GAO Dissects 2 Key Infosec Initiatives

Senator Describes Findings on FDCC, TIC "Most Disturbing"
The federal government could be doing a better job of implementing two key information security initiatives, the Federal Desktop Core Configuration and Trusted Internet Connection, the Government Accountability Office suggested in two reports issued Monday.

FDCC is aimed at improving IT security and cutting its costs by providing a baseline level of security through the implementation of a set of standard configuration settings on government-owned desktop and laptop computers. TIC is an initiative to reduce the number of gateways between federal networks and the Internet from several thousand to fewer than 100, which would make monitoring digital traffic for malicious activity simpler.

"While agencies have taken actions to implement these requirements, none of the agencies has fully implemented all configuration settings on their applicable workstations," Gregory Wilshusen, GAO director of information security issues, wrote in the report on FDCC. "Until agencies ensure that they are meeting these FDCC requirements, the effectiveness of the initiative will be limited."

Similarly, Wilshusen wrote in the TIC findings: "Although most agencies reported that they have made progress toward reducing their external connections and implementing critical security capabilities, most agencies have also experienced delays in their implementation efforts."

The reports were prepared for the Senate Committee on Homeland Security and Governmental Affairs, and its leaders weren't pleased with what they read.

"The security of federal IT systems is an ever-growing problem that must be confronted aggressively and with all available means," Committee Chairman Joseph Lieberman, ID-Conn., said in a statement. "Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security."

Lieberman said the committee is drafting legislation to address these concerns.

The ranking Republican on the panel, Susan Collins of Maine, said in the statement that she found the GAO's findings "most disturbing. ... These GAO findings show that our government's current system of weak authorities and diffuse responsibility is simply not sufficient to secure our critical cyber networks. We must elevate the focus on cybersecurity within the federal government and across our nation's critical cyber infrastructure. Only a strong leader with significant new authorities can be held accountable for the security of these digital assets."

In the FDCC report, GAO said most plans submitted to the Office of Management and Budget failed to address all key implementation activities; none of the agencies implemented all of the prescribed configuration settings on all applicable workstations, though several implemented agency-defined subsets of the settings. The audit revealed that several agencies did not fully document their deviations from the settings or establish a process for approving them.

FDCC has the potential to increase agencies' information security by requiring stricter security settings on workstations than those that may have been previously in place and standardizing agencies' management of workstations, making it easier to manage changes such as applying updates or patches.

GAO recognizes implementing FDCC isn't easy. Agencies face several continuing challenges to fully comply with FDCC requirements, including retrofitting applications and systems in their existing conditions to conform with the settings, assessing the risks associated with deviations and monitoring workstations to ensure that the settings are applied and functioning properly. "As OMB moves forward with the initiative, understanding the lessons learned as well as the ongoing challenges agencies face will be essential in order to ensure the initiative is successful in ensuring public confidence in the confidentiality, integrity and availability of government information," Wilshusen said.

GAO recommended that OMB issue guidance on assessing the risks of deviations and monitoring compliance with FDCC. The congressional auditor also advised that 22 agencies take steps to fully implement FDCC requirements. GAO said the agencies generally concurred with its recommendations.

(More on GAO's TIC findings after the chart.)

As of last September, GAO reported, none of the 23 agencies it audited had met all of the requirements of the TIC initiative. Although most agencies reported that they have made progress toward reducing their external connections and implementing critical security capabilities, most agencies have also experienced delays in their implementation efforts. And, these agencies have not demonstrated that they have fully implemented the required security capabilities. For example, Wilshusen said, the 16 agencies that chose to become access providers reported that they had reduced their number of external connections from 3,286 to approximately 1,753. Agencies have the option to become their own access providers or contract that service to another agency or provider.

In an interview with GovInfoSecurity.com in February, Matt Coose, director of federal network security at the Department of Homeland Security's National Cybersecurity Division, said most federal agencies will have implemented TIC by the end of this calendar year. Coose said about 50 access points had been certified by DHS by late February. Still, as of late February, more than 2,000 non-compliant Internet connections still feed into federal networks, he said.

Wilshusen said TIC is working. "Throughout their reduction efforts, agencies have experienced benefits, such as improved security and network management," he wrote in the report. "However, they have been challenged in implementing TIC because OMB did not promptly communicate the number of access points for which they had been approved and DHS did not always respond to agency queries on security capabilities in a timely manner.

"Agencies' experiences with implementing TIC offered OMB and DHS lessons learned, such as the need to define program requirements before establishing deadlines and the usefulness of sponsoring collaborative meetings for agencies' implementation efforts."

GAO recommended that OMB promptly communicate the number of approved connections for agencies, and suggested that DHS improve its communication and performance measures. OMB and DHS concurred with GAO's findings, conclusions and recommendations, GAO reported, though Homeland Security furnished several technical comments.


About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



