Agencies lack infosec resources

OMB GISRA report

Federal agencies have the tools necessary to find and fix information security weaknesses but are struggling to find the appropriate resources and personnel to follow through, the General Accounting Office said April 16.

GAO's further assessment of agencies' security capabilities came in a letter to the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee, in response to questions raised at a March 6 hearing held by Rep. Stephen Horn (R-Calif.), the subcommittee chairman. The hearing focused on the first reports issued under the Government Information Security Reform Act, which requires agencies to perform annual independent and self-assessments of their security practices.

"In past years, most reviews of information security controls were performed as part of agency financial statement audits and, thus, focused on financial systems," Robert Dacey, GAO's director for information security issues, wrote in the letter. "It is the extent of the weaknesses for [the] nonfinancial systems that are still not fully identified."

Agencies' inspectors general have GAO's Federal Information System Controls Audit Manual. However, performing these audits and assessments on all systems "will place a significant new burden on the existing audit capabilities of agency inspectors general and will require that they have appropriate resources to either perform or contract for the needed work," Dacey wrote.

Two significant barriers to agencies improving their security are obtaining appropriate security funding and finding personnel with the necessary technical expertise to select, implement and maintain security controls, Dacey wrote.