IT Security Among GAO's 2010 Top Priorities
Ensuring Secure Systems, Data Deemed Critical
"Information systems security continues to be a critical activity in ensuring our information systems and assets are effectively protected and free from compromise," according to the 45-page GAO Fiscal Year 2010 Performance Plan, issued Monday. Fiscal year 2010 begins Oct. 1.
GAO set out for itself four strategic goals, including one to help transform the federal government's role and how it conducts business to meet 21st century challenges. Among the work it expects to do to achieve that goal is evaluating federal agencies' IT security policies and procedures and their critical cyber infrastructure.
"Given the constantly evolving nature of threats to information systems and assets, information security will continue to be a management challenge for us and all government and private sector entities at least through fiscal year 2010," the GAO performance plan states. "Our overall goal is to ensure that information protection requirements extend across the life cycle of documentation: from data transmission and storage to the eventual archiving and disposal of data. In fiscal years 2009 and 2010, we will continue to make progress on these efforts."
The performance plan does not provide details on how GAO would address information security, but in a recent interview with GovInfoSecurity.com, GAO Information Security Issues Director Gregory Wilshusen describes several IT security projects, including a major report expected in June to address what he characterizes as a "dichotomy of measures, where agencies are reporting that they're increasingly performing all of these control activities, but the IGs (inspectors general), GAO and others consistently identify consistent and serious weaknesses in their computer controls."
The report is being prepared for Sen. Tom Carper, the Delaware Democrat who is sponsoring legislation to update the Federal Information Security Management Act (FISMA) of 2002, including new ways to measure how effectively agencies secure their IT systems. (Click here to read a transcript of or listen to an interview with Carper on FISMA reform.)
Other IT security projects to get the GAO's attention, Wilshusen says, include the Federal Desktop Core Configuration, a Defense Department initiative that developed a minimum set of security configurations for Windows operating systems; the Trusted Internet Connection Initiative, a program aimed at drastically reducing the number of government connections to the Internet; and the Einstein Initiative, the US-CERT program that provides network monitoring capability to look for anomalous activity.
"For each of those three initiatives, we are to identify the goals and objectives of the initiatives, the extent to which it has been implemented at the agencies or to assess the plans for implementation at those agencies, and then to identify any lessons learned or challenges and the benefits associated with their implementation," Wilshusen says.