 
capability, plans of action and milestones, and other relevant 
documents for 23 of the 24 agencies[Footnote 35] listed in the Chief 
Financial Officers Act of 1990[Footnote 36] to determine if reporting 
requirements were met. We also reviewed these documents to determine 
reported progress toward the reduction and consolidation of external 
connections and implementation of critical capabilities and analyzed 
them to estimate the overall progress reported by agencies. We also 
reviewed documentation from DHS to determine whether agencies 
submitted the required documents. In addition, we reviewed the results 
of six TIC Compliance Validation reviews and interviewed officials 
from DHS to understand how the department assesses agencies' degree of 
compliance with TIC and to determine the extent to which the 
information reported in agency plans of action and milestones was 
accurate. 

To address the third objective for TIC, we interviewed officials from 
each agency, DHS, and OMB. In addition, we obtained written responses 
to follow-up questions from each agency. We also examined plans of 
action and milestones and other relevant documents from each agency 
and reviewed policies and guidance from OMB and DHS to identify any 
additional benefits, challenges, or lessons learned. Further, we 
interviewed officials from agency inspectors general to obtain 
information on any benefits, challenges, or lessons learned that they 
had identified related to the initiative. 

For Einstein, to address the first objective, we obtained and reviewed 
applicable policies, guidance, and other documentation provided by 
DHS. We also held discussions with DHS officials concerning the goals, 
objectives, and requirements of the initiative. 

To address the second objective for Einstein, we reviewed plans of 
action and milestones for each agency to determine whether reporting 
requirements were met. In addition, we examined required agreements 
and site assessments for the six agencies where Einstein 2 was 
deployed to verify their completion. We also interviewed officials and 
obtained written information from DHS and from each agency to obtain 
additional information on the status of implementation. 

To address the third objective for Einstein, we interviewed officials 
from DHS and from each agency. In addition, we obtained and reviewed 
written responses to follow-up questions from each agency. We also 
examined policies, guidance, and other documentation from DHS to 
identify any additional benefits, challenges, or lessons learned. 
Further, we interviewed officials from agency inspectors general to 
obtain information on any benefits, challenges, or lessons learned 
that they had identified related to the initiative. 

We conducted this performance audit from December 2008 to March 2010 
in Washington, D.C., in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives. 

[End of section] 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, Jeffrey Knott (Assistant 
Director); John Bainbridge; William Cook; Kami Corbett; Neil Doherty; 
Rebecca Eyler; Nancy Glover; Valerie Hopkins; Lee McCracken; Zsaroq 
Powe; and Shawn Ward made key contributions to this report. 

[End of section] 

Footnotes: 

[1] Director of National Intelligence, Annual Threat Assessment of the 
Intelligence Community for the Senate Select Committee on 
Intelligence, statement before the Senate Select Committee on 
Intelligence (Feb. 12, 2009). 

[2] The Comprehensive National Cybersecurity Initiative consists of 12 
projects intended to improve DHS's and other federal agencies' efforts 
to safeguard federal executive branch government information systems 
by reducing potential vulnerabilities, protecting against intrusion 
attempts, and anticipating future threats against the federal 
government's networks. 

[3] The 24 agencies subject to the act are the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Justice, Labor, State, Transportation, the Treasury, and 
Veterans Affairs; the Environmental Protection Agency, General 
Services Administration, National Aeronautics and Space 
Administration, National Science Foundation, Nuclear Regulatory 
Commission, Office of Personnel Management, Small Business 
Administration, Social Security Administration, and U.S. Agency for 
International Development. 

[4] GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[5] GAO, Information Security: Agencies Continue to Report Progress, 
but Need to Mitigate Persistent Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-09-546] (Washington, D.C.: July 17, 
2009). 

[6] The Federal Information Security Management Act was enacted as 
title III, E-Government Act of 2002, Pub L. No. 107-347, 116 Stat. 
2899, 2946 (Dec. 17, 2002). 

[7] GAO, Information Security: Progress Reported, but Weaknesses at 
Federal Agencies Persist, [hyperlink, 
http://www.gao.gov/products/GAO-08-571T] (Washington, D.C.: Mar. 12, 
2008). 

[8] GAO, Cybersecurity: Progress Made but Challenges Remain in 
Defining and Coordinating the Comprehensive National Initiative, 
[hyperlink, http://www.gao.gov/products/GAO-10-338] (Washington, D.C.: 
Feb. 1, 2010). 

[9] OMB, Implementation of Trusted Internet Connections (TIC), M-08-05 
(Washington, D.C.: Nov. 20, 2007). 

