Information Security: Persistent Weaknesses Highlight Need for Further Improvement

For many years, GAO has reported that weaknesses in information security are a widespread problem with potentially devastating consequences--such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the information security program, evaluation, and reporting requirements for federal agencies. FISMA also defines responsibilities for ensuring centralized compilation and analysis of incidents that threaten information security and providing timely technical assistance in handling security incidents. In this testimony, GAO discusses the continued weaknesses in information security controls at 24 major federal agencies, the reporting and analysis of security incidents, and efforts by the Department of Homeland Security (DHS) to develop a cyber threat analysis and warning capability. GAO based its testimony on its previous work in this area as well as agency and congressional reports.