GAO finds security plan lacking

Officials say federal agencies aren't equipped to protect critical U.S. infrastructure as called for by the National Plan for Information Systems Protection

Federal agencies do not have the experience, tools or legislative backing to secure their systems to the degree required by the administration's new National Plan for Information Systems Protection, according to the General Accounting Office.

The plan is "an important and positive step forward toward building the cyberdefense necessary to protect critical information assets and infrastructures," said Jack Brock, director of governmentwide and defense information systems at GAO's accounting and information management division. But there are several ways the Critical Infrastructure Assurance Office could improve it, he said this week in written testimony to the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information.

The plan calls for federal agencies to be the country's models for information security practices, but GAO audits have found that 22 of the largest agencies have significant computer security weaknesses. The plan touches on solutions to a few of the key problems, but changes will not happen quickly, Brock said.

Another major problem that Congress will have to help fix is the reliance on the outdated Computer Security Act, Brock said. The act, passed into law in 1987, was not designed to handle networked environments with multiple levels of security and vulnerabilities.

The House and Senate are both working on bills to enhance IT security legislation, including the Computer Security Enhancement Act (H.R. 2413) and the Government Information Security Act (S. 1993).

"Such efforts could play an integral role in further strengthening the plan," Brock said.