GAO: Common desktop configuration holds promise for better security

Agencies said to be slow in adopting measures to improve security.

Agencies have not adopted — or are only slowly implementing — numerous recommendations and actions that could significantly improve the federal security posture, the Government Accountability Office has said.


GAO also reported that agencies did make incremental but steady progress in improving information security in 2007.


Persistent weaknesses in agency information security controls still threaten the confidentiality, integrity and availability of federal information and the systems on which the data runs, said Gregory Wilshusen, director of GAO’s information technology issues. The latest report to Congress on agencies’ compliance with the Federal Information Security Management Act also showed a jump in reported security incidents. 

GAO audits continue to identify similar conditions in financial and nonfinancial systems, including agencywide weaknesses as well as weaknesses in critical federal systems. For example, 20 of 24 major agencies indicated that inadequate information security controls were a significant deficiency or a material weakness for financial statement reporting, he said.

In addition to acting on past recommendations, agencies should take advantage of more robust security control testing, information security performance metrics and independent evaluations, Wilshusen said. He also urged agencies to implement user identification and authentication, authorization, boundary protections, encryption, and audit and monitoring.

“Until such opportunities are seized and fully exploited and the hundreds of GAO and [inspector general] recommendations to mitigate information security control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain at undue and unnecessary risk,” Wilshusen said March 12 at a hearing of the Senate Homeland Security and Governmental Affairs Committee’s Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.

Agencies' most persistent weaknesses are in access controls, configuration management controls, segregation of duties, continuity-of-operations planning and agencywide information security programs, Wilshusen said. Agencies may not be fully aware of the security control weaknesses in their systems, leaving them vulnerable to attack or compromise.

Agencies in 2007 hit a milestone by certifying and accrediting more than 90 percent of all 10,304 federal systems, said Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology. The C&A process assesses information technology systems for security controls. Some critics of FISMA have said the process has become more paper checklist than a way to evaluate risk and needs to be updated.

Evans cautioned against major changes, saying clarification might be more effective. Instead, those in oversight should keep monitoring what agencies are doing and whether they are implementing solutions.

Evans testified that if agencies perform the work only to comply with OMB, those are just paper exercises. But many agencies use the guidance and conduct FISMA procedures to discover and manage risk to serve the mission, she said.

“You need to use FISMA as an indicator,” Evans said. “We pick certification and accreditation because we think it measures a life cycle for assessing risk.” Agency executives then sign off on the process, accepting the risk.

Agencies improved the quality of the C&A process in 2007, with 76 percent of agency inspectors general rating quality as satisfactory or better, and the number of agencies with the lowest rating decreased to four from nine, Evans said. “The goal is to be able to analyze this information and then fix the systemic problems.”

One agency that has excelled in information security is the U.S. Agency for International Development. Philip Heneghan, USAID chief information security officer, told lawmakers that senior executive buy-in, extensive training and having business owners lead certification and accreditation of systems helped the agency achieve a high grade. The agency also has a centralized IT environment. USAID engages its executives, managers and systems administrators.

For each system and network, USAID has identified an executive who owns it, has responsibility for it and is in the best position to make risk-based decisions regarding the system’s security controls, he said.

USAID also relies on technologies that automate the collection and reporting of security information and metrics in a risk-based approach. A vulnerability management program continually scans the systems on its network to measure their security posture. USAID is one of six pilot agencies for the Einstein program to reduce the number of external Internet connections, the basis of OMB’s governmentwide Trusted Internet Connections program.

OMB has directed agencies to strengthen federal information systems. Many security problems stem from configuration or patch management issues. One of OMB’s requirements is the Federal Desktop Core Configuration, under which agencies that have Microsoft Windows XP and plan to upgrade to Windows Vista operating systems will adopt security configurations developed by the National Institute of Standards and Technology and the Defense and Homeland Security departments.

“FDCC holds a lot of promise. It [gives] the ability to secure a system right out of the box,” Wilshusen said.

During the final year of the administration, Evans said she will focus on:

  • Achieving 100 percent of systems certified and accredited.
  • Identifying and providing oversight of contractor systems.
  • Reducing or eliminating systems that are uncategorized by risk impact level.
  • Improving agencies' identification and reporting of security incidents.
  • Increasing general and job-specific security training for federal employees and contractors.