This is the accessible text file for GAO report number GAO-11-43 
entitled 'Information Security: Federal Agencies Have Taken Steps to 
Secure Wireless Networks, but Further Actions Can Mitigate Risk' which 
was released on November 30, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office:
GAO: 

Report to Congressional Committees: 

November 2010: 

Information Security: 

Federal Agencies Have Taken Steps to Secure Wireless Networks, but 
Further Actions Can Mitigate Risk: 

GAO-11-43: 

GAO Highlights: 

Highlights of GAO-11-43, a report to congressional committees. 

Why GAO Did This Study: 

Over the past several years, federal agencies have rapidly adopted the 
use of wireless technologies for their information systems. In a 2005 
report, GAO recommended that the Office of Management and Budget 
(OMB), in its role overseeing governmentwide information security, 
take several steps to help agencies better secure their wireless 
networks. 

GAO was asked to update its prior report by (1) identifying leading 
practices and state-of-the-art technologies for deploying and 
monitoring secure wireless networks and (2) assessing agency efforts 
to secure wireless networks, including their vulnerability to attack.
To do so, GAO reviewed publications, guidance, and other documentation 
and interviewed subject matter experts in wireless security. GAO also 
analyzed policies and plans and interviewed agency officials on 
wireless security at 24 major federal agencies and conducted 
additional detailed testing at these 5 agencies: the Departments of 
Agriculture, Commerce, Transportation, and Veterans Affairs, and the 
Social Security Administration. 

What GAO Found: 

GAO identified a range of leading security practices for deploying and 
monitoring secure wireless networks and technologies that can help 
secure these networks. The leading practices include the following: 

* comprehensive policies requiring secure encryption and establishing 
usage restrictions, implementation practices, and access controls; 

* a risk-based approach for wireless deployment and monitoring; 

* a centralized wireless management structure that is integrated with 
the management of the existing wired network; 

* configuration requirements for wireless networks and devices; 

* incorporation of wireless and mobile device security in training; 

* use of encryption, such as a virtual private network for remote 
access; 

* continuous monitoring for rogue access points and clients; and 

* regular assessments to ensure wireless networks are secure. 

Agencies have taken steps to secure their wireless networks, but more 
can be done to improve security and to limit vulnerability to attack. 
Specifically, the agencies applied most of the following leading 
practices inconsistently: 

* Most agencies developed policies to support federal guidelines and 
leading practices, but gaps existed, particularly with respect to 
dual-connected laptops and mobile devices taken on international travel. 

* All agencies required a risk-based approach for management of 
wireless technologies. 

* Many agencies used a decentralized structure for management of 
wireless, limiting the standardization that centralized management can 
provide. 

* The five agencies where GAO performed detailed testing generally 
securely configured wireless access points but had numerous weaknesses 
in laptop and smartphone configurations. 

* Most agencies were missing key elements related to wireless security 
in their security awareness training. 

* Twenty agencies required encryption, and eight of these agencies 
specified that a virtual private network must be used; four agencies 
did not require encryption for remote access. 

* Many agencies had insufficient practices for monitoring or 
conducting security assessments of their wireless networks. 

Existing governmentwide guidelines and oversight efforts do not fully 
address agency implementation of leading wireless security practices. 
Until agencies take steps to better implement these leading practices, 
and OMB takes steps to improve governmentwide oversight, wireless 
networks will remain at an increased vulnerability to attack. 

What GAO Recommends: 

GAO is making two recommendations to OMB to enhance governmentwide 
oversight and four recommendations to the Department of Commerce for 
additional guidelines related to wireless security. The Department of 
Commerce concurred with GAO’s recommendations. OMB did not provide 
comments on the report. 

View [hyperlink, http://www.gao.gov/products/GAO-11-43] or key 
components. For more information, contact Gregory Wilshusen at (202) 
512-6244 or wilshuseng@gao.gov or Nabajyoti Barkakati at (202) 512-4499 
or barkakatin@gao.gov. 

Contents: 

Letter: 

Background: 

Comprehensive Policies, Use of Secure Technologies, Risk-Based 
Approach, Training, and Monitoring Among Leading Practices for 
Deploying and Monitoring Secure Wireless Networks: 

Agencies Have Acted to Secure Wireless Networks, but Additional Steps 
Are Needed to Effectively Mitigate Security Challenges: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Department of Commerce: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Tables: 

Table 1: Examples of Network Security Threats: 

Table 2: Wireless Security Guidelines Identified in NIST Guidelines: 

Table 3: Guidelines in NIST Publications Addressing Recommendations 
from GAO-05-383: 

Table 4: Leading Practices for Securing Wireless Networks and 
Technologies: 

Figures: 

Figure 1: Example of a Wireless Infrastructure Mode Network: 

Figure 2: Example of Wireless Ad Hoc Networking: 

Figure 3: Dual-Connect Attack Scenario: 

Figure 4: Wireless Man-in-the-Middle Attack Scenario: 

Figure 5: Smartphone Data Attack Scenario: 

Abbreviations: 

DISA: Defense Information Systems Agency: 

DHS: Department of Homeland Security: 

EAP: extensible authentication protocol: 

FDCC: Federal Desktop Core Configuration: 

FIPS: Federal Information Processing Standards: 

FISMA: Federal Information Security Management Act: 

IEEE: Institute of Electrical and Electronics Engineers: 

IT: information technology: 

IPv6: Internet protocol version 6: 

NIST: National Institute of Standards and Technology: 

OMB: Office of Management and Budget: 

PDA: personal digital assistant: 

SP: Special Publications: 

VPN: virtual private network: 

WEP: wired equivalent privacy: 

WiMAX: Worldwide Interoperability for Microwave Access: 

WPA: Wi-Fi Protected Access: 

WLAN: wireless local area network: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

November 30, 2010: 

The Honorable Richard J. Durbin:
Chairman:
The Honorable Susan Collins:
Ranking Member:
Subcommittee on Financial Services and General Government:
Committee on Appropriations:
United States Senate: 

The Honorable José E. Serrano:
Chairman:
The Honorable Jo Ann Emerson:
Ranking Member:
Subcommittee on Financial Services and General Government:
Committee on Appropriations:
House of Representatives: 

In the last several years, federal agencies have increasingly adopted 
the use of wireless technologies. While wireless technologies provide 
many potential benefits, including greater flexibility for a mobile 
workforce and ease of installation and use, they also pose significant 
risks to information and systems. Wireless technologies use radio 
waves instead of direct physical connections to transmit data between 
networks and devices. As a result, without proper security 
precautions, these data can be more easily intercepted and altered 
than if being transmitted through physical connections. 

We have previously reported on the security of wireless networks at 
federal agencies in 2005.[Footnote 1] The conference report 
accompanying the Financial Services and General Government 
Appropriations Act, 2010, directed us to update our 2005 report.
[Footnote 2] Accordingly, our objectives for this report were to: (1) 
identify leading practices and state-of-the-art technologies for 
deploying and monitoring secure wireless networks and (2) assess 
agency efforts to secure wireless networks, including their 
vulnerability to attack. 

To identify leading practices and state-of-the-art technologies for 
deploying and monitoring secure wireless networks, we obtained and 
reviewed publications, guidance, and other documentation, and 
interviewed private and federal subject matter experts. To assess 
agency efforts to secure wireless networks, we reviewed agency 
documents and conducted structured interviews with agency officials to 
learn about the wireless posture at 24 major federal 
agencies.[Footnote 3] We supplemented these questions with site visits 
and detailed testing of wireless security controls at five of the 
agencies. 

We conducted this performance audit from January 2010 to November 
2010, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. Appendix I 
contains additional details on the objectives, scope, and methodology 
of our review. 

Background: 

The advantages of wireless technology for federal agencies include 
increased flexibility, easier installation, and easier scalability 
than wired technologies. If a federal agency has installed a wireless 
infrastructure, users with wireless-enabled devices can more easily 
connect to the agency's network throughout its facilities. In 
addition, agency employees traveling with wireless-enabled devices may 
be able to connect to an agency network via any one of the many public 
Internet access points or hot spots. Installation can be easier and 
less costly because the network can be established without having to 
pull cables through walls or ceilings or modify the physical network 
infrastructure. Wireless networks can also be easily scaled from small 
peer-to-peer networks to very large enterprise networks. For example, 
an agency can greatly expand the size of its wireless network and the 
number of users it can serve by increasing the number of access 
points. The following wireless technologies are commonly used by 
federal agencies: 

* wireless local area network (WLAN)--a group of wireless networking 
nodes within a limited geographic area that serve as an extension to 
existing wired local area networks; 

* wireless personal area network--used to establish small-scale 
wireless networks such as those using Bluetooth®, which is an open 
standard for short-range communication; and 

* wireless cellular networks--a telecommunications network managed by 
a service provider that supports smartphones, which offer the ability 
to provide data such as e-mail and Web browsing wirelessly over 
cellular networks, and cellular data cards, which provide Internet 
connectivity to laptop computers. 

Wireless Local Area Networks: 

WLANs are generally composed of two basic elements: access points and 
other wireless-enabled client devices, such as laptop computers. These 
elements rely on radio transmitters and receivers to communicate with 
each other. Access points are physically wired to a conventional 
network and provide a means for wireless devices to connect to them. 
WLANs that are based on the Institute of Electrical and Electronics 
Engineers[Footnote 4] (IEEE) 802.11 standards are also known as Wi-Fi. 

WLANs are characterized by one of the following two basic structures, 
referred to as infrastructure mode and ad hoc mode: 

* Infrastructure mode. By deploying one or more access points that 
broadcast overlapping signals, an organization can achieve broad 
wireless network coverage. Infrastructure mode enables a laptop or 
other mobile device to be moved about freely while maintaining access 
to the resources of the wired network (see figure 1). 

Figure 1: Example of a Wireless Infrastructure Mode Network: 

[Refer to PDF for image: illustration] 

The illustration depicts a traditional wired network with wireless 
access points and mobile devices connecting to that point. 

Sources: GAO; Microsoft Visio and Art Explosion (images). 

[End of figure] 

* Ad hoc mode. This type of wireless structure allows wireless devices 
that are near one another to easily interconnect. In ad hoc mode, 
wireless-enabled devices can share network functionality without the 
use of an access point or a wired network connection (see figure 2). 

Figure 2: Example of Wireless Ad Hoc Networking: 

[Refer to PDF for image: illustration] 

The illustration depicts mobile devices sharing network functionality 
without the use of an access point. 

Sources: GAO; Microsoft Visio and Art Explosion (images). 

[End of figure] 

After approval of the initial IEEE 802.11 standard in 1997, IEEE 
released several 802.11 amendments to increase WLAN network speeds to 
be more comparable to that of wired networks. The 802.11 standard and 
these subsequent amendments include security features known 
collectively as wired equivalent privacy (WEP). However, 
configurations that use WEP have significant security flaws. 

To address these flaws, IEEE released the 802.11i security standard in 
2004, which specifies security components that work together with 
802.11 transmission standards. The IEEE 802.11i security standard 
supports wireless connections that provide moderate to high levels of 
assurance against WLAN security threats through the use of different 
cryptographic techniques. 

While IEEE was developing 802.11i, the Wi-Fi Alliance[Footnote 5] 
developed the Wi-Fi Protected Access (WPA) security certification as 
an interim means to improve security over WEP. The protocols used 
under the WPA certification address vulnerabilities of WEP, but the 
certification does not require support for strong encryption. 

In conjunction with the ratification of the 802.11i security standard 
in 2004, the Wi-Fi Alliance introduced WPA2--the interoperability 
certification for 802.11i. The WPA2 certification extends the security 
capabilities offered by WPA to include all requirements of the 802.11i 
standard. Both WPA and WPA2 offer two modes of operation: Personal and 
Enterprise. WPA2-Personal protects against unauthorized network access 
by using a preshared password as the key for network setup and access, 
while WPA2-Enterprise verifies each network user through an 
authentication server. In most cases, WPA2-Enterprise is recommended to eliminate the 
continuous process of generating, deploying, and replacing outdated 
passwords. Although WPA2-Enterprise-certified products provide more 
security protections than WEP and WPA, recent reports revealed that 
wireless networks protected with WPA2-Enterprise encryption can also 
be susceptible to attacks. 

Most recently, in 2009, IEEE ratified the 802.11w-2009 standard, which 
further increases the overall security of 802.11-based networks. 
Specifically, 802.11w-2009 provides improved protection for WLANs by 
defining additional encryption security features to help prevent 
incidents such as denial of service attacks against WLANs. 

Wireless Personal Area Networks: 

Wireless personal area networks provide wireless connectivity to 
devices such as telephone headsets or computer keyboards within close 
proximity. Bluetooth is commonly used to establish these types of 
networks. Several versions of the Bluetooth standard have been adopted 
by the Bluetooth Special Interest Group.[Footnote 6] 

Each Bluetooth device must operate in one of the four security modes 
defined by the Bluetooth standard. Each version of Bluetooth supports 
some, but not all, of these modes. 

Wireless Cellular Networks: 

Cellular networks are managed by service providers who provide 
coverage based on dividing a large geographical service area into 
smaller areas of coverage called cells. As a mobile phone moves from 
one cell to another, a cellular arrangement requires active 
connections to be monitored and effectively passed along between cells 
to maintain the connection. 

In addition to cellular phones, cellular networks support smartphones 
and cellular data cards. Smartphones offer more functionality than 
basic cellular phones, including e-mail and other office productivity 
applications and have extended expansion capabilities through 
peripheral card slots and other built-in wireless communications such 
as Bluetooth and Wi-Fi. Cellular data cards allow laptop users to 
connect to the Internet anywhere cellular service is available. 
However, cellular data cards can only access the Internet if the user 
is within the service provider's network coverage area. 

Federal Agencies Make Widespread Use of Wireless Technologies: 

Agencies reported significant use of WLANs to extend working mobility 
for employees and contractors. For example, 18 agencies reported using 
WLANs in a variety of ways. Five agencies reported having wireless 
networks available for headquarters along with field offices or 
components. Twelve other agencies reported that components have 
different wireless practices than headquarters. For example, one major 
agency reported no WLANs at its headquarters, but it has components 
that use them. Further, several agencies use wireless networks for 
more limited purposes than connecting to the core agency network. 
Specifically, five agencies reported offering WLANs that connect 
directly to the Internet for use in conference rooms or other public 
spaces. Another agency reported using wireless access points to 
provide Internet connectivity at outdoor construction sites. 

Personal area networks using Bluetooth technology were also reported 
by many agencies. Specifically, 14 agencies reported using Bluetooth 
devices. Ten agencies reported permitting cellular phone users to 
connect wireless headsets, and four agencies reported permitting 
wireless keyboards or mice. 

Agencies also reported extensive use of smartphones and cellular data 
cards. All 24 agencies we queried reported using smartphones, 
primarily the BlackBerry® brand. Agencies' smartphone management 
structures included management through a central server located at 
the department level or at the component level, and arrangements in 
which one component or office provided smartphone management to another office. Seventeen 
agencies reported using cellular data cards to provide Internet 
connectivity to user laptops. These cards and services are typically 
provided by commercial telecommunications carriers. 

Wireless Technologies Are Susceptible to Security Risks: 

Without proper safeguards, computer systems are vulnerable to 
individuals and groups with malicious intent who can intrude and use 
their access to obtain sensitive information, commit fraud, disrupt 
operations, or launch attacks against other computer systems and 
networks. The risk to these systems is well-founded for a number of 
reasons, including the dramatic increase in reports of security 
incidents, the ease of obtaining and using hacking tools, and steady 
advances in the sophistication and effectiveness of attack technology. 
Table 1 provides a compilation of threats to wireless and wired 
networks as identified by the National Institute of Standards and 
Technology (NIST). 

Table 1: Examples of Network Security Threats: 

Denial-of-service: 
Preventing or limiting the normal use or management of networks or 
network devices. 

Eavesdropping: 
Passively monitoring network communications for data, including 
authentication credentials. 

Man-in-the-middle: 
Actively impersonating multiple legitimate parties, such as appearing 
as a client to an access point and appearing as an access point to a 
client. Allows attacker to intercept communications between an access 
point and a client, thereby obtaining authentication credentials and 
data. 

Masquerading: 
Impersonating an authorized user and gaining unauthorized privileges. 

Message modification: 
Altering a legitimate message by deleting, adding to, changing, or 
reordering it. 

Message replay: 
Passively monitoring transmissions and retransmitting messages, acting 
as if the attacker were a legitimate user. 

Misappropriation: 
Stealing or making unauthorized use of a service. 

Traffic analysis: 
Passively monitoring transmissions to identify communication patterns 
and participants. 

Source: GAO analysis of NIST data. 

[End of table] 

Wireless networks also face challenges that are unique to their 
environment. A significant difference between wireless and wired 
networks is the relative ease of intercepting WLAN transmissions. For 
WLANs, attackers only need to be in range of wireless transmissions 
and do not have to gain physical access to the network or remotely 
compromise systems on the network. WLANs also have to protect against 
the deployment of unauthorized wireless devices, such as access 
points, that are configured to appear as part of an agency's wireless 
network infrastructure. In implementing wireless networks, federal 
agencies need to address these challenges to maintain the 
confidentiality, integrity, and availability of the information. 

Bluetooth-enabled devices are susceptible to general networking 
threats and are also threatened by more specific Bluetooth-related 
attacks such as bluesnarfing, which enables attackers to gain access 
to a Bluetooth-enabled device by exploiting a software flaw in older 
devices. 

Smartphones are also susceptible to general networking threats and 
face additional security risks. These include risks arising from their 
size and portability and from the availability of different wireless 
interfaces and associated services. For example, the size and 
portability of smartphones can result in the loss of physical control 
of a device that could reveal sensitive data to an unauthorized user. 

Recent articles released by the media reinforce the need for federal 
agencies to secure their wireless networks and devices. Examples of 
reported incidents and risks include the following: 

* A retail company admitted in 2007 that hackers located and tested 
wireless networks for vulnerabilities and installed programs on these 
networks to steal the credit card information of more than 45 million 
consumers. 

* An assessment of wireless vulnerability conducted in 2008 at 27 
airports that had wireless networks found that personal information 
could be leaked because only 3 percent of hot spot users used a 
virtual private network (VPN)[Footnote 7] to encrypt their data. 

* In 2009, a counterintelligence official described how smartphones 
could have been tagged, tracked, monitored, and exploited at the 2008 
Beijing Olympics. The malicious software could have also posed a 
threat to e-mail servers in the United States. 

Scenarios Provide Examples of Attacks Using Wireless Vulnerabilities: 

The following scenarios (figs. 3-5) provide examples of well-known 
attacks used to exploit vulnerabilities in wireless technologies. 
These scenarios do not represent all possible attacks on wireless 
technology vulnerabilities. 

In a dual-connect scenario (see figure 3), the attacker exploits 
insecure laptop configurations to gain unauthorized access to an 
organization's core network. 

Figure 3: Dual-Connect Attack Scenario: 

[Refer to PDF for image: illustration] 

1) A target laptop has a wired connection to the agency network. With 
wireless enabled, the target laptop automatically looks for any 
previously connected wireless networks by network name. 

2) An attacker with a scanning tool can identify wireless network 
names and deploy a rogue wireless access point with the same name as 
one of the previously connected wireless networks. 

3) While still connected to the agency network, the target laptop 
automatically connects to the rogue wireless access point, creating a 
dual connection, i.e., the target laptop has both an active wired and 
wireless connection. 

4) While connected to the rogue wireless access point, the target 
laptop can be probed and vulnerabilities exploited that could provide 
an attacker with access to the agency core wired network through the 
target laptop. 

5) With unauthorized access to an agency network, an attacker is 
capable of destroying, modifying, or copying sensitive information. 

Source: GAO; Art Explosion (images). 

[End of figure] 

Wireless man-in-the-middle attacks (see figure 4) use an insecure 
laptop configuration to intercept or alter information transmitted 
wirelessly between the target laptop and a wireless access point. 

Figure 4: Wireless Man-in-the-Middle Attack Scenario: 

[Refer to PDF for image: illustration] 

1) While located between a target laptop and a legitimate wireless 
access point, an attacker impersonates the legitimate access point. 

2) The target laptop unintentionally connects to the rogue wireless 
access point, which acts as a man-in-the-middle, reading and then 
relaying information to the legitimate access point. 

3) The rogue wireless access point can then intercept network 
communications between the target laptop and the legitimate access 
point. 

4) As a result, the attacker could read and modify sensitive data in 
transmission, or inject malicious code to infect the target laptop. 

Source: GAO; Art Explosion (images). 

[End of figure] 
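The two WLAN scenarios above (figures 3 and 4) both turn on conditions a defender can monitor for: an access point advertising the agency's network name from a radio the agency does not operate, and a laptop holding a wired and a wireless connection at the same time. The following Python is an added example and is not part of the GAO report; the SSIDs, BSSIDs, hostnames and the one-row-per-AP scan format are constructed for illustration.

```python
"""Constructed defensive checks for the figure 3 (dual connect) and figure 4
(man-in-the-middle / evil twin) scenarios: detect access points that advertise
an agency SSID from an unknown radio, and hosts that hold a wired and a
wireless connection at once."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # radio MAC address, normalized to lowercase
    channel: int


@dataclass(frozen=True)
class HostState:
    hostname: str
    wired_up: bool                 # Ethernet link is active
    wireless_ssid: Optional[str]   # SSID the radio is associated with, or None


# Constructed inventory of the radios the agency operates, keyed by SSID.
# Any AP advertising one of these SSIDs from another BSSID is treated as rogue.
AUTHORIZED_BSSIDS: Dict[str, Set[str]] = {
    "AGENCY-WLAN": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "AGENCY-GUEST": {"00:11:22:aa:bb:03"},
}


def parse_scan(text: str) -> List[AccessPoint]:
    """Parse a constructed scan export with one 'SSID BSSID CHANNEL' row per line.

    Blank lines and lines starting with '#' are ignored. SSIDs containing
    spaces are not supported by this simplified format.
    """
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel = line.split()
        aps.append(AccessPoint(ssid, bssid.lower(), int(channel)))
    return aps


def find_rogue_aps(scan: List[AccessPoint],
                   authorized: Dict[str, Set[str]] = AUTHORIZED_BSSIDS) -> List[AccessPoint]:
    """Return APs that advertise a protected SSID from a BSSID not in inventory.

    This covers both the same-name rogue AP of figure 3 step 2 and the
    impersonating AP of figure 4 step 1. SSIDs the agency does not own
    (a neighbouring cafe, for instance) are out of scope and are not flagged.
    """
    return [ap for ap in scan
            if ap.ssid in authorized and ap.bssid not in authorized[ap.ssid]]


def find_dual_connected(hosts: List[HostState]) -> List[HostState]:
    """Return hosts with an active wired link and a wireless association.

    Figure 3 step 3: such a host can bridge an attacker on the rogue AP into
    the wired network. Disabling the radio while the Ethernet link is up is
    the usual remediation.
    """
    return [h for h in hosts if h.wired_up and h.wireless_ssid is not None]


# Constructed sample data for a stand-alone run.
SAMPLE_SCAN = """
# SSID           BSSID              CHANNEL
AGENCY-WLAN      00:11:22:AA:BB:01  1
AGENCY-WLAN      00:11:22:aa:bb:02  6
AGENCY-WLAN      de:ad:be:ef:00:01  11
CAFE-FREE-WIFI   66:77:88:99:aa:bb  6
"""

SAMPLE_HOSTS = [
    HostState("lt-0001", wired_up=True, wireless_ssid="AGENCY-WLAN"),
    HostState("lt-0002", wired_up=True, wireless_ssid=None),
    HostState("lt-0003", wired_up=False, wireless_ssid="AGENCY-WLAN"),
]


def run_checks(scan_text: str = SAMPLE_SCAN, hosts: List[HostState] = SAMPLE_HOSTS):
    """Run both checks; return (rogue BSSIDs, dual-connected hostnames)."""
    rogues = find_rogue_aps(parse_scan(scan_text))
    dual = find_dual_connected(hosts)
    return [ap.bssid for ap in rogues], [h.hostname for h in dual]


if __name__ == "__main__":
    rogue_bssids, dual_hosts = run_checks()
    for b in rogue_bssids:
        print(f"ROGUE AP: BSSID {b} advertises a protected SSID")
    for h in dual_hosts:
        print(f"DUAL CONNECT: {h} has wired and wireless links active")
```

In practice the scan rows would come from a wireless intrusion detection sensor and the host states from endpoint inventory; the allowlist must be kept in step with the access point inventory or legitimate radios will be reported as rogue.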

Attacks on smartphones (see figure 5) can involve stealing data or 
injecting malicious code using phone storage cards. 

Figure 5: Smartphone Data Attack Scenario: 

[Refer to PDF for image: illustration] 

1) Smartphones have the capability to store data on removable storage 
cards. 

2) If this capability is not disabled and the target phone is left 
unattended, an attacker could replace the storage card with a card 
with malicious code or simply remove the storage card with its 
contents that could include sensitive information. 

Source: GAO. 

[End of figure] 

Federal Laws and Guidelines Provide a Framework for Wireless Security 
Policies: 

The Federal Information Security Management Act (FISMA) of 2002 
requires each agency to develop, document, and implement an agencywide 
information security program to provide security for the data and 
information systems that support the agency’s operations and assets. 
[Footnote 8] Significant amounts of agency data are stored on and 
transmitted through wireless devices and networks. Wireless 
technologies are often important parts of the information systems that 
support the agency’s operations and assets. Accordingly, wireless 
technologies are typically encompassed by agency information security 
programs required under FISMA. FISMA also assigns additional 
information security responsibilities for the Office of Management and 
Budget (OMB) and NIST. 

FISMA assigns OMB specific responsibilities, including: 

* overseeing the implementation of policies, standards, and guidelines 
on information security, including ensuring timely agency adoption of 
and compliance with standards; 

* requiring agencies to identify and provide information security 
protections commensurate with the risk and magnitude of the harm 
resulting from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information collected or maintained by 
or on behalf of an agency, or information systems used or operated by 
or on behalf of an agency; 

* overseeing agency compliance with FISMA requirements; 

* reviewing at least annually, and approving or disapproving, agency 
information security programs; and 

* annual reporting to Congress on agency compliance with the 
requirements of FISMA, including significant deficiencies in agency 
information security practices and planned remedial action to address 
such deficiencies. 

In a July 2010 memo, OMB directed the Department of Homeland Security 
(DHS) to exercise primary responsibility within the executive branch 
for the operational aspects of federal agency cybersecurity with 
respect to the federal information systems that fall within FISMA. 
[Footnote 9] According to the memo, DHS is to oversee the 
implementation of and reporting on information security policies and 
guidance in federal agencies, oversee agency compliance with FISMA, 
and annually review agency cybersecurity programs. OMB will continue 
to report annually to Congress on the progress of agencies’ compliance 
with FISMA. 

According to the Director of Federal Network Security—the DHS official 
responsible for many of DHS’s newly assigned FISMA-related activities—
DHS is beginning its oversight activities through the annual FISMA 
reporting process that federal agencies are required to follow. The 
official stated that the department does not currently have any 
wireless-security-specific activities under way, but that the 
department is planning future activities that may address wireless 
security, including compliance audits and an architecture document. 

Under FISMA, NIST is responsible for developing standards and 
guidelines that include minimum information security requirements. 
Table 2 describes NIST Special Publications (SP) that include 
guidelines intended to secure wireless technologies. 

Table 2: Wireless Security Guidelines Identified in NIST Guidelines: 

NIST SP: 800-48, Guide to Securing Legacy IEEE 802.11 Wireless 
Networks[A]; 
Purpose: Provides guidelines to organizations in securing their legacy 
IEEE 802.11 WLAN that cannot use the IEEE 802.11i standard. 

NIST SP: 800-53, Recommended Security Controls for Federal Information 
Systems and Organizations[B]; 
Purpose: Provides guidelines for selecting and specifying security 
controls for information systems that include wireless access and 
access controls for mobile devices. 

NIST SP: 800-94, Guide to Intrusion Detection and Prevention 
Systems[C]; 
Purpose: Provides a basis for designing, implementing, configuring, 
securing, monitoring, and maintaining intrusion detection and 
prevention systems including a wireless intrusion detection system.[D] 

NIST SP: 800-97, Establishing Wireless Robust Security Networks: A 
Guide to IEEE 802.11i[E]; 
Purpose: Assists organizations in understanding, selecting, and 
implementing technologies based on IEEE 802.11i. 

NIST SP: 800-101, Guidelines on Cell Phone Forensics[F]; 
Purpose: Provides basic information on the preservation, acquisition, 
examination, analysis, and reporting of digital evidence on cell 
phones, relevant to law enforcement, incident response, and other 
types of investigations. 

NIST SP: 800-114, User’s Guide to Securing External Devices for 
Telework and Remote Access[G]; 
Purpose: Provides guidelines for securing external devices used for 
telework including wireless home networks and wireless-enabled 
personal computers. 

NIST SP: 800-120, Recommendation for EAP Methods Used in Wireless 
Network Access Authentication[H]; 
Purpose: Formalizes a set of core security requirements for extensible 
authentication protocol (EAP)[I] for wireless access authentication 
and key establishment. 

NIST SP: 800-121, Guide to Bluetooth Security[J]; 
Purpose: Provides information on the security capabilities of 
Bluetooth and provides recommendations to secure Bluetooth devices 
effectively. 

NIST SP: 800-124, Guidelines on Cell Phone and PDA Security[K]; 
Purpose: Provides an overview of cell phone and personal digital 
assistant (PDA) devices in use today and provides safeguards for 
securing these devices. 

Source: GAO analysis of NIST data. 

[A] NIST, Guide to Securing Legacy IEEE 802.11 Wireless Networks, SP 
800-48 Revision 1 (Gaithersburg, MD: July 2008). 

[B] NIST, Recommended Security Controls for Federal Information 
Systems and Organizations, SP 800-53 Revision 3 (Gaithersburg, MD: 
August 2009). 

[C] NIST, Guide to Intrusion Detection and Prevention Systems (IDPS), 
SP 800-94 (Gaithersburg, MD: February 2007). 

[D] An intrusion detection system monitors the events occurring in a 
computer system or network and analyzes them for signs of possible 
incidents. 

[E] NIST, Establishing Wireless Robust Security Networks: A Guide to 
IEEE 802.11i, SP 800-97 (Gaithersburg, MD: February 2007). 

[F] NIST, Guidelines on Cell Phone Forensics, SP 800-101 
(Gaithersburg, MD: May 2007). 

[G] NIST, User’s Guide to Securing External Devices for Telework and 
Remote Access, SP 800-114 (Gaithersburg, MD: November 2007). 

[H] NIST, Recommendation for EAP Methods Used in Wireless Network 
Access Authentication, SP 800-120 (Gaithersburg, MD: September 2009). 

[I] EAP supports multiple authentication methods used when connecting 
a computer to the Internet. 

[J] NIST, Guide to Bluetooth Security, SP 800-121 (Gaithersburg, MD: 
September 2008). 

[K] NIST, Guidelines on Cell Phone and PDA Security, SP 800-124 
(Gaithersburg, MD: October 2008). 

[End of table] 

NIST is also responsible for administering the United States 
Configuration Baseline, which is an initiative to create security 
configuration baselines for information technology (IT) products 
deployed across federal agencies. 

In addition to NIST guidelines, other federal agencies have developed 
guidance for securing wireless technologies. For example, the 
Department of Defense’s Defense Information Systems Agency (DISA) has 
created a series of security technical implementation guides that 
address general purpose or multiuse technologies. These guides serve 
as configuration standards for the Department of Defense’s wireless 
devices and systems. In addition, DISA has made these guides available 
for other federal agencies to provide them with a baseline level of 
security. 

GAO Has Previously Recommended Improvements to Wireless Network 
Security Guidance: 

In 2005, we reported that federal agencies lacked key controls for 
securing wireless networks.[Footnote 10] We recommended that the 
Director of OMB instruct federal agencies to ensure that wireless 
network security is incorporated into their agencywide information 
security programs, in accordance with FISMA. Specifically, we 
recommended that agencywide security programs should include the 
following security controls. 

* Robust policies for authorizing the use of the wireless networks, 
identifying requirements, and establishing security controls for 
wireless-enabled devices in accordance with NIST guidelines. 

* Security configuration requirements for wireless devices that 
include: 

- security tools, such as encryption, authentication, VPN, and 
firewalls; 

- placement and strength of wireless access points to minimize signal 
leakage; and 

- physical protection of wireless-enabled devices. 

* Comprehensive monitoring programs, including the use of tools such 
as site surveys and intrusion detection systems to: 

- detect signal leakage; 

- ensure compliance with configuration requirements; 

- ensure only authorized access and use of wireless networks; and 

- identify unauthorized wireless-enabled devices and activities in the 
agency’s facilities. 

* Wireless security training for employees and contractors. 

In response to our recommendations, OMB has instructed federal 
agencies to ensure network security is incorporated into their 
agencywide network security program through the use of NIST 
guidelines. In addition, OMB’s annual FISMA reporting requirements 
state that agencies must follow NIST standards and guidelines for non-
national security programs and information systems. Since our report 
was issued, NIST has released guidelines that address the items 
identified in our recommendations. These guidelines include NIST SP 
800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks; NIST 
SP 800-53, Recommended Security Controls for Federal Information 
Systems and Organizations; and NIST SP 800-97, Establishing Wireless 
Robust Security Networks: A Guide to IEEE 802.11i (see table 3). 

Table 3: Guidelines in NIST Publications Addressing Recommendations 
from GAO-05-383: 

Recommendation: Establish policies; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Check]; 
NIST SP 800-97: [Check]; 
Area: Establishing wireless networking security policies, such as 
infrastructure and client device security; criteria for identifying 
and implementing security requirements; access controls for portable 
and mobile devices; and establishing and maintaining robust security 
for wireless local area networks. 

Recommendation: Configuration requirements include security tools; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Check]; 
NIST SP 800-97: [Empty]; 
Area: Configuring wireless client device security tools and the use of 
security tools such as personal firewalls, host-based intrusion 
detection and prevention systems for the protection of wireless 
clients; the use of VPNs as an alternative method of achieving 
confidentiality and integrity protection; and security protocols. 

Recommendation: Configuration requirements address access points; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Empty]; 
NIST SP 800-97: [Empty]; 
Area: Establishing access point configuration and awareness of access 
point security concerns, including signal boundary considerations. 

Recommendation: Configuration requirements include physical protection; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Check]; 
NIST SP 800-97: [Empty]; 
Area: Ensuring physical protection of wireless devices such as usage 
restrictions and implementation guidance for organization-controlled 
portable and mobile devices. 

Recommendation: Monitoring programs include tools to detect signal 
leakage; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Empty]; 
NIST SP 800-97: [Empty]; 
Area: Determining criteria for conducting site surveys and the use of 
appropriate wall-mounted antennas to minimize signal leakage. 

Recommendation: Monitoring programs include tools to ensure 
configuration compliance; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Check]; 
NIST SP 800-97: [Empty]; 
Area: Using wireless intrusion detection and prevention systems to 
determine misconfigured clients and using policy driven software 
solutions to ensure client devices and users comply with defined WLAN 
policies. 

Recommendation: Monitoring programs include tools to ensure access is 
authorized; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Check]; 
NIST SP 800-97: [Check]; 
Area: Using wireless intrusion detection and prevention systems to 
determine whether unauthorized users or devices are attempting to 
access, have already accessed, or have compromised the WLAN; and 
performing regular audits using wireless sniffers and other tools to 
determine whether wireless products are transmitting correctly and on 
the correct channels. 

Recommendation: Monitoring programs include tools to identify 
unauthorized access; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Check]; 
NIST SP 800-97: [Check]; 
Area: Using wireless intrusion detection and prevention systems to 
detect suspicious or unauthorized activity and completing site surveys 
to discover any sources of radio interference. 

Recommendation: Security training; 
NIST SP 800-48: [Check]; 
NIST SP 800-53: [Check]; 
NIST SP 800-97: [Check]; 
Area: Establishing wireless security awareness and training for 
employees and contractors to ensure good security practices and 
prevent inadvertent or malicious intrusions into an organization’s 
information systems. 

Source: GAO analysis of NIST data. 

[End of table] 

Comprehensive Policies, Use of Secure Technologies, Risk-Based 
Approach, Training, and Monitoring Among Leading Practices for 
Deploying and Monitoring Secure Wireless Networks: 

Leading practices for deploying and monitoring secure wireless 
networks include comprehensive policies, configuration controls, 
training, and other practices as described in table 4. Many of these 
practices are consistent with the key information security controls 
required for an effective information security program identified in 
our previous reports and reflect wireless-specific aspects of those 
controls. Furthermore, experts identified several emerging 
technologies, such as broadband wireless, third-party device 
management, and IEEE 802.11n-2009/802.11w-2009, as potentially 
important in securing wireless networks in the future. 

Table 4: Leading Practices for Securing Wireless Networks and 
Technologies: 

Practice category: 1. Policy; 
Practice description: Develop comprehensive security policies that 
govern the implementation and use of wireless networks and mobile 
devices that include the following safeguards: 
* implement secure encryption with enterprise authentication, 
* establish usage restrictions and implementation guidance for 
wireless access, and 
* enforce access controls for connection of mobile devices. 

Practice category: 2. Risk-based approach; 
Practice description: Employ a risk-based approach for wireless 
deployment. 

Practice category: 3. Centralized management; 
Practice description: Employ a centralized wireless management 
structure that is integrated with the existing wired network. 

Practice category: 4. Configuration requirements; 
Practice description: Establish configuration requirements for 
wireless networks and devices in accordance with the developed 
security policies and requirements. 

Practice category: 5. Training; 
Practice description: Incorporate wireless and mobile device security 
component in training. 

Practice category: 6. Remote access; 
Practice description: Use a VPN to facilitate the secure transfer of 
sensitive data during remote access. 

Practice category: 7. Monitoring; 
Practice description: Deploy continuous monitoring procedures for 
detecting rogue access points and clients using a risk-based approach. 

Practice category: 8. Security assessments; 
Practice description: Perform regular security assessments to help 
ensure wireless networks are operating securely. 

Source: GAO. 

[End of table] 

Develop Comprehensive Security Policies that Govern Implementation and 
Use of Wireless Networks and Mobile Devices: 

Comprehensive information security policies that address the security 
of wireless networks and mobile devices can help agencies mitigate 
risks. FISMA recognizes that the development of policies and 
procedures is essential to cost effectively reducing the risks 
associated with IT, including wireless IT, to an acceptable level. In 
addition, experts noted that sound policy is the basis for all 
effective security measures. Policies should cover areas such as roles 
and responsibilities, WLAN infrastructure security, WLAN client device 
security, and security assessments. By establishing policies that 
address these areas, agencies can create a framework for applying 
practices, tools, and training to help support the security of 
wireless networks. 

In addition to these policies, federal guidelines and experts also 
emphasized key safeguards to address wireless security concerns that 
have surfaced since our 2005 report. These practices include 
prohibiting the use of WEP and implementing WPA2 with enterprise 
authentication, establishing usage restrictions and implementation 
guidance for wireless access, and implementing access controls for 
mobile devices that connect to an agency's wireless networks. 

Implement Secure Encryption with Enterprise Authentication: 

Organizations should establish policies requiring procurement of 
wireless products that have been WPA2-Enterprise certified and Federal 
Information Processing Standards (FIPS)-validated.[Footnote 11] NIST 
guidelines state, and experts agree, that only these devices are 
capable of fully implementing the IEEE 802.11i robust security network 
protections, which include enhanced user and message authentication 
mechanisms, cryptographic key management, and robust enciphering and 
data integrity mechanisms. Wireless technologies that rely on older 
wireless security protocols, such as WEP and WPA, can be more easily 
exploited to circumvent or adversely impact access control and 
authentication, confidentiality, integrity, and availability since 
they do not require strong encryption algorithms. 

Establish Usage Restrictions and Implementation Guidance for Wireless 
Access: 

Agencies should establish and enforce usage restrictions and 
implementation guidance for wireless access. According to NIST 
guidelines, security policies should identify which users are 
authorized to connect wirelessly to an organization's networks and the 
types of information allowed to be transmitted across wireless 
networks. In addition, wireless access to information systems should 
only be permitted by using authentication and encryption. 

NIST guidelines also instruct agencies to identify the acceptable 
methods of remote access. Specifically, an agency's policies should 
describe which wireless-enabled devices can connect to the agency's 
networks remotely and the types of external networks permitted. For 
example, policies should specify if users connecting remotely through 
public hot spots to an agency's networks are authorized to use only 
agency-issued mobile devices. 

Enforce Access Controls for Connection of Mobile Devices: 

Both NIST guidelines and experts identified establishing access 
controls for mobile devices, which includes those taken to locations 
the agency deems to be a significant risk, and prohibiting dual 
connection as a key practice for securely deploying and monitoring 
wireless networks. Our previous reports have also emphasized the 
importance of such access controls to limit, prevent, or detect 
inappropriate access to computer resources (data, equipment, and 
facilities), in order to protect them from unauthorized use, 
modification, disclosure, and loss. 

Specifically, NIST guidelines state that agencies need to establish 
and enforce usage restrictions and implementation guidance for agency- 
issued mobile devices taken to locations the agency deems to be a 
significant risk. For example, in accordance with agency policies and 
procedures, agencies may issue specially configured mobile devices to 
individuals before they travel to risky locations, such as certain 
countries. Upon return from travel, agency-defined inspection and 
preventive measures, such as re-imaging a laptop's hard disk drive, can 
be applied to the mobile device. According to 
one expert's account, by developing access control requirements for 
global use of devices (i.e., managing devices that travel 
internationally), organizations can avoid compromises of devices or 
information that have occurred at organizations without these 
practices. 

Another component of establishing access controls for mobile devices 
that NIST and experts identified was restricting the access rights of 
devices (and individuals) to an organization's network. Enforcing 
requirements such as usage restrictions, configuration management, and 
device identification and authentication, and disabling unnecessary 
hardware can prevent incidents of employees inadvertently connecting 
their devices to malicious entities and compromising the 
confidentiality, integrity, and availability of the organization's 
network. 

Employ a Risk-Based Approach for Wireless Deployment: 

Federal guidelines underscore, and experts agree with, the need for a 
risk-based approach for deploying wireless networks and technologies. 
A risk-based approach attempts to ensure that risks to the 
organization are identified and prioritized so that available 
resources can be most effectively used in defending against the most 
significant threats, such as unauthorized access points or devices on 
the network, and to prevent the incurrence of undue risk. 

Federal guidelines and experts also agreed that risks should be 
considered prior to acquisition of wireless technologies in order to 
implement management controls early on, determine which WLAN 
activities pose an acceptable risk, and identify the potential impact 
of the threat to the organization. The Committee on National Security 
Systems,[Footnote 12] in its recently issued Policy on Wireless 
Communications: Protecting National Security Information, recommended 
that agencies consider protecting against the risks that can occur 
during various points of data transmission such as at the point of 
origin, when received, and while stored on wireless media.[Footnote 
10] It is only after considering and then managing such risks that 
organizations can make informed decisions such as whether or not to 
deploy wireless networks and technologies or determine the types of 
devices and extent of their usage throughout the organization. 
Moreover, since risks change over time, as a general practice, it is 
essential to periodically reassess risks and reconsider the 
appropriateness and effectiveness of the policies and controls 
organizations have selected to mitigate those risks. 

Employ a Centralized Wireless Management Structure That Is Integrated 
with the Existing Wired Network: 

Security experts agreed that a centralized wireless management 
structure that is integrated with the management of the existing wired 
network can provide a more effective means to manage the wireless 
infrastructure and the information security program as a whole. A 
centralized structure can provide a coherent, consistent approach to 
managing the entire wireless network. For example, configuration 
changes can be centrally monitored, and with centralized reporting, 
management can have improved visibility and oversight of the 
organization's entire wireless network. Using tools that allow 
centralized management of WLANs can provide a management focal point 
and reduce the number of attack points in the network. 

A centralized structure can also facilitate the development and 
implementation of standardized guidance, which allows organizations to 
consistently apply information security policies. Organizations can 
authorize the use of specific products, coordinate the installation of 
WLANs, and issue other such directives to provide a holistic approach 
for deploying and monitoring wireless activities. Such implementation 
can be centralized at the enterprise or component level, based on the 
business needs of the organization. 

In conjunction with a centralized management structure, experts agreed 
on the importance of integrating wireless management with management of 
the wired network. By extending established information security 
controls, such as intrusion detection systems and monitoring, from the 
wired to the wireless network, an organization is better positioned to 
both understand and defend its overall information security posture. 

Experts agreed that a decentralized wireless management structure can 
result in disparate, ad hoc networks that operate and are managed 
separately. The existence of multiple networks that are independently 
managed can impede effective implementation and monitoring of security 
controls and inhibit sufficient oversight of the wireless network. 

Although centralized wireless management can have many benefits, the 
level of centralization needs to be determined by business need and a 
risk-based approach. Centralization can be performed by agency 
components or departmentwide and should be balanced against the costs 
of centralization. 

Existing federal guidelines recognize the benefits that centralized 
management of network services and information security can provide 
for federal agencies. For example, NIST guidelines state that 
centralized security management is an important consideration for 
managing mobile devices since it facilitates the configuration control 
and management processes that support compliance with an 
organization's security policy. Additionally, we previously reported 
that establishing a central management focal point for information 
security is essential to spotting trends, identifying problem areas, 
and determining whether policies and administrative issues are handled 
in a consistent manner.[Footnote 14] 

Establish Configuration Requirements for Wireless Networks and Devices 
in Accordance with the Developed Security Policies and Requirements: 

Establishing configuration requirements for wireless networks and 
devices can help ensure they are deployed in a secure manner in 
accordance with agency policies. For example, NIST SP 800-48 states 
that agencies should configure their wireless networks in accordance 
with established security policies and requirements. Establishing 
settings or configuration requirements for wireless access points can 
guide their placement and signal strength to minimize signal leakage 
and exposure to attacks. 

In addition to access points, client devices should also be configured 
to enhance the wireless network security posture. According to NIST, 
securing the infrastructure without properly securing the client 
devices renders the entire wireless network insecure. Solutions such 
as enterprise servers can periodically communicate with managed mobile 
devices to ensure security and other configuration settings are 
correct and in compliance with policy. 

Incorporate Wireless and Mobile Device Security Component in Training: 

NIST guidelines and experts stated that training employees and 
contractors in an organization's wireless policies is a fundamental 
part of ensuring that wireless networks are configured, operated, and 
used in a secure and appropriate manner. For security policies to be 
effective, those expected to comply with them must be aware of the 
policies. Additionally, FISMA mandates that agencies provide security 
awareness training for their personnel, including contractors and 
other users of information systems that support the operations and 
assets of the agency. NIST recommends that the security awareness 
training include the risks of wireless security and how to protect 
against those risks. In addition, NIST guidelines and experts agree 
that an agency's security training should include mobile device 
security that addresses (1) maintaining physical control over mobile 
devices, (2) protecting sensitive data on mobile devices with 
encryption, (3) disabling wireless interfaces on mobile devices when 
not needed, and (4) the procedures for reporting lost or stolen mobile 
devices. FISMA also requires agency chief information officers to 
ensure that personnel with significant information security 
responsibilities receive training with respect to their 
responsibilities. 

Use a VPN to Facilitate the Secure Transfer of Data during Remote 
Access: 

A VPN can provide a secure communications mechanism for sensitive data 
transferred across multiple, public networks. For wireless 
technologies, VPNs are useful because they provide a way to secure 
WLANs that may be insecure, such as those at public hot spots, in 
homes, or other locations. According to NIST guidelines, federal 
agencies should consider using VPNs to protect the confidentiality of 
WLAN communications during remote access and telework and should 
configure the VPNs to use FIPS-140-2-validated encryption. Experts 
agreed on the use of VPNs as an integral security measure for an 
increasingly mobile workforce. 

Deploy Continuous Monitoring Procedures for Detecting Rogue Access 
Points and Clients Using a Risk-Based Approach: 

Continuous monitoring is a means for an organization to ensure that 
security controls remain effective despite the planned and unplanned 
changes that can occur to an information system. OMB policy and NIST 
guidelines require agencies to implement a continuous monitoring 
approach for all information systems, including those using wireless 
technologies. According to NIST guidelines, agencies are required to 
monitor for unauthorized wireless access to information systems and 
should base their determination of the scope and frequency of such 
monitoring on an assessment of risk to the agency, the operational 
environment, the agency's requirements, and specific threat 
information. Continuous monitoring allows an organization to defend 
its security posture in a dynamic environment where threats, 
vulnerabilities, and technologies are constantly changing. Experts 
also noted the importance of continuously monitoring the wireless 
network for rogue access points and client devices. Documenting and 
implementing an approach to wireless monitoring that uses a risk-based 
approach helps to ensure that the scope and frequency of monitoring is 
appropriate for the threats facing the agency. As previously 
mentioned, centralized management tools can provide continuous 
monitoring capabilities for improved visibility and oversight of the 
organization's entire wireless network. 

Both experts and NIST guidelines highlighted the importance of using a 
wireless intrusion detection system to continuously monitor an 
agency's wireless networks to detect and respond to malicious 
activities on the network before they inflict damage. These types of 
systems enable an organization's operations or security staff to 
determine whether unauthorized users or devices are attempting to 
access, have already accessed, or have compromised a WLAN. A wireless 
intrusion prevention system builds on the functionality of a wireless 
intrusion detection system by also automatically taking 
countermeasures against these unauthorized users or devices. These 
systems are able to monitor wireless data as it passes from wireless 
to wired networks. They can also detect misconfigured WLAN clients, 
rogue access points, ad hoc networks, and other possible violations of 
an organization's WLAN policy. In addition, these systems can position 
an organization to proactively assess its wireless network at regular 
intervals. However, a wireless intrusion detection or prevention 
system is a significant expense, and it may not be appropriate in all 
cases. For example, an agency may determine that a smaller agency 
location with lower risk systems may not warrant the expense that 
installing a wireless intrusion detection or prevention system may 
entail. 

Other tools exist to detect rogue wireless client devices, such as 
handheld scanners and network authentication mechanisms, but these may 
not be as effective or easy to monitor as an intrusion detection 
system. Consistent with NIST guidelines, an organization should use a 
risk-based business case to determine the appropriate use of 
continuous monitoring solutions. 

Perform Regular Security Assessments to Help Ensure Wireless Networks 
are Operating Securely: 

Experts and NIST guidelines both noted the importance of regular 
security assessments for checking the security posture of wireless 
networks and for determining corrective actions needed to ensure the 
wireless networks remain secure. Regular assessments help to determine 
whether wireless devices are transmitting correctly and are on the 
correct channels. Experts noted the importance of consistently and 
regularly performing security assessments in tandem with continuously 
monitoring the wireless network. In addition, organizations should 
maintain an inventory of access points deployed and their mobile 
devices to help identify rogue devices when conducting assessments. 
Assessments can help organizations to determine whether controls are 
appropriately designed and operating effectively to achieve the 
organization's control objectives. 
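As an added example, not code from the GAO report or from NIST, the audit below compares a constructed site survey (the kind a wireless intrusion detection sensor or handheld scanner produces) against an authorized access point inventory and the WPA2-Enterprise policy described earlier: it flags rogue access points advertising the agency SSID, ad hoc networks, legacy WEP or open configurations, access points on the wrong channel, and inventory entries that no sensor observed. Every BSSID, SSID, and sensor name is constructed sample data.

```python
# Added example (not GAO or NIST code): audit a wireless site survey against
# the authorized AP inventory and WPA2-Enterprise policy; all data is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

APPROVED_SECURITY = {"WPA2-Enterprise"}                        # policy requires
LEGACY_SECURITY = {"Open", "WEP", "WPA-PSK", "WPA-Enterprise"}  # easily exploited

@dataclass(frozen=True)
class AuthorizedAP:
    ssid: str
    channel: int
    security: str

@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    security: str
    mode: str      # "infrastructure" or "adhoc"
    sensor: str    # WIDS sensor or handheld scanner that captured the beacon

@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    bssid: str
    detail: str

def audit_survey(observed: Iterable[ObservedAP],
                 inventory: Dict[str, AuthorizedAP],
                 agency_ssids: Set[str]) -> List[Finding]:
    """Compare every observed BSSID with the inventory and the policy."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for ap in observed:
        seen.add(ap.bssid)
        if ap.mode == "adhoc":
            findings.append(Finding("high", "adhoc-network", ap.bssid,
                f"ad hoc network '{ap.ssid}' seen by {ap.sensor}"))
            continue
        auth = inventory.get(ap.bssid)
        if auth is None:
            if ap.ssid in agency_ssids:
                # An unknown radio advertising the agency's own SSID: rogue AP.
                findings.append(Finding("high", "rogue-ap", ap.bssid,
                    f"unknown BSSID advertising '{ap.ssid}' ({ap.security}) "
                    f"via {ap.sensor}"))
            else:
                findings.append(Finding("low", "unknown-ap", ap.bssid,
                    f"'{ap.ssid}' not in inventory; confirm neighbor vs rogue"))
            continue
        if ap.channel != auth.channel:
            findings.append(Finding("medium", "channel-mismatch", ap.bssid,
                f"on channel {ap.channel}, inventory says {auth.channel}"))
        if ap.security not in APPROVED_SECURITY:
            sev = "high" if ap.security in LEGACY_SECURITY else "medium"
            findings.append(Finding(sev, "weak-security", ap.bssid,
                f"uses {ap.security}; policy requires WPA2-Enterprise"))
    # Inventory entries never seen: offline, moved, or a sensor coverage gap.
    for bssid, auth in inventory.items():
        if bssid not in seen:
            findings.append(Finding("medium", "ap-not-observed", bssid,
                f"authorized AP '{auth.ssid}' ch {auth.channel} not seen"))
    return findings

# Constructed sample inventory: BSSID -> authorized configuration.
SAMPLE_INVENTORY = {
    "00:11:22:33:44:01": AuthorizedAP("AGENCY-SECURE", 1, "WPA2-Enterprise"),
    "00:11:22:33:44:02": AuthorizedAP("AGENCY-SECURE", 6, "WPA2-Enterprise"),
    "00:11:22:33:44:03": AuthorizedAP("AGENCY-SECURE", 11, "WPA2-Enterprise"),
    "00:11:22:33:44:04": AuthorizedAP("AGENCY-SECURE", 1, "WPA2-Enterprise"),
}
SAMPLE_AGENCY_SSIDS = {"AGENCY-SECURE"}

# Constructed survey, as a WIDS sensor or handheld scanner might report it.
SAMPLE_SURVEY = [
    ObservedAP("00:11:22:33:44:01", "AGENCY-SECURE", 1, "WPA2-Enterprise",
               "infrastructure", "bldg-A-1"),  # compliant
    ObservedAP("00:11:22:33:44:02", "AGENCY-SECURE", 11, "WPA2-Enterprise",
               "infrastructure", "bldg-A-2"),  # wrong channel
    ObservedAP("00:11:22:33:44:03", "AGENCY-SECURE", 11, "WEP",
               "infrastructure", "bldg-A-3"),  # misconfigured: legacy WEP
    ObservedAP("aa:bb:cc:dd:ee:01", "AGENCY-SECURE", 6, "Open",
               "infrastructure", "bldg-A-1"),  # rogue using the agency SSID
    ObservedAP("aa:bb:cc:dd:ee:02", "CoffeeShop-Free", 1, "WPA2-PSK",
               "infrastructure", "bldg-A-1"),  # probable neighbor
    ObservedAP("aa:bb:cc:dd:ee:03", "laptop-share", 6, "Open",
               "adhoc", "bldg-A-2"),           # ad hoc network
]

def run_sample() -> List[Finding]:
    return audit_survey(SAMPLE_SURVEY, SAMPLE_INVENTORY, SAMPLE_AGENCY_SSIDS)
```

run_sample() returns seven-item survey results as six findings; feeding real scanner output into audit_survey() with the agency's own inventory works the same way.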

Broadband Wireless, Device Management, and Newer WLAN Technologies Are 
Emerging Wireless Technologies: 

Several current and emerging technologies are important to consider 
for secure deployment of wireless technologies as follows: 

* Long-Term Evolution: Long-Term Evolution is a fourth-generation 
wireless broadband technology that experts stated is expected to 
improve the speed and quality of service and provide scalable 
bandwidth capacity. It is also expected to improve security through 
enhanced encryption to prevent eavesdropping and user identity 
confidentiality to prevent tracking of specific users. One expert 
noted that most of the public safety broadband environments used for 
emergency communications at the state and local levels will adopt Long-
Term Evolution and highlighted the importance of its effective 
implementation by government entities. 

* WiMAX: Another form of broadband wireless technology known as WiMAX 
(Worldwide Interoperability for Microwave Access) is intended for 
wireless metropolitan area networking and is an effort to provide 
seamless mobile access in much the same way as wide-area cellular 
networks with higher transmission speeds. Security advantages of WiMAX 
include mutual device/user authentication, improved traffic 
encryption, and options for securing data within the core network. 

* Third-party device management: The technological capabilities of a 
third-party vendor may provide a means for organizations to establish 
security for mobile devices. According to experts, a vendor that 
specializes in wireless security may be more up-to-date on security 
vulnerabilities and better equipped to assess the security of wireless 
networks than an agency's own staff. Capabilities provided by a vendor 
can include incident management, triggers if a device is taken 
overseas, remote troubleshooting, and usage trends, among others. 

* IEEE 802.11n-2009/802.11w-2009 technologies: Two additions to the 
802.11 family of WLAN technologies, 802.11n-2009 and 802.11w-2009, are 
expected to improve the performance and security of WLANs. The 
technologies specified in 802.11n-2009 increase WLAN speed, improve 
reliability, and extend the range of wireless transmissions. The 
802.11w-2009 encryption standard builds on the 802.11i framework to 
protect against certain types of attacks on WLANs. 

Agencies Have Acted to Secure Wireless Networks, but Additional Steps 
Are Needed to Effectively Mitigate Security Challenges: 

Agencies have taken several steps to address the security of their 
wireless networks; however, these steps have not been fully and 
comprehensively applied across the government. Specifically, 
application was inconsistent among the agencies for most of the 
following leading practices: 

* Most agencies developed policies that reflected NIST guidelines and 
leading practices, but gaps existed in these policies, particularly 
with respect to dual-connected laptops and use of mobile devices on 
international travel. 

* All agencies required a risk-based approach for management of 
wireless technologies. 

* Many agencies used a decentralized structure for management of 
wireless, limiting the potential standardization that centralized 
management can provide, and guidance on centralization is limited. 

* The five agencies where we did detailed testing generally securely 
configured wireless access points, but they had numerous weaknesses in 
laptop and smartphone configurations. Gaps in governmentwide guidance 
on configuration contributed to these weaknesses. 

* Most agencies were missing key elements related to wireless security 
in their security awareness training. 

* Twenty agencies required encryption, and eight of these agencies 
specified that a VPN must be used during remote access; four agencies 
did not require encryption. 

* Many agencies had insufficient practices for monitoring or 
conducting security assessments. Furthermore, federal guidance in this 
area lacks specificity. 

Existing governmentwide guidance and oversight efforts do not fully 
address agency implementation of the leading practices. Until agencies 
fully address these practices, they will not have sufficient assurance 
that the risks to sensitive wireless systems, and sensitive data 
transmitted across or processed by those systems, are adequately 
safeguarded from inadvertent or deliberate misuse, fraudulent use, 
improper disclosure, or destruction. Also, until OMB and DHS ensure 
they have effective means for oversight of federal agencies' efforts 
to secure wireless networks they may lack full visibility of the 
vulnerability of these networks to attack. 

Agencies Have Developed Policies to Support Secure Use of Wireless 
Technologies, but Gaps Exist: 

Almost all agencies required wireless networks to employ encryption, 
but not all agencies required secure forms of encryption. 
Specifically, 23 of 24 agencies specified in their policies that 
agency wireless networks are required to employ encryption. However, 7 
of the 23 agencies did not require secure forms of encryption. 
Specifically, 2 agencies' policies required the use of WEP, an older 
wireless encryption method that is vulnerable to attack; one agency 
required the use of WPA, which is not compliant with federal 
requirements for encryption; and 4 other agencies did not specify any 
type of encryption or require the use of FIPS 140-2 compliant 
encryption. In addition, 1 agency did not have any documented 
requirements for wireless transmissions to be encrypted, even though 
that agency has a wireless network deployed at its headquarters. 

In certain cases, agency policies had been developed several years 
ago. Agencies had also not always updated their policies to reflect 
their implementations of WLANs or federal requirements for wireless 
encryption. Agencies that do not require the use of strong, FIPS- 
validated encryption algorithms on their wireless networks have 
limited assurance that sensitive agency information is being 
adequately protected from unauthorized disclosure or modification. 

Most Agencies Have Established Usage Restrictions and Implementation 
Guidance for Wireless Networks: 

Twenty-three of the 24 agencies provided specific guidance to agency 
personnel on the types of information that may be transmitted using 
wireless networks or on how sensitive information is to be protected 
when transmitted wirelessly. All 24 of the agencies in our review had 
also developed policies establishing usage restrictions and 
implementation guidance for wireless networks, although policies for 3 
agencies were in draft and had not yet been approved. 

Examples of usage restrictions in agency policies included the 
following: 

* requiring that administration of wireless infrastructure devices 
(such as access points) be conducted using the wired network, 

* prohibiting the use of ad hoc wireless networks, and: 

* allowing access to agency wireless networks only via a VPN. 

Agencies' policies frequently contained wireless implementation 
guidance such as the following: 

* physically securing wireless infrastructure devices, 

* adjusting the transmission power of access points to ensure adequate 
coverage while minimizing signal leakage, 

* maintaining audit logs on wireless access points, 

* changing default service set identifiers[Footnote 15] and not using 
identifiers that would identify the agency, 

* enabling media access control[Footnote 16] address filtering, and: 

* segregating wireless network traffic from the wired network using 
firewalls or other methods. 

Agencies Established Policies for Access Controls for Mobile Devices, 
but Several Agencies Did Not Specifically Address Wireless 
Functionality of Laptops, Dual Connection of Laptops, or International 
Travel of Mobile Devices: 

Almost all agencies had established some type of access control policy 
for mobile devices. Specifically, all 24 agencies developed policies 
for PDAs, such as smartphones, although 2 agencies' policies had not 
been finalized. Although 23 of the 24 agencies had developed 
implementation guidance for laptop computers, the policies of 4 of 
these agencies did not specifically address wireless functionality on 
laptops. In addition, 1 of the 24 agencies did not document laptop 
policies at all. 

Fewer agencies had developed access control policies regarding dual 
connection of laptops. NIST guidelines recommend that client devices, 
such as laptop computers, should be configured not to allow the 
simultaneous use of more than one network interface. Although most 
agencies had established policies for wireless-enabled laptops, many 
did not address the risk of dual connections of laptops in their 
policies. As described earlier, the security of an agency network 
could be compromised when a laptop is connected to an external 
wireless network, and to an agency's wired network simultaneously, 
leaving it vulnerable to attack and providing unauthorized access to 
the wired network. Turning off or disabling the wireless capability 
when a laptop is connected to a wired network mitigates this risk. Of 
the 24 agencies in our review, 8 did not have documented policies 
requiring the wireless capability to be turned off or disabled when 
the agency's laptop is connected to a wired network. One agency with a 
decentralized wireless management structure had a high-level overall 
wireless policy, but allowed its components to determine whether to 
augment it with more detailed policies, including policies prohibiting 
multiple network connections. Other agency officials incorrectly 
thought that the dual connection issue was addressed by governmentwide 
guidance such as the Federal Desktop Core Configuration (FDCC). 
[Footnote 17] 
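
The mitigation described in this paragraph, turning the wireless 
capability off whenever the laptop holds a wired connection, can be 
enforced automatically on a managed client. The following is an added 
example written for this report's text; it is not code from GAO, NIST 
or any agency. It assumes a Linux laptop managed by NetworkManager, 
where the command nmcli -t -f DEVICE,TYPE,STATE device prints one 
DEVICE:TYPE:STATE line per interface; the SAMPLE_* snapshots are 
constructed. The same decision logic applies to any platform that can 
report link state and switch the radio, which, as the later finding 
notes, requires additional tooling on Windows. 

```python
"""Dual-connection guard: disable Wi-Fi whenever a wired link is active.

Added example, not from the GAO report or NIST. Assumes a Linux host
managed by NetworkManager with `nmcli` on PATH; the terse device output
format is DEVICE:TYPE:STATE. SAMPLE_* lines below are constructed.
"""
import shutil
import subprocess
from typing import Dict, Iterable, List

WIRED_TYPES = {"ethernet"}
WIRELESS_TYPES = {"wifi"}

# Constructed snapshots of `nmcli -t -f DEVICE,TYPE,STATE device`
SAMPLE_DUAL_CONNECTED = [
    "lo:loopback:unmanaged",
    "eth0:ethernet:connected",
    "wlan0:wifi:connected",
]
SAMPLE_WIRELESS_ONLY = [
    "lo:loopback:unmanaged",
    "eth0:ethernet:unavailable",
    "wlan0:wifi:connected",
]


def parse_nmcli_devices(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse terse nmcli device lines; blank or malformed lines are skipped."""
    devices = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 3 or not parts[0]:
            continue
        devices.append({"device": parts[0], "type": parts[1], "state": parts[2]})
    return devices


def _connected(dev: Dict[str, str]) -> bool:
    # nmcli also reports transitional states such as "connecting (prepare)";
    # only a fully established link counts as a connection here.
    return dev["state"] == "connected"


def is_dual_connected(devices: List[Dict[str, str]]) -> bool:
    """True when a wired and a wireless interface are both connected."""
    wired = any(d["type"] in WIRED_TYPES and _connected(d) for d in devices)
    wireless = any(d["type"] in WIRELESS_TYPES and _connected(d) for d in devices)
    return wired and wireless


def decide_wifi_radio(devices: List[Dict[str, str]]) -> str:
    """Policy decision: 'off' whenever a wired link is up, otherwise 'on'."""
    wired_up = any(d["type"] in WIRED_TYPES and _connected(d) for d in devices)
    return "off" if wired_up else "on"


def enforce() -> str:
    """Query NetworkManager, apply the radio decision, and return it."""
    if shutil.which("nmcli") is None:
        raise RuntimeError("nmcli not found; this guard assumes NetworkManager")
    out = subprocess.run(
        ["nmcli", "-t", "-f", "DEVICE,TYPE,STATE", "device"],
        check=True, capture_output=True, text=True,
    ).stdout
    decision = decide_wifi_radio(parse_nmcli_devices(out.splitlines()))
    subprocess.run(["nmcli", "radio", "wifi", decision], check=True)
    return decision


if __name__ == "__main__":
    print("wifi radio ->", enforce())
```

Installed as a NetworkManager dispatcher script, the guard runs on 
every link change rather than on a timer. It only closes the gap if 
ordinary users cannot switch the radio back on themselves, so the 
NetworkManager authorization policy for enabling Wi-Fi must be 
restricted to administrators as well. 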

Although the baseline FDCC standard disables wireless connectivity, in 
March 2010,[Footnote 18] we reported that many agencies have chosen to 
deviate from the standard and enable wireless functionality on their 
workstations. No other setting or combination of settings within the 
FDCC standard prevents multiple network connections. We also 
previously reported that OMB had not specified any guidance for 
agencies to use when considering the risks of deviating from the FDCC 
standard; OMB has therefore not specified any such guidance for 
agencies regarding permitting the use of wireless technologies. We 
recommended that OMB clarify its policies regarding FDCC deviations to 
include guidance for agencies to use when assessing the risks of 
deviations. Until OMB provides guidance to agencies regarding the 
risks associated with enabling wireless on agency laptops, including 
the risk of dually connected laptops, agencies may not document and 
implement policies prohibiting dual connections, increasing the risk 
that an attacker would be able to gain unauthorized access into an 
agency's network and destroy, modify, or copy sensitive information. 
Further, until agencies fully document and implement policies 
prohibiting dual connections, an increased risk exists that an 
attacker would be able to gain unauthorized access into an agency's 
network and destroy, modify, or copy sensitive information. 

Similarly, many agencies also did not have documented policies 
governing international travel with mobile devices. As noted earlier, 
according to NIST, a leading practice for client and mobile devices is 
to issue specially configured laptops, PDAs, and other mobile devices 
to individuals traveling to locations considered to be high risk and 
to apply preventative measures to devices being returned from such 
locations. However, only 12 of the 24 agencies had documented policies 
for safeguarding PDAs taken internationally, and policies for 4 
agencies were in draft. Policies of 5 agencies required specially 
configured devices to be issued for such travel, although policies of 
10 agencies required preventative measures to be applied to the 
devices after they were returned from travel and before being 
connected to agency networks. In addition, just 9 of the 24 agencies 
had documented policies for laptops taken internationally, including 2 
agencies that had draft policies. Only 4 of the 9 agencies required 
that a specially configured laptop be used for travel, although 8 
agencies required preventative measures to be applied after the 
devices were returned from travel. 

Several agency officials stated that they were aware of the risks 
posed to mobile devices during international travel, but that agencies 
had not yet developed policies to address these risks. NIST issued its 
updated guidelines on this practice in August 2009, and many agencies 
had not yet updated their security policies to reflect the new 
guidelines. By not having documented policies, agencies may be at 
increased risk that sensitive information could be compromised while a 
device is in another country, or that malware obtained during an 
international trip could be inadvertently introduced onto agency 
networks, placing sensitive data and systems at risk. 

All Agencies Required a Risk-Based Approach to Wireless Deployment, 
and Most Required Approval of New Wireless Technologies: 

All of the agencies in our review required in their policies that 
decisions related to management of wireless technologies be based on 
risk. Fifteen agencies had policies that specifically required a risk- 
based approach to wireless management; the remaining 9 agencies had 
policies that, while not specific to wireless, required a risk-based 
approach to all management of IT. 

Twenty-two of the 24 agencies had documented policies specifying that 
new wireless technologies require approval from an appropriate 
official or governing body before they could be implemented, although 
one agency's policy was still in draft. The remaining 2 agencies, 
while not specifying wireless, required all new technologies to be 
approved. 

Many Agencies Did Not Use a Centralized Structure for Wireless 
Management: 

Although a centralized wireless management structure can provide a 
more effective means of managing wireless networks, many agencies 
reported not using a centralized approach. Eleven agencies indicated 
that they did have a centralized wireless management structure, and 3 
indicated using both a centralized and decentralized structure, 
depending on agency component. Ten agencies employed a decentralized 
wireless management structure. As previously mentioned, a 
decentralized wireless management structure can result in disparate, 
ad hoc networks that are independently managed, which can impede 
effective implementation and monitoring of security controls and 
inhibit sufficient oversight of the wireless network. The following 
examples describe 2 agencies that are implementing a centralized 
management approach and identify the benefits and limitations of their 
implementation efforts. 

One agency where we performed detailed testing had deployed a 
centrally monitored and managed wireless intrusion detection system 
that was integrated with the agency's national wired networks and 
operated centrally by its cybersecurity management center. This system 
had several positive aspects such as eliminating the need for trained 
personnel in every location, easy integration with other automated 
tools, and a console that provided a summary view of security events 
and detected devices. Additionally, it provided a central means to 
monitor configurations of wireless devices, discover rogue access 
points, and detect intrusion attempts. However, this system also had 
limitations. According to agency officials, the center did not always 
manage the installation and configurations of wireless devices at the 
facilities being monitored. As a result, the agency could not take 
full advantage of the improved visibility and oversight of the 
agency's entire wireless network that centralized management can offer. 

Another agency was deploying a centrally managed WLAN nationwide to 
hundreds of facilities. According to agency officials, the WLAN would 
provide a platform for numerous systems and devices to be operated in 
a highly mobile environment. The centrally managed WLAN has the 
potential to simplify and provide more control over WLAN management. 
For instance, configuration policies created in templates can be 
forwarded to all controllers connected to the network and then on to 
the wireless access points. It can also provide a graphical display of 
the WLAN and its performance. 

Agencies had decentralized approaches to wireless management for 
several reasons. Several agencies managed IT in a decentralized 
manner, delegating responsibility to agency components based on their 
business needs. Other agencies were just beginning to consider use of 
WLANs, or had only deployed WLANs in a limited manner. Technological 
advances have also made centralized management of wireless more 
feasible than in the past. Furthermore, while existing federal 
guidelines recognize the benefits that centralized management of 
information security can provide for federal agencies, existing NIST 
guidelines on wireless security do not provide detail on the 
appropriate ways agencies can centralize their management of wireless 
technologies based on business need. 

Until agencies effectively implement a centralized wireless management 
structure, they will have limited visibility and control over WLANs 
and a limited ability to integrate wireless management controls with 
the existing wired network to provide continuity and robustness to 
their organization's overall information security program. 

Although Access Points Were Generally Configured Securely, Weaknesses 
Existed in Configurations of Laptops, Firewalls, and Smartphones Used 
for Wireless Access: 

At the five agencies where we conducted detailed testing, the access 
points used to provide WLANs were generally configured in a secure 
manner. However, we identified weaknesses in laptop or firewall 
configurations at these agencies as the following examples illustrate: 

* None of the five agencies had fully implemented controls to prevent 
laptops from connecting to a wireless network while also being 
connected to the agency's internal wired network. As described 
earlier, when a laptop is connected to a wireless network and to an 
agency's wired network simultaneously, an attacker could exploit this 
dual connection to gain unauthorized access to the agency's network, 
placing sensitive information and systems at risk. In certain cases, 
agency officials were unaware that the potential for a dual connection 
existed. In other cases, officials were aware of the risk, but were 
unsure of the appropriate controls that could mitigate this risk, or 
were concerned that these controls might interfere with needed 
functionality of the device. In general, workstations using Microsoft 
Windows require an additional third-party application or other 
specialized configuration to disable wireless connectivity. Although 
NIST guidelines recommend that client devices, such as laptop 
computers, be configured to not allow the simultaneous use of more 
than one network interface, existing NIST guidelines on wireless 
networks do not provide specific technical information on steps that 
agencies should take to implement this control. 

* One of the five agencies had configured a laptop to allow 
nonprivileged users to enable Bluetooth and to connect to other 
personal Bluetooth devices. Furthermore, Bluetooth was configured to 
default to "discovery" mode, making the laptops visible to other 
Bluetooth devices. As a result, an attacker with a Bluetooth device 
within range could connect to the agency's laptop, providing a means 
of unauthorized access to sensitive information on the laptop itself, 
as well as to the agency's network. 

* Two agencies allowed general users to have administrative privileges 
on their laptops, thus reducing the effectiveness of established 
security controls on those machines and increasing the risk that users 
could install unapproved and potentially malicious software, which 
could allow sensitive information to be viewed, modified, or deleted. 

* At one agency, a firewall[Footnote 19] segmented a guest wireless 
network from the agency's internal network. However, the firewall was 
configured to allow all traffic that used Internet protocol version 6 
(IPv6) to flow between the networks without controls. As a result, any 
user--whether malicious or not--connected to the guest wireless 
network using the IPv6 protocol could traverse the guest network 
without any authentication or access controls and could potentially 
gain unauthorized access to the internal network, placing sensitive 
agency information and systems at risk of unauthorized disclosure, 
modification, misuse, or destruction. 
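
The last finding above, a guest-network firewall that filtered IPv4 
but forwarded all IPv6 traffic to the internal network, is the kind of 
gap a configuration audit can catch before an assessment team does. 
The following is an added example written for this report; it is not 
code from GAO or any agency. It assumes a Linux firewall whose IPv6 
rules are exported with ip6tables-save; the interface names guest0, 
lan0 and wan0 are constructed. WEAK_RULES reproduces the weakness the 
finding describes and FIXED_RULES is the hardened counterpart, so the 
audit can be seen to flag the one and pass the other. 

```python
"""Audit ip6tables rules for an unfiltered path from a guest WLAN to the
internal network.

Added example, not from the GAO report or any agency. Assumes rules in
`ip6tables-save` format; interface names and both rule sets are constructed.
"""
import shlex
from typing import Dict, List, Optional

GUEST_IF = "guest0"   # constructed: interface facing the guest WLAN
INTERNAL_IF = "lan0"  # constructed: interface facing the internal network

# Weak: FORWARD defaults to ACCEPT and guest -> internal is explicitly allowed
WEAK_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i guest0 -o lan0 -j ACCEPT
COMMIT
"""

# Fixed: default DROP, replies only via conntrack, guest may reach the WAN only
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i guest0 -o wan0 -j ACCEPT
-A FORWARD -i guest0 -o lan0 -j DROP
COMMIT
"""

# Options that narrow a rule to a protocol, port, address or connection state
RESTRICTING_OPTIONS = {"-p", "--dport", "--sport", "-m", "--ctstate", "--state", "-s", "-d"}


def parse_ip6tables_save(text: str) -> Dict[str, object]:
    """Extract chain default policies and the rules of the FORWARD chain."""
    policies: Dict[str, str] = {}
    forward: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A FORWARD"):
            toks = shlex.split(line)
            rule = {"in": None, "out": None, "target": None, "restricted": False}
            i = 2  # skip "-A FORWARD"
            while i < len(toks):
                tok = toks[i]
                if tok == "-i":
                    rule["in"] = toks[i + 1]
                elif tok == "-o":
                    rule["out"] = toks[i + 1]
                elif tok == "-j":
                    rule["target"] = toks[i + 1]
                elif tok in RESTRICTING_OPTIONS:
                    rule["restricted"] = True
                else:
                    i += 1
                    continue
                i += 2
            forward.append(rule)
    return {"policies": policies, "forward": forward}


def audit(text: str) -> List[str]:
    """Return findings; an empty list means the guest->internal path is filtered.

    An empty rule set (no IPv6 filtering at all) yields a finding, because the
    kernel default for the FORWARD chain is ACCEPT.
    """
    parsed = parse_ip6tables_save(text)
    findings = []
    if parsed["policies"].get("FORWARD", "ACCEPT") != "DROP":
        findings.append("FORWARD default policy is not DROP: unmatched IPv6 is forwarded")
    for r in parsed["forward"]:
        on_path = r["in"] in (None, GUEST_IF) and r["out"] in (None, INTERNAL_IF)
        if on_path and r["target"] == "ACCEPT" and not r["restricted"]:
            findings.append(
                f"unrestricted ACCEPT from {r['in'] or 'any'} to {r['out'] or 'any'} in FORWARD")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(rules) or ["ok"])
```

The audit treats a rule with no interface match as applying to the 
guest-to-internal path, and treats only protocol, port, address and 
connection-state matches as controls, so a bare ACCEPT anywhere on 
that path is reported. 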

Many agencies also did not enforce secure configurations on their 
BlackBerry smartphones. DISA has developed a configuration checklist 
to help its administrators securely configure its BlackBerry 
Enterprise Servers, which are servers that allow agencies to centrally 
control security policy for BlackBerry smartphones. These guidelines 
have also been made available to other organizations, including 
federal agencies, as part of a NIST program providing secure 
configurations for computing devices. Although not mandatory, the 
guidelines provide a starting point for securely configuring 
BlackBerry smartphones. However, 18 of the 24 agencies had server 
configurations that were less secure than the DISA guidelines. For 
example: 

* Fourteen agencies allowed BlackBerry passwords of insufficient 
length. DISA recommends that passwords on BlackBerry smartphones be a 
minimum of eight characters in length. 

* Seven agencies did not require the use of complex passwords. DISA 
recommends that this value be configured to require passwords to 
contain, at a minimum, at least one alphabetic character and one 
numeric character. 

* Eleven agencies did not set a sufficient security timeout period. 
DISA recommends that this value be set to 15 minutes or less. 

* Ten agencies did not configure a setting that prevents applications 
from opening internal and external connections simultaneously, 
exposing the device to malware. 
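
The four checklist items above are simple settings that can be 
verified mechanically across every BlackBerry Enterprise Server an 
agency runs. The following is an added example written for this 
report; it is not code from GAO, DISA or the BlackBerry product. It 
models each server's IT policy as a flat dictionary whose key names 
(PasswordMinLength and so on) are constructed stand-ins for the real 
BES policy rule names, which an agency would map from its own policy 
export; the SAMPLE_SERVERS values are constructed. The thresholds are 
the DISA values quoted above. 

```python
"""Check BlackBerry Enterprise Server IT-policy settings against the DISA
thresholds quoted in the report and summarize the results across servers.

Added example, not from the GAO report, DISA or the BES product. Key names
are constructed stand-ins for real BES IT-policy rule names; SAMPLE_SERVERS
values are constructed.
"""
from typing import Dict, List, Mapping, Tuple, Union

Policy = Mapping[str, Union[int, bool, str]]
Finding = Tuple[str, str]  # (check id, message)

MIN_PASSWORD_LENGTH = 8            # DISA: at least eight characters
MAX_SECURITY_TIMEOUT_MINUTES = 15  # DISA: lock after 15 minutes or less

SAMPLE_SERVERS: Dict[str, Policy] = {
    "bes-hq": {  # conforms to every check
        "PasswordRequired": True,
        "PasswordMinLength": 8,
        "PasswordRequiresAlphaAndNumeric": True,
        "SecurityTimeoutMinutes": 15,
        "AllowSplitConnections": False,
    },
    "bes-region-1": {  # several deviations; values exported as strings
        "PasswordRequired": "true",
        "PasswordMinLength": "4",
        "PasswordRequiresAlphaAndNumeric": "false",
        "SecurityTimeoutMinutes": "60",
        "AllowSplitConnections": "true",
    },
    "bes-region-2": {  # timeout disabled (0) and the complexity key missing
        "PasswordRequired": True,
        "PasswordMinLength": 8,
        "SecurityTimeoutMinutes": 0,
        "AllowSplitConnections": False,
    },
}


def _as_bool(value: Union[int, bool, str]) -> bool:
    """Exports often carry booleans as text; normalize them."""
    if isinstance(value, str):
        return value.strip().lower() in ("true", "1", "yes")
    return bool(value)


def audit_bes_policy(policy: Policy) -> List[Finding]:
    """One finding per check the policy fails; a missing setting fails its check."""
    findings: List[Finding] = []
    if not _as_bool(policy.get("PasswordRequired", False)):
        findings.append(("password_required", "device password not required"))
    length = int(policy.get("PasswordMinLength", 0))
    if length < MIN_PASSWORD_LENGTH:
        findings.append(("password_length",
                         f"minimum password length {length} is below {MIN_PASSWORD_LENGTH}"))
    if not _as_bool(policy.get("PasswordRequiresAlphaAndNumeric", False)):
        findings.append(("password_complexity",
                         "password complexity (alphabetic and numeric) not enforced"))
    timeout = int(policy.get("SecurityTimeoutMinutes", 0))
    if timeout <= 0 or timeout > MAX_SECURITY_TIMEOUT_MINUTES:
        findings.append(("security_timeout",
                         f"security timeout {timeout} min is not within 1-{MAX_SECURITY_TIMEOUT_MINUTES}"))
    if _as_bool(policy.get("AllowSplitConnections", True)):
        findings.append(("split_connections",
                         "simultaneous internal and external connections allowed"))
    return findings


def summarize(servers: Mapping[str, Policy]) -> Dict[str, int]:
    """Count how many servers fail each check, as the report does per agency."""
    counts: Dict[str, int] = {}
    for policy in servers.values():
        for check, _ in audit_bes_policy(policy):
            counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    for name, policy in SAMPLE_SERVERS.items():
        print(name, audit_bes_policy(policy) or "conforms")
    print(summarize(SAMPLE_SERVERS))
```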

Several agency officials stated that the DISA checklist was not 
mandatory for federal agencies; however, no other federal 
configuration standard for BlackBerry smartphones currently exists. 
Due to their portability and capacity to collect and store significant 
amounts of sensitive information, smartphones such as the BlackBerry 
are susceptible to security threats such as loss, theft, unauthorized 
access, malware, electronic eavesdropping, and tracking. Without 
securely configuring their BlackBerry Enterprise Servers, agencies are 
at an increased risk that their BlackBerry smartphones could be 
compromised, resulting in tampered, lost, or stolen data. 

Agencies Have Improved Wireless Security Training Efforts, but 
Training Often Lacked Key Elements: 

Many agencies did include key information on the risks of wireless 
technologies and how to mitigate such risks in their training 
programs. Specifically, 18 agencies provided training on the inherent 
lack of security of wireless technology and gave information on how 
employees and contractors could protect information that is 
transmitted wirelessly. However, 6 agencies did not address wireless 
security in their annual training. 

In addition, although most agencies included information on mobile 
devices in their security awareness training, most agencies did not 
include key elements in accordance with NIST guidelines. Specifically, 
only 2 of the 24 agencies included in their training that users should 
disable the wireless interfaces on their mobile devices when not 
needed. In addition, training at 14 agencies did not address physical 
control over mobile devices; 5 did not describe the procedures for 
reporting lost or stolen mobile devices; and 5 did not include 
information on encrypting sensitive data on mobile devices. Finally, 1 
agency did not address mobile device security in its annual training. 

Awareness about wireless security challenges can assist employees in 
complying with policies and procedures to reduce agency information 
security risks. Without such training, employees and contractors may 
practice behaviors that threaten the safety of the agency's data. 

Agency Policies Did Not Always Require the Use of a VPN or Encryption 
for Remote Access: 

Policies on remote access are important to the security of wireless 
devices because a frequent use of wireless technologies is for access 
to agency networks from remote locations, such as a home or hotel 
WLAN. Twenty of the 24 agencies required remote access sessions to be 
encrypted, and 8 of these agencies specified that a VPN must be used. 
However, 4 of the 24 agencies did not require remote access to be 
encrypted using a VPN or other encryption method. Without having 
policies requiring remote access sessions to employ adequate 
encryption, agencies will not be able to ensure that sensitive 
information is protected from unauthorized access, use, disclosure, or 
modification when users connect to agency information systems remotely. 

Many Agency Policies and Practices for Monitoring 802.11 Networks and 
Conducting Assessments Were Insufficient: 

All 24 agencies in our review reported some form of monitoring for the 
existence of unauthorized or "rogue" wireless networks. Sixteen 
agencies reported that they continuously monitored 24 hours a day at 
one or more agency facilities. However, we found significant 
weaknesses in agency policies for wireless monitoring. Only 18 
agencies required any type of monitoring for unauthorized access 
points in their policies, sometimes as rarely as once per year. In 
addition, two agencies used outdated scanning tools that could miss 
key wireless activities. Six agencies lacked any requirements for 
wireless monitoring. This lack of requirements, combined with the ease 
of setting up wireless networks, creates a situation in which wireless 
networks can be operating in these agencies without authorization or 
the required security configurations. 

At the five agencies where we performed detailed testing, we found 
that the approach that several locations took toward monitoring and 
assessments for 802.11 wireless activity had significant weaknesses. 
Five agency locations did not have routine procedures for performing 
wireless assessments for unauthorized devices and networks. Two of 
these locations had not performed wireless scans in the past 2 years; 
two other agency locations did not document the results of scans. 

One agency where we performed detailed testing had deployed a 
centrally monitored and managed wireless intrusion detection system at 
one of its locations. However, according to agency officials, because 
of the costs of the system, it was not deployed to all locations. At 
the location we visited that did not have the system deployed, there 
was no alternate approach to wireless monitoring, posing the risk of 
undetected wireless access points, intrusions, and loss of sensitive, 
proprietary data. 

Further, while three other agencies also used a wireless intrusion 
detection system at some locations to continuously monitor for 
unauthorized devices and networks, the monitoring at these locations 
was ineffective. Specifically, the systems at each location had not 
been tailored to ignore known false positives. As a result, the 
systems generated large numbers of alerts for rogue access points, 
most of which were false. Local network administrators therefore had 
no way to determine which alerts were actual security events, 
hindering their ability to take advantage of the security aspects of 
the system. 
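
Tailoring a wireless intrusion detection system to ignore known false 
positives means maintaining two lists, the agency's own access points 
and the neighboring access points a site survey has confirmed are 
outside the facility, and judging each alert against both. The 
following is an added example written for this report; it is not code 
from GAO or any WIDS product. The alert export format (one comma- 
separated line per detected access point), every BSSID and SSID, the 
AGENCY- SSID prefix and the signal-strength cutoff are constructed. 

```python
"""Triage wireless IDS rogue-AP alerts against an authorized inventory and a
list of known neighbouring access points.

Added example, not from the GAO report or any WIDS product. The alert
format and all BSSIDs, SSIDs and thresholds are constructed.
"""
import csv
from io import StringIO
from typing import Dict, List, Set

# Constructed inventory of agency access points: BSSID -> SSID it must serve
AUTHORIZED: Dict[str, str] = {
    "00:11:22:aa:bb:01": "AGENCY-STAFF",
    "00:11:22:aa:bb:02": "AGENCY-GUEST",
}
# Constructed: neighbours confirmed by a site survey to be outside the facility
KNOWN_NEIGHBOURS: Set[str] = {"66:77:88:cc:dd:01", "66:77:88:cc:dd:02"}
AGENCY_SSID_PREFIX = "AGENCY-"   # constructed naming convention
STRONG_SIGNAL_DBM = -60          # louder than this is probably on premises

FIELDS = ["time", "bssid", "ssid", "channel", "encryption", "rssi"]

# Constructed WIDS export: time,bssid,ssid,channel,encryption,rssi_dbm
SAMPLE_ALERTS = """\
2010-11-01T09:00:00,00:11:22:aa:bb:01,AGENCY-STAFF,6,WPA2,-42
2010-11-01T09:00:01,66:77:88:cc:dd:01,CoffeeShop,1,OPEN,-78
2010-11-01T09:00:02,66:77:88:cc:dd:02,Neighbour-Corp,11,WPA2,-80
2010-11-01T09:00:03,de:ad:be:ef:00:01,AGENCY-STAFF,6,OPEN,-48
2010-11-01T09:00:04,00:11:22:aa:bb:02,linksys,11,WEP,-45
2010-11-01T09:00:05,aa:bb:cc:dd:ee:ff,HomeRouter,3,WPA2,-85
"""


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Parse the CSV export; BSSIDs are lower-cased and RSSI made numeric."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        if not row["bssid"]:
            continue
        rows.append({**row, "bssid": row["bssid"].lower(), "rssi": int(row["rssi"])})
    return rows


def triage(alerts: List[Dict[str, object]]) -> Dict[str, List[Dict[str, object]]]:
    """Split alerts into authorized, suppressed (known neighbour) and investigate.

    Alerts to investigate carry a reason and a priority and are ordered with
    the strongest signal first, so a local administrator sees the devices most
    likely to be inside the building at the top.
    """
    result: Dict[str, List[Dict[str, object]]] = {
        "authorized": [], "suppressed": [], "investigate": []}
    for a in alerts:
        expected = AUTHORIZED.get(a["bssid"])
        if expected is not None:
            if a["ssid"] == expected:
                result["authorized"].append(a)
                continue
            # Our own hardware advertising the wrong SSID: misconfiguration or spoof
            a["reason"] = "authorized BSSID serving unexpected SSID"
            a["priority"] = "high"
        elif a["bssid"] in KNOWN_NEIGHBOURS:
            result["suppressed"].append(a)
            continue
        else:
            reasons = []
            if str(a["ssid"]).upper().startswith(AGENCY_SSID_PREFIX):
                reasons.append("impersonates agency SSID")
            if a["rssi"] >= STRONG_SIGNAL_DBM:
                reasons.append("strong signal, probably inside the facility")
            a["reason"] = "; ".join(reasons) or "unknown device with weak signal"
            a["priority"] = "high" if reasons else "low"
        result["investigate"].append(a)
    result["investigate"].sort(key=lambda x: x["rssi"], reverse=True)
    return result


def run_sample() -> Dict[str, List[Dict[str, object]]]:
    return triage(parse_alerts(SAMPLE_ALERTS))


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(bucket, [(i["bssid"], i["ssid"], i.get("reason")) for i in items])
```

The neighbour list is the part that needs upkeep: entries should be 
re-confirmed periodically, since a BSSID that was a neighbour last 
year may not be one today. 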

Although NIST guidelines recommend that agencies use wireless 
monitoring, they do not specify criteria for selecting tools to ensure 
they provide comprehensive monitoring capabilities, nor do they 
suggest appropriate frequencies for recurring assessments or 
recommendations for when continuous monitoring may be appropriate. 

Regular monitoring and security assessments are key practices for 
ensuring the security of wireless networks and devices. Even at 
agencies that have no wireless networks deployed, wireless-enabled 
devices that are deployed on the network, such as laptop computers, 
can provide a potential means for an attacker to gain unauthorized 
access to the network, putting critical agency systems and information 
at risk of unauthorized modification, misuse, disclosure, or 
destruction. Until regular monitoring and assessment policies and 
practices are implemented, these networks are at increased 
vulnerability to attack. 

Existing Governmentwide Reporting and Oversight Efforts Do Not Fully 
Address Key Wireless Security Practices: 

The annual FISMA reporting process administered by OMB (and recently 
devolved from OMB to DHS by an OMB memorandum), which serves as a 
means of oversight of federal agency information security, does not 
fully address implementation of leading practices in wireless 
security. As of October 2010, the fiscal year 2010 draft reporting 
metrics do contain measures related to automated configuration 
management, vulnerability management, and incident management. 
However, they do not include specific metrics related to wireless 
security issues identified in this report, such as measures to address 
the risk of dual-connected laptops, policies related to international 
travel with mobile devices, the extent to which agencies have 
centralized their management of wireless devices, and agency practices 
for monitoring and assessment of wireless networks. 

Furthermore, although the DHS official responsible for the agency's 
newly assigned governmentwide FISMA compliance activities stated that 
the agency plans additional activities that may address aspects of 
wireless security governmentwide, the scope and time frames for these 
activities have not yet been finalized. 

Until OMB and DHS ensure they have effective means for oversight of 
federal agencies' efforts to secure wireless networks, they lack full 
visibility of the vulnerability of these networks to attack. 

Conclusions: 

Federal agencies are making significant use of wireless networks and 
devices, including WLANs, laptop computers, and smartphones. Several 
leading practices exist to secure these technologies, including 
developing comprehensive policies, employing a centralized approach to 
management, establishing secure network and device configurations, and 
having effective training and monitoring in place. 

Agencies have taken several steps to address the security of their 
wireless networks and devices, including development of security 
policies, centralized management, training, and monitoring; however, 
these steps have not been fully and comprehensively applied across the 
government. Gaps exist in policies, network management was not always 
centralized, and numerous weaknesses existed in configurations of 
laptops and smartphones. Particular issues are the risk of dual- 
connected laptops and risks related to mobile devices being taken on 
international travel. In addition, many agencies had insufficient 
policies and practices for monitoring or conducting assessments of 
wireless technologies. Until OMB, DHS, NIST, and individual agencies 
take steps to fully implement leading security practices, federal 
wireless networks will remain at increased vulnerability to attack, 
and information on these networks is subject to unauthorized access, 
use, disclosure, or modification. 

Recommendations for Executive Action: 

To improve governmentwide oversight of wireless security practices, we 
recommend that the Director of OMB, in consultation with the Secretary 
of Homeland Security, implement the following two recommendations: 

* include metrics related to wireless security as part of the FISMA 
reporting process, and: 

* develop the scope and specific time frames for additional activities 
that address wireless security as part of their reviews of agency 
cybersecurity programs. 

We also recommend that the Secretary of Commerce instruct the Director 
of NIST to develop and issue guidelines in the following four areas: 

* technical steps agencies can take to mitigate the risk of dual 
connected laptops, 

* governmentwide secure configurations for wireless functionality on 
laptops and for smartphones such as BlackBerries, 

* appropriate ways agencies can centralize their management of 
wireless technologies based on business need, and: 

* criteria for selection of tools and recommendations on appropriate 
frequencies of wireless security assessments and recommendations for 
when continuous monitoring of wireless networks may be appropriate. 

In addition, in a separate report with limited distribution, we are 
making 134 recommendations to 24 major federal agencies to address 
weaknesses in wireless-related information security controls, 
including policies, procedures, and technical configurations. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to the Director of OMB and the 
Secretary of Commerce for their review and comment. However, OMB did 
not provide comments on the report. 

In written comments on a draft of this report, the Secretary of 
Commerce stated that the department concurred with our recommendations 
that NIST develop additional guidance related to wireless security. 
The Secretary also suggested that we use the term "NIST guidelines" 
rather than "NIST guidance" throughout the report, in addition to 
other technical comments. We have incorporated these comments in the 
report where appropriate. 

We are sending copies of this report to the appropriate congressional 
committees, the Director of OMB, the Secretary of DHS, the Secretary 
of Commerce, and other interested congressional parties. The report 
also is available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staff members have any questions about this report, 
please contact Gregory Wilshusen at (202) 512-6244 or Dr. Nabajyoti 
Barkakati at (202) 512-4499, or by e-mail at wilshuseng@gao.gov and 
barkakatin@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix III. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

Signed by: 

Dr. Nabajyoti Barkakati: 
Chief Technologist: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to (1) identify leading practices 
and state-of-the-art technologies for deploying and monitoring secure 
wireless networks and (2) assess agency efforts to secure wireless 
networks, including vulnerability to attack. The scope of our review 
included the 24 major federal agencies covered by the Chief Financial 
Officers Act.[Footnote 20] 

To identify leading practices for deploying and monitoring secure 
wireless networks, we first identified subject matter experts, 
including leading organizations and individuals, by reviewing 
information security-related Web sites and professional literature. In 
addition, we identified organizations that received recognition based 
on an industry magazine's rankings for top wireless or other 
information security-related products. We also solicited suggestions 
on subject matter experts from individuals working in the field of 
wireless security at major information technology (IT) and 
telecommunications companies and federal government agencies, such as 
the National Institute of Standards and Technology (NIST), National 
Security Agency, and Committee on National Security Systems, because 
they were in a position to evaluate and compare wireless security 
practices at numerous organizations. We contacted approximately 10 
organizations and individuals that met the above criteria; 8, 
including 5 organizations and 3 individuals, agreed to be 
interviewed and provide input on the practices we identified. The 
organizations were prominent and nationally known, and the individuals 
were recognized as experts in the information security community. The 
participants included a wireless services provider, a global 
technology products and services provider, a global telecommunications 
provider, a nonprofit industry organization, a standards laboratory, a 
government information security consortium, a defense agency, and a 
wireless security consultant. 

Then, to determine the specific leading practices, we obtained 
information, primarily through analysis of publications, guidance, 
checklists, presentations, and other documentation, and interviews 
with subject matter experts. We supplemented the information gathered 
with information obtained from our professional literature review. We 
then analyzed the information obtained to identify common wireless 
security leading practices and validated the practices we identified 
with the subject matter experts. 

To assess agency efforts to secure wireless networks, we obtained and 
analyzed documents such as departmental and component policies, plans, 
configuration documents, and training materials to determine the 
extent of wireless technologies used and the security controls 
implemented at each of the 24 major federal agencies. We also obtained 
information through structured interviews with officials responsible 
for wireless security policies and practices for each of the 24 
agencies. For each of these agencies, we used a laptop equipped with 
an antenna that served as a mobile scanning device and walked or drove 
around the perimeters of publicly accessible areas of their 
headquarters facilities in the Washington, D.C., area to collect data 
to determine wireless technologies that were deployed in the 
buildings. We also conducted scans of multiple agency facilities in 
another major metropolitan area outside of the Washington, D.C., 
region. This area was chosen based on the following criteria: 

* contained regional offices for the multiple major federal agencies 
in locations that were sufficiently dispersed to not have too many 
802.11 signals within a narrow proximity; and: 

* had several regional offices with additional field offices nearby. 

Based on the initial data collected from scans at the headquarters and 
field locations, we chose 5 of the 24 agencies at which to complete 
additional detailed wireless security testing, specifically, the 
Departments of Agriculture, Commerce, Transportation, and Veterans 
Affairs, and the Social Security Administration. These agencies were 
selected based on several criteria, including the amount of usage of 
wireless technologies, the level of centralization of IT management, 
and potential security issues revealed by the initial scan results. 
More in-depth testing at these agencies included a review of the 
configurations of client devices, wireless infrastructure, and 
monitoring practices. We inspected client devices to determine if 
security controls had been implemented to protect the local network. 
We also examined each agency's network infrastructure to determine if 
access points were encrypted and configured to deny unauthorized 
access. Finally, we determined if the agencies monitored the IEEE 
802.11 wireless spectrum. 

We conducted this performance audit from January 2010 to November 
2010, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: Comments from the Department of Commerce: 

The Secretary Of Commerce: 
Washington, D.C. 20230: 

November 1, 2010: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on the draft report from the 
U.S. Government Accountability Office (GAO) entitled "Information 
Security: Federal Agencies Have Taken Steps to Secure Wireless 
Networks, but Further Actions Can Mitigate Risks (GAO-11-43)." 

We concur with the report's recommendations that the Department of 
Commerce should instruct the Director of the National Institute of 
Standards and Technology (NIST) to develop and issue guidance: 

* On technical steps agencies can take to mitigate the risk of dual 
connected laptops. 

* On government-wide secure configurations for wireless functionality 
on laptops and for BlackBerry smartphones. 

* On appropriate ways agencies can centralize their management of 
wireless technologies based on business need. 

* On criteria for selection of tools and recommendations on 
appropriate frequencies of wireless security assessments and 
recommendations for when continuous monitoring of wireless networks 
may be appropriate. 

We also feel that the draft report does an outstanding job at 
highlighting NIST's leadership in this effort. The Department of 
Commerce would like to offer the following comments: 

1. Inconsistent use of "NIST guidance" and "NIST guidelines." We 
recommend using "NIST guidelines" throughout the report. 

2. Page 20, last paragraph. GAO refers to the Office of Management and 
Budget's annual Federal Information Security Management Act (FISMA) 
reporting requirements (OMB M-10-15, FAQ #11) which state that 
agencies must follow NIST standards and guidelines for non-national 
security programs and information systems. While this is accurate, we 
recommend also including OMB M-10-15 FAQ #12, which will help to put 
this general statement in full context. OMB FISMA FAQ #12 states, 
"While agencies are required to follow NIST standards and guidelines 
in accordance with OMB policy, there is flexibility within NIST's 
guidelines (specifically in the 800-series) in how agencies 
apply them. However, Federal Information Processing Standards (FIPS) 
are mandatory. Unless specified by additional implementing policy by 
OMB, NIST guidelines generally allow agencies latitude in their 
application. Consequently, the application of NIST guidelines by 
agencies can result in different security solutions that are equally 
acceptable and compliant with the guidelines." 

3. Page 23, footnote 11, last sentence. "... using NIST-certified 
cryptographic modules as specified in FIPS 140-2." We recommend 
changing "NIST-certified" to "NIST-validated" as this is consistent 
with FIPS 140-2 and the Cryptographic Module Validation Program. 

4. Page 30, 2nd paragraph, last sentence. "Consistent with NIST 
policy, an organization should ..." We recommend changing "NIST 
policy" to "NIST guidelines" as NISI does not issue policy. 

We welcome further communications with GAO regarding its conclusions 
and look forward to receiving your final report. Please contact Rachel 
Kinney at (301) 957-8707 if you have any questions regarding this 
response. 

Sincerely, 

Signed by: 

Gary Locke: 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gregory C. Wilshusen, (202) 512-6244, or wilshuseng@gao.gov: 
Dr. Nabajyoti Barkakati, (202) 512-4499, or barkakatin@gao.gov: 

Staff Acknowledgments: 

In addition to the individuals named above, Lon Chin and Vijay D'Souza 
(Assistant Directors), Monica Anatalio, Mark Canter, William Cook, 
Neil Doherty, Rebecca Eyler, Nancy Glover, Matthew Grote, Min Hyun, 
Javier Irizarry, Franklin Jackson, Vernetta Marquis, Sean Mays, Lee 
McCracken, and Michael Stevens made key contributions to this report. 

[End of section] 

Footnotes: 

[1] GAO, Information Security: Federal Agencies Need to Improve 
Controls over Wireless Networks, [hyperlink, 
http://www.gao.gov/products/GAO-05-383] (Washington, D.C.: May 17, 
2005). 

[2] H.R. Conf. Rep. No. 111-366, at 914 (2009). We briefed the 
committees on the preliminary results of our review on April 13, 2010. 

[3] The 24 major federal agencies are the Agency for International 
Development; the Departments of Agriculture, Commerce, Defense, 
Education, Energy, Health and Human Services, Homeland Security, 
Housing and Urban Development, the Interior, Justice, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the Environmental 
Protection Agency; the General Services Administration; the National 
Aeronautics and Space Administration; the National Science Foundation; 
the Nuclear Regulatory Commission; the Office of Personnel Management; 
the Small Business Administration; and the Social Security 
Administration. 

[4] IEEE is a professional association focused on electrical and 
computer sciences, engineering, and related disciplines. IEEE is 
responsible for developing technical standards through the IEEE 
Standards Association, which follows consensus-based standards 
development processes. 

[5] The Wi-Fi Alliance is a nonprofit international association that 
has the goal of certifying the interoperability of WLAN products based 
on IEEE 802.11 specifications. 

[6] The Bluetooth Special Interest Group is a not-for-profit trade 
association developed to serve as the governing body for Bluetooth 
specifications. 

[7] A VPN is a private network that is maintained across a shared or 
public network, such as the Internet, by means of specialized security 
procedures. VPNs are intended to provide secure connections between 
remote clients, such as branch offices or traveling personnel and a 
central office. 

[8] 44 U.S.C. § 3544(b). 

[9] OMB, Clarifying Cybersecurity Responsibilities and Activities of 
the Executive Office of the President and the Department of Homeland 
Security (Washington, D.C: July 6, 2010). 

[10] [hyperlink, http://www.gao.gov/products/GAO-05-383]. 

[11] See NIST, Security Requirements for Cryptographic Modules, FIPS 
140-2 (Gaithersburg, MD: May 25, 2001). FIPS 140-2 specifies the 
security requirements for a cryptographic module used within a 
security system protecting sensitive information in computer and 
telecommunication systems (including voice systems) and provides four 
increasing, qualitative levels of security intended to cover a wide 
range of potential applications and environments. Agencies are 
required to encrypt agency data, where appropriate, using NIST-
validated cryptographic modules as specified in FIPS 140-2. 

[12] The Committee on National Security Systems consists of 21 members 
from federal agencies and is charged with establishing national policy 
and promulgating direction, operational procedures, and guidance for 
the security of national security systems. 

[13] Committee on National Security Systems, Policy on Wireless 
Communications: Protecting National Security Information, CNSSP No.17 
(Ft. Meade, MD: May 2010). 

[14] See, for example, GAO, Executive Guide: Information Security 
Management, Learning From Leading Organizations, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-98-68] (Washington, D.C.: May 
1998). 

[15] A service set identifier is a name assigned to a wireless network 
that allows wireless clients to distinguish one wireless network from 
another. 

[16] The media access control address is a unique identifier assigned 
to network adapters usually by the manufacturer for identification. 
Although intended to be a permanent and unique identification, it is 
possible to change the media access control address on most hardware. 

[17] The FDCC was an initiative launched by OMB to require federal 
agencies to implement common security configurations on Microsoft 
Windows XP and Vista operating systems. The initiative has evolved 
into the United States Government Configuration Baseline, run by NIST. 

[18] GAO, Information Security: Agencies Need to Implement Federal 
Desktop Core Configuration Requirements, [hyperlink, 
http://www.gao.gov/products/GAO-10-202] (Washington, D.C.: Mar. 12, 
2010). 

[19] A firewall is a hardware or software component that protects 
given computers or networks from attacks by blocking network traffic 
or by allowing only authorized protocols and services to cross the 
boundary between networks. 

[20] The 24 major federal agencies are the Agency for International 
Development; the Departments of Agriculture, Commerce, Defense, 
Education, Energy, Health and Human Services, Homeland Security, 
Housing and Urban Development, the Interior, Justice, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the Environmental 
Protection Agency; the General Services Administration; the National 
Aeronautics and Space Administration; the National Science Foundation; 
the Nuclear Regulatory Commission; the Office of Personnel Management; 
the Small Business Administration; and the Social Security 
Administration. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: