GAO: Fed Security Practices Threaten IT Integrity
Federal CIO Kundra Pledges a Secure Government
"Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft."
In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government and is taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clear up confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies.
The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."
Not all of the report was critical. The GAO said federal agencies reported increased compliance in implementing key information security control activities for fiscal year 2008, which ended last September. But, the report said, several agencies' inspectors general noted shortcomings in the agencies' implementation of information security requirements.
Though agencies reported increased implementation of control activities, such as providing awareness training for employees and testing system contingency plans, GAO said, they reported decreased levels of testing of security controls and of training for employees who have significant security responsibilities. In addition, the report said, several agencies' inspectors general disagreed with the performance reported by their agencies and identified weaknesses in the processes used to implement these activities.
GAO also took the White House Office of Management and Budget to task for failing to get agencies' inspectors general to report on the effectiveness of the agencies' key activities, noting that OMB did not always provide clear guidance to inspectors general. "As a result," Wilshusen wrote, "the reporting may not adequately reflect agencies' implementation of the required information security policies and procedures." Kundra didn't disagree: "Improved consistency in the reporting of the inspector general would contribute to a clearer picture of information security in the federal government."
Yet Kundra vehemently challenged another GAO assertion: that OMB failed to approve or disapprove agencies' IT security programs annually, something the Federal Information Security Management Act requires the White House office to do. GAO said OMB representatives told the congressional auditors that the office reviewed agencies' FISMA reports only when an issue arose that required its oversight. "OMB reviews all agency and IG FISMA reports annually," wrote Kundra, whose official title is OMB administrator of e-government and IT. "For the major agencies, OMB also receives and reviews quarterly information on their security programs. OMB uses this information, and other reporting, to evaluate agencies' security management programs. Concerns are communicated directly to the agencies."