Agencies riddled with security holes, GAO says

The Government Accountability Office says agencies' information security policies aren't good enough and OMB needs to improve its guidance under FISMA.

A continued lack of sufficient information security controls at major federal agencies puts sensitive data at risk, the Government Accountability Office said today. GAO also said the process agencies use to report progress on information security needs to be improved.

In a report released today, GAO said agencies have persistent weaknesses in the controls they place on information systems and insufficient information security policies. The GAO's auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems.

“These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

GAO said that according to its previous findings and those from agency inspectors general, agencies have persistent weaknesses in the access controls and configuration management controls they use to protect data. In addition, problems also existed with their segregation of duties, continuity of operations planning and agencywide information security programs. GAO said almost all 24 major federal agencies had weaknesses in information security controls.

Meanwhile, the auditors said the current FISMA reporting process doesn’t produce data that accurately gauges the effectiveness of agencies' information security activities. In addition, GAO said OMB's annual reporting instructions to agencies for FISMA reports weren’t always clear and OMB didn’t put key information about problems identified by the IGs in its report to Congress. GAO also said OMB didn’t approve or disapprove agency information security programs.

To correct the problems, the auditors recommended that OMB:

  • Update annual reporting instructions to request inspectors general to report on the effectiveness of agencies’ processes for developing inventories, keeping track of contractor operations, and providing specialized security training.
  • Clarify and improve reporting instructions to inspectors general for certification and accreditation evaluations.
  • Include in the report to Congress a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices.
  • Approve or disapprove agency information security programs after review.

Vivek Kundra, the federal chief information officer, said in response to the report that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.

Kundra also responded that each year OMB reviews all FISMA reports from agencies and IGs and uses that information to evaluate agencies' security management programs.