[10] According to DHS officials, each authorized TIC access point may 
include one or more external connections. 

[11] Examples of connections that are not required to be routed 
through an approved TIC include (1) dedicated connections to agency 
remote offices that do not pass through the Internet, (2) connections 
made using technology that provides a secure communication mechanism 
for data transmitted across public networks (i.e., virtual private 
networks), and (3) connections with other agencies where both agencies 
have implemented TIC. 

[12] Although OMB originally designated 17 of the 23 agencies in our 
review as TIC access providers, one of these agencies has since chosen 
to seek service from another access provider. 

[13] According to DHS officials, in December of 2008, the Einstein 
program was incorporated into NCPS, a larger collection of systems 
that includes not only the Einstein sensors, but also other systems 
providing data correlation and analysis. 

[14] Established by DHS, the US-CERT serves as a focal point for the 
government's interaction with federal and nonfederal entities on a 24- 
hour-a-day, 7-day-a-week basis regarding cyber-related analysis, 
warning, information sharing, major incident response, and national- 
level recovery efforts. It is charged with aggregating and 
disseminating cybersecurity information to improve warning of and 
response to incidents, increasing coordination of response 
information, reducing vulnerabilities, and enhancing prevention and 
protection. In addition, US-CERT collects incident reports from all 
federal agencies and assists agencies in their incident response 
efforts. 

[15] Network flow records are records of communications made to an 
organization's IT systems. The records identify the source and 
destination Internet Protocol addresses used in the communication, the 
source and destination ports, the time the communication occurred, and 
the protocol used to communicate. 

[16] Signatures are recognizable, distinguishing patterns associated 
with cyber attacks, such as a binary string associated with a computer 
virus or a particular set of keystrokes used to gain unauthorized 
access to a system. 

[17] When the initiative was first announced in November 2007, OMB set 
a target number of 50 connections across the federal government. 
However, OMB officials have since stated that the target number is no 
longer applicable and that a new target has not been established. 

[18] OMB, Guidance for Trusted Internet Connection Statement of 
Capability Form (SOC), M-08-16 (Washington, D.C.: Apr. 4, 2008). 

[19] The seven agencies in our review that are seeking service from 
other providers were not authorized a specific number of access points. 

[20] As of September 2009, six access provider agencies were targeting 
more access points than the number for which they had been approved by 
OMB. 

[21] At the time of our review, one access provider agency had not 
submitted its September 2009 progress report to DHS; the status of its 
consolidation effort, reflected in the table, is based on its July 
2009 progress report. 

[22] Seeking service agencies are not included in this figure. 

[23] The one multi-service access provider agency reported that it had 
implemented all of the 11 additional critical security capabilities 
required for multi-service access providers. 

[24] According to DHS officials, only one of the four participating 
Networx vendors had passed a review and could offer TIC services to 
agencies. 

[25] Project Management Institute, The Standard for Program 
Management, Second Edition (Newton Square, Pa.: 2008). 

[26] GAO, Internal Control Management and Evaluation Tool, [hyperlink, 
http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August 
2001). 

[27] OMB, Update on the Trusted Internet Connections Initiative, M-09- 
32 (Washington, D.C.: Sept. 17, 2009). 

[28] National Institute of Standards and Technology: Recommended 
Security Controls for Federal Information Systems, Special Publication 
800-53 Revision 3 (Gaithersburg, Md.: December 2007). 

[29] For Einstein 1, DHS required participating agencies to complete a 
memorandum of agreement, interconnection security agreement, and a 
site assessment before receiving a sensor. 

[30] Although agencies are required to complete a service level 
agreement, DHS officials stated that it is not necessary for it to be 
completed before the Einstein sensors are deployed. 

[31] One access provider agency did not submit its updated plan to DHS 
in September 2009. 

[32] The seven agencies seeking service from other access providers 
are not required to execute interconnection security agreements. 

[33] GAO, Information Security: Concerted Effort Needed to Improve 
Federal Performance Measures, [hyperlink, 
http://www.gao.gov/products/GAO-09-617] (Washington, D.C.: Sept. 14, 
2009). 

[34] GAO, Cyber Analysis and Warning: DHS Faces Challenges in 
Establishing a Comprehensive National Capability, [hyperlink, 
http://www.gao.gov/products/GAO-08-588] (Washington, D.C.: July 31, 
2008). 

[35] The Department of Defense was not included in our review because 
it was not required to implement TIC or Einstein. 

[36] 31 U.S.C. §901(b). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: