Cybersecurity
Continued Federal Efforts Are Needed to Protect Critical Systems and Information
GAO ID: GAO-09-835T June 25, 2009
This is the accessible text file for GAO report number GAO-09-835T
entitled 'Cybersecurity: Continued Federal Efforts Are Needed to
Protect Critical Systems and Information' which was released on June
26, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Technology and Innovation, Committee on
Science and Technology, House of Representatives:
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected 2:00 p.m. EDT:
Thursday, June 25, 2009:
Cybersecurity:
Continued Federal Efforts Are Needed to Protect Critical Systems and
Information:
Statement of Gregory C. Wilshusen,
Director, Information Security Issues:
GAO-09-835T:
GAO Highlights:
Highlights of GAO-09-835T, a testimony before the Subcommittee on
Technology and Innovation, Committee on Science and Technology, House
of Representatives.
Why GAO Did This Study:
Federal laws and policy have assigned important roles and
responsibilities to the Department of Homeland Security (DHS) and the
National Institute of Standards and Technology (NIST) for securing
computer networks and systems. DHS is charged with coordinating the
protection of computer-reliant critical infrastructure--much of which
is owned by the private sector--and securing its own computer systems,
while NIST is responsible for developing standards and guidelines for
implementing security controls over information and information
systems.
GAO was asked to describe cybersecurity efforts at DHS and NIST--
including partnership activities with the private sector--and the use of
cybersecurity performance metrics in the federal government. To do so,
GAO relied on its reports on federal information security and federal
efforts to fulfill national cybersecurity responsibilities.
What GAO Found:
Since 2005, GAO has reported that DHS has yet to comprehensively
satisfy its key cybersecurity responsibilities, including those related
to establishing effective partnerships with the private sector.
Shortcomings exist in key areas that are essential for DHS to address
in order to fully implement its cybersecurity responsibilities (see
table). DHS has since developed and implemented certain capabilities,
but still has not fully satisfied aspects of these responsibilities and
needs to take further action to enhance the public/private partnerships
needed to adequately protect cyber critical infrastructure. GAO has
also previously reported on significant security weaknesses in systems
supporting two of the department's programs, one that tracks foreign
nationals entering and exiting the United States, and one for matching
airline passenger information against terrorist watch-list records. DHS
has corrected information security weaknesses for systems supporting
the terrorist watch-list, but needs to take additional actions to
mitigate vulnerabilities associated with systems tracking foreign
nationals.
Table: Key Cybersecurity Areas Reviewed by GAO:
1. Bolstering cyber analysis and warning capabilities.
2. Improving cybersecurity of infrastructure control systems.
3. Strengthening DHS's ability to help recover from Internet
disruptions.
4. Reducing organizational inefficiencies.
5. Completing actions identified during cyber exercises.
6. Developing sector-specific plans that fully address all of the cyber-
related criteria.
7. Securing internal information systems.
Source: GAO.
[End of table]
NIST plays a key role in providing important information security
standards and guidance. Pursuant to its responsibilities under the
Federal Information Security Management Act (FISMA), NIST has developed
standards specifying minimum security requirements for federal
information and information systems; and provided corresponding
guidance that details the controls necessary for securing those
systems. It has also been working with both public and private sector
entities to enhance information security requirements. The resulting
guidance and tools provided by NIST serve as important resources for
federal agencies that can be applied to information security programs.
As GAO recently testified in May, opportunities exist to improve the
metrics used to assess agency information security programs. According
to the performance metrics established by the Office of Management and
Budget (OMB), agencies reported increased compliance in implementing
key information security control activities. However, GAO and agency
inspectors general continue to report significant weaknesses in
controls. This dichotomy exists in part because the OMB-defined metrics
generally do not measure how well controls are implemented. As a
result, reported metrics may provide an incomplete picture of an
agency's information security program.
What GAO Recommends:
GAO has previously made about 30 recommendations to help DHS fulfill
its cybersecurity responsibilities and resolve underlying challenges.
In addition, GAO has made about 60 recommendations to strengthen
security over information systems supporting DHS's programs for border
security and its terrorist watch list. DHS has actions planned and
underway to implement them.
View [hyperlink, http://www.gao.gov/products/GAO-09-835T] or key
components. For more information, contact Gregory C. Wilshusen at (202)
512-6244 or wilshuseng@gao.gov.
[End of section]
Chairman Wu and Members of the Subcommittee:
Thank you for the opportunity to participate in today's hearing on
computer-based (cyber) security activities at the Department of
Homeland Security (DHS) and the National Institute of Standards and
Technology (NIST). Cybersecurity is a critical consideration for any
organization that depends on information systems and computer networks
to carry out its mission or business. The need for a vigilant approach
to cybersecurity has been demonstrated by the pervasive and sustained
cyber attacks against the United States and others that continue to
pose significant risks to computer systems and networks and the
operations and critical infrastructures that they support.
In my testimony today, I will describe cybersecurity activities at DHS
and NIST, including those activities related to establishing public/
private partnerships with the owners of critical infrastructure. In
addition, I will discuss the use of cybersecurity-related metrics in
the federal government. In preparing for this testimony, we relied on
our previous reports on federal information security and on DHS's
efforts to fulfill its national cybersecurity responsibilities. We also
relied on a draft report of our review of agencies' implementation of
the Federal Information Security Management Act (FISMA).[Footnote 1]
These reports contain detailed overviews of the scope of our work and
the methodology we used.
The work on which this testimony is based was performed in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform audits to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
Background:
As computer technology has advanced, federal agencies have become
dependent on computerized information systems to carry out their
operations and to process, maintain, and report essential information.
Virtually all federal operations are supported by computer systems and
electronic data, and agencies would find it difficult, if not
impossible, to carry out their missions, deliver services to the
public, and account for their resources without these cyber assets.
Information security is thus especially important for federal agencies
to ensure the confidentiality, integrity, and availability of their
systems and data. Conversely, ineffective information security controls
can result in significant risk to a broad array of government
operations and assets, as the following examples illustrate:
* Computer resources could be used for unauthorized purposes or to
launch attacks on other computer systems.
* Sensitive information, such as personally identifiable information,
intellectual property, and proprietary business information could be
inappropriately disclosed, browsed, or copied for purposes of identity
theft, espionage, or other types of crime.
* Critical operations, such as those supporting critical
infrastructure, national defense, and emergency services, could be
disrupted.
* Data could be added, modified, or deleted for purposes of fraud,
subterfuge, or disruption.
Government officials are increasingly concerned about attacks from
individuals and groups with malicious intent, such as criminals,
terrorists, and adversarial foreign nations. For example, in February
2009, the Director of National Intelligence testified that foreign
nations and criminals have targeted government and private sector
networks to gain a competitive advantage and potentially disrupt or
destroy them, and that terrorist groups have expressed a desire to use
cyber attacks as a means to target the United States. [Footnote 2] The
growing connectivity between information systems, the Internet, and
other infrastructures creates opportunities for attackers to disrupt
telecommunications, electrical power, and other critical
infrastructures. As government, private sector, and personal activities
continue to move to networked operations, digital systems add ever more
capabilities, wireless systems become more ubiquitous, and the design,
manufacture, and service of information technology have moved overseas,
the threat will continue to grow.
DHS Is a Focal Point for National Cybersecurity Efforts:
Federal law and policy[Footnote 3] establish DHS as the focal point for
efforts to protect our nation's computer-reliant critical
infrastructures[Footnote 4]--a practice known as cyber critical
infrastructure protection, or cyber CIP. In this capacity, the
department has multiple cybersecurity-related roles and
responsibilities. In 2005, we identified, and reported on, 13 key
cybersecurity responsibilities.[Footnote 5] They include, among others,
(1) developing a comprehensive national plan for CIP, including
cybersecurity; (2) developing partnerships and coordinating with other
federal agencies, state and local governments, and the private sector;
(3) developing and enhancing national cyber analysis and warning
capabilities; (4) providing and coordinating incident response and
recovery planning, including conducting incident response exercises;
and (5) identifying, assessing, and supporting efforts to reduce cyber
threats and vulnerabilities, including those associated with
infrastructure control systems.[Footnote 6] Within DHS, the National
Protection and Programs Directorate has primary responsibility for
assuring the security, resiliency, and reliability of the nation's
cyber and communications infrastructure.
DHS is also responsible for securing its own computer networks,
systems, and information. FISMA requires the department to develop and
implement an agencywide information security program to provide
security for the information and information systems that support the
operations and assets of the agency. Within DHS, the Chief Information
Officer is responsible for ensuring departmental compliance with
federal information security requirements.
NIST Is Responsible for Establishing Federal Standards and Guidance for
Information Security:
FISMA tasks NIST--a component within the Department of Commerce--with
responsibility for developing standards and guidelines, including
minimum requirements, for (1) information systems used or operated by
an agency or by a contractor of an agency or other organization on
behalf of the agency and (2) providing adequate information security
for all agency operations and assets, except for national security
systems. The act specifically required NIST to develop, for systems
other than national security systems, (1) standards to be used by all
agencies to categorize all their information and information systems
based on the objectives of providing appropriate levels of information
security, according to a range of risk levels; (2) guidelines
recommending the types of information and information systems to be
included in each category; and (3) minimum information security
requirements for information and information systems in each category.
NIST also is required to develop a definition of and guidelines for
detection and handling of information security incidents as well as
guidelines developed in conjunction with the Department of Defense and
the National Security Agency for identifying an information system as a
national security system. Within NIST, the Computer Security Division
of the Information Technology Laboratory is responsible for developing
information security related standards and guidelines.
FISMA also requires NIST to take other actions that include:
* conducting research, as needed, to determine the nature and extent of
information security vulnerabilities and techniques for providing cost-
effective information security;
* developing and periodically revising performance indicators and
measures for agency information security policies and practices;
* evaluating private sector information security policies and practices
and commercially available information technologies, to assess
potential application by agencies to strengthen information security;
and:
* assisting the private sector, in using and applying the results of
its activities required by FISMA.
In addition, the Cyber Security Research and Development Act[Footnote
7] required NIST to develop checklists to minimize the security risks
for each hardware or software system that is, or likely to become,
widely used within the federal government.
Metrics Established to Evaluate Information Security Programs:
FISMA also requires the Office of Management and Budget (OMB) to
develop policies, principles, standards, and guidelines on information
security and to report annually to Congress on agency compliance with
the requirements of the act. OMB has provided instructions to federal
agencies and their inspectors general for preparing annual FISMA
reports. These instructions focus on metrics related to the performance
of key control activities such as developing a complete inventory of
major information systems, providing security training to personnel,
testing and evaluating security controls, testing contingency plans,
and certifying and accrediting systems. FISMA reporting provides
valuable information on the status and progress of agency efforts to
implement effective security management programs.
Recent Efforts to Improve National Cybersecurity Strategy:
Because the threats to federal information systems and critical
infrastructure have persisted and grown, President Bush in January 2008
began to implement a series of initiatives--commonly referred to as the
Comprehensive National Cybersecurity Initiative aimed primarily at
improving DHS's and other federal agencies' efforts to protect against
intrusion attempts and anticipate future threats.[Footnote 8] Since
then, President Obama (in February 2009) directed the National Security
Council and Homeland Security Council to conduct a comprehensive review
to assess the United States' cyber security related policies and
structures. The resulting report, "Cyberspace Policy Review: Assuring a
Trusted and Resilient Information and Communications Infrastructure,"
recommended, among other things, appointing an official in the White
House to coordinate the nation's cybersecurity policies and activities,
creating a new national cybersecurity strategy, and developing a
framework for cyber research and development.[Footnote 9] In addition,
we testified in March 2009[Footnote 10] that a panel of experts
identified 12 key areas of the national cybersecurity strategy
requiring improvement, such as developing a national strategy that
clearly articulates strategic objectives, goals, and priorities;
bolstering the public/private partnership; and placing a greater
emphasis on cybersecurity research and development.
DHS Has Yet to Fully Satisfy Its Cybersecurity Responsibilities:
We have reported since 2005 that DHS has yet to comprehensively satisfy
its key responsibilities for protecting computer-reliant critical
infrastructures. Our reports included about 90 recommendations that we
summarized into key areas, including those listed in table 1, that are
essential for DHS to address in order to fully implement its
responsibilities. DHS has since developed and implemented certain
capabilities to satisfy aspects of its responsibilities, but the
department still has not fully implemented our recommendations, and
thus further action needs to be taken to address these areas.
Table 1: Key Cybersecurity Areas Reviewed by GAO:
1. Bolstering cyber analysis and warning capabilities.
2. Improving cybersecurity of infrastructure control systems.
3. Strengthening DHS's ability to help recover from Internet
disruptions.
4. Reducing organizational inefficiencies.
5. Completing actions identified during cyber exercises.
6. Developing sector-specific plans that fully address all of the cyber-
related criteria.
7. Securing internal information systems.
Source: GAO.
[End of table]
Bolstering Cyber Analysis and Warning Capabilities:
In July 2008, we identified[Footnote 11] that cyber analysis and
warning capabilities included (1) monitoring network activity to detect
anomalies, (2) analyzing information and investigating anomalies to
determine whether they are threats, (3) warning appropriate officials
with timely and actionable threat and mitigation information, and (4)
responding to the threat. These four capabilities comprise 15
key attributes, including establishing a baseline understanding of the
nation's critical network assets and integrating analysis work into
predictive analyses of broader implications or potential future
attacks.
We concluded that while DHS's United States Computer Emergency
Readiness Team (US-CERT) demonstrated aspects of each of the key
attributes, it did not fully incorporate all of them. For example, as
part of its monitoring, US-CERT obtained information from numerous
external information sources; however, it had not established a
baseline of the nation's critical network assets and operations. In
addition, while it investigated whether identified anomalies
constituted actual cyber threats or attacks as part of its analysis, it
did not integrate its work into predictive analyses of broader
implications or potential future attacks, nor did it have the
analytical or technical resources to analyze multiple, simultaneous
cyber incidents. The organization also provided warnings by developing
and distributing a wide array of attack and other notifications;
however, these notifications were not consistently actionable or
timely--i.e., providing the right information to the right persons or
groups as early as possible to give them time to take appropriate
action. Further, while the team responded to a limited number of
affected entities in its efforts to contain and mitigate an attack,
recover from damages, and remediate vulnerabilities, it did not possess
the resources to handle multiple events across the nation.
We also concluded that without fully implementing the key attributes,
US-CERT did not have the full complement of cyber analysis and warning
capabilities essential to effectively perform its national mission. As
a result, we made 10 recommendations to the department to address
shortfalls associated with the 15 attributes in order to fully
establish a national cyber analysis and warning capability. DHS
concurred and agreed to implement 9 of our 10 recommendations.
Improving Cybersecurity of Infrastructure Control Systems:
In a September 2007 report and October 2007 testimony, we reported
[Footnote 12] that DHS was sponsoring multiple control systems security
initiatives, including an effort to improve control systems
cybersecurity using vulnerability evaluation and response tools.
However, DHS had not established a strategy to coordinate the various
control systems activities across federal agencies and the private
sector, and it did not effectively share information on control system
vulnerabilities with the public and private sectors. Accordingly, we
recommended that DHS develop a strategy to guide efforts for securing
control systems and establish a rapid and secure process for sharing
sensitive control system vulnerability information. In response, DHS
recently began developing a strategy and a process to share sensitive
information.
Strengthening DHS's Ability to Help Recover from Internet Disruptions:
We reported and later testified[Footnote 13] in 2006 that the
department had begun a variety of initiatives to fulfill its
responsibility for developing an integrated public/private plan for
Internet recovery in case of a major disruption. However, we determined
that these efforts were not comprehensive or complete. As such, we
recommended that DHS implement nine actions to improve the department's
ability to facilitate public/private efforts to recover the Internet.
In October 2007, we testified[Footnote 14] that the department had made
progress in implementing our recommendations; however, seven of the
nine had not been completed. For example, it revised key plans in
coordination with private industry infrastructure stakeholders,
coordinated various Internet recovery-related activities, and addressed
key challenges to Internet recovery planning. However, it has not,
among other things, finalized recovery plans and defined the
interdependencies among DHS's various working groups and initiatives.
In other words, it has not completed an integrated private/public plan
for Internet recovery. As a result, we concluded that the nation lacked
direction from the department on how to respond in such a contingency.
We also noted that these incomplete efforts indicated that DHS and the
nation were not fully prepared to respond to a major Internet
disruption. To date, an integrated public/private plan for Internet
recovery does not exist.
Reducing Organizational Inefficiencies:
In June 2008, we reported[Footnote 15] on the status of DHS's efforts
to establish an integrated operations center that it agreed to adopt
per recommendations from a DHS-commissioned expert task force. We
determined that while DHS had taken the first step towards integrating
two operations centers--the National Coordination Center Watch and
US-CERT--it had yet to implement the remaining steps, complete a strategic
plan, or develop specific tasks and milestones for completing the
integration. We concluded that until the two centers were fully
integrated, DHS was at risk of being unable to efficiently plan for and
respond to disruptions to communications infrastructure and the data
and applications that travel on this infrastructure, increasing the
probability that communications will be unavailable or limited in times
of need. As a result, we recommended that the department complete its
strategic plan and define tasks and milestones for completing remaining
integration steps so that we are better prepared to provide an
integrated response to disruptions to the communications
infrastructure. DHS concurred with our first recommendation and stated
that it would address the second recommendation as part of finalizing
its strategic plan.
Completing Corrective Actions Identified During a Cyber Exercise:
In September 2008, we reported[Footnote 16] on a major DHS-coordinated
cyber attack exercise called Cyber Storm, which occurred in 2006 and
included large-scale simulations of multiple concurrent attacks
involving the federal government, states, foreign governments, and
private industry. We determined that DHS had identified eight lessons
learned from this exercise, such as the need to improve interagency
coordination groups and the exercise program. We also concluded that
while DHS had demonstrated progress in addressing the lessons learned,
more needed to be done. Specifically, while the department completed 42
of the 66 activities identified to address the lessons learned, it
identified 16 activities as ongoing and 7 as planned for the future.
[Footnote 17] In addition, DHS provided no timetable for the completion
dates of the ongoing activities. We noted that until DHS scheduled and
completed its remaining activities, it was at risk of conducting
subsequent exercises that repeated the lessons learned during the first
exercise. Consequently, we recommended that DHS schedule and complete
the identified corrective activities so that its cyber exercises can
help both public and private sector participants coordinate their
responses to significant cyber incidents. DHS agreed with the
recommendation. To date, DHS has continued to make progress in
completing some identified activities but has yet to do so for others.
Developing Sector-Specific Plans that Fully Address All of the
Cyber-Related Criteria:
In 2007, we reported and testified[Footnote 18] on the cybersecurity
aspects of CIP plans for 17 critical infrastructure sectors, referred
to as sector-specific plans. Lead federal agencies, referred to as
sector-specific agencies, are responsible for coordinating critical
infrastructure protection efforts with the public and private
stakeholders in their respective sectors. DHS guidance requires each of
the sector-specific agencies to develop plans to address how the
sectors' stakeholders would implement the national plan and how they
would improve the security of their assets, systems, networks, and
functions.
We determined that none of the plans fully addressed the 30 key
cybersecurity-related criteria described in DHS guidance. Further,
while several sectors' plans fully addressed many of the criteria,
others were less comprehensive. In addition to the variations in the
extent to which the plans covered aspects of cybersecurity, there was
also variance among the plans in the extent to which certain criteria
were addressed. Consequently, we recommended[Footnote 19] that DHS
request that the sector-specific agencies fully address all
cyber-related criteria by September 2008 so that stakeholders within the
infrastructure sectors will effectively identify, prioritize, and
protect the cyber aspects of their CIP efforts. We are currently
reviewing the progress made in the sector specific plans.
We testified in March 2009[Footnote 20] regarding the need to bolster
public/private partnerships associated with cyber CIP. According to
panel members, there are not adequate economic and other incentives
(i.e., a value proposition) for greater investment and partnering with
owners and operators of critical cyber assets and functions.
Accordingly, panelists stated that the federal government should
provide valued services (such as offering useful threat or analysis and
warning information) or incentives (such as grants or tax reductions)
to encourage action by and effective partnerships with the private
sector. They also suggested that public and private sector entities use
means such as cost-benefit analyses to ensure the efficient use of
limited cybersecurity-related resources. We are also currently
initiating a review of the status of the public/private partnerships in
cyber CIP.
Securing Internal Information Systems:
Besides weaknesses relating to external cybersecurity responsibilities,
DHS had not secured its own information systems. In July 2007, we
reported[Footnote 21] that DHS systems supporting the US-VISIT program
[Footnote 22] were riddled with significant information security
control weaknesses that place sensitive information--including
personally identifiable information--at increased risk of unauthorized
and possibly undetected disclosure and modification, misuse, and
destruction, and place program operations at increased risk of
disruption. Weaknesses existed in all control areas and computing
device types reviewed. For example, DHS had not implemented controls to
effectively prevent, limit, and detect access to computer networks,
systems, and information. To illustrate, it had not (1) adequately
identified and authenticated users in systems supporting US-VISIT, (2)
sufficiently limited access to US-VISIT information and information
systems, and (3) ensured that controls adequately protected external
and internal network boundaries. In addition, it had not always ensured
that responsibilities for systems development and system production had
been sufficiently segregated, and had not consistently maintained
secure configurations on the application servers and workstations at a
key data center and ports of entry. As a result, intruders, as well as
government and contractor employees, could potentially bypass or
disable computer access controls and undertake a wide variety of
inappropriate or malicious acts. These acts could include tampering
with data; browsing sensitive information; using computer resources for
inappropriate purposes, such as launching attacks on other
organizations; and disrupting or disabling computer-supported
operations. According to the department, it has started remediation
activities to strengthen security over these systems and implement our
recommendations.
In January 2009, we briefed congressional staff on security weaknesses
associated with the development of systems supporting the
Transportation Security Administration's (TSA) Secure Flight program.
[Footnote 23] Specifically, TSA had not taken sufficient steps to
ensure that operational safeguards and substantial security measures
were fully implemented to minimize the risk that the systems will be
vulnerable to abuse and unauthorized access from hackers and other
intruders. For example, TSA had not completed testing and evaluating
key security controls, performed disaster recovery tests, or corrected
high- and moderate-risk vulnerabilities. Accordingly, we recommended
that TSA take steps to complete security testing, mitigate known
vulnerabilities, and update key security documentation prior to initial
operations. TSA subsequently undertook a number of actions to complete
these activities. In May 2009, we concluded that TSA had generally met
its requirements related to systems information security and satisfied
our recommendations.[Footnote 24]
NIST Has Developed Important Federal Information Security Standards and
Guidelines:
NIST has taken steps to address its FISMA-mandated responsibilities by
developing a suite of required security standards and guidelines as
well as other publications that are intended to assist agencies in
developing and implementing information security programs and
effectively managing risks to agency operations and assets. In addition
to developing specific standards and guidelines, NIST developed a set
of activities to help agencies manage a risk-based approach for an
effective information security program. These activities are known as
the NIST Risk Management Framework. Several special publications
support this framework and collectively provide guidance that agencies
can apply to their information security programs for selecting the
appropriate security controls for information systems--including the
minimum controls necessary to protect individuals and the operations
and assets of the organization.
NIST has developed and issued the following documents to meet its FISMA-
mandated responsibilities:
* Federal Information Processing Standards Publication 199, Standards
for Security Categorization of Federal Information and Information
Systems, February 2004. This standard addresses NIST's requirement for
developing standards for categorizing information and information
systems. It requires agencies to categorize their information systems
as low-impact, moderate-impact, or high-impact for the security
objectives of confidentiality, integrity, and availability. The
security categories are based on the harm or potential impact to an
organization should certain events occur which jeopardize the
information and information systems needed by the organization to
accomplish its assigned mission, protect its assets, fulfill its legal
responsibilities, maintain its day-to-day functions, and protect
individuals. Security categories are to be used in conjunction with
vulnerability and threat information in assessing the risk to an
organization.
* Special Publication 800-60, revision 1, Volume I: Guide for
Mapping Types of Information and Information Systems to Security
Categories, August 2008. This guide is to assist federal government
agencies with categorizing information and information systems. It is
intended to help agencies consistently map security impact levels to
types of (1) information (e.g., privacy, medical, proprietary,
financial, investigation); and (2) information systems (e.g., mission
critical, mission support, administrative). Furthermore, it is intended
to facilitate application of appropriate levels of information security
according to a range of levels of impact or consequences that might
result from the unauthorized disclosure, modification, or use of the
information or information system.
* Federal Information Processing Standards Publication 200, Minimum
Security Requirements for Federal Information and Information Systems,
March 2006. This is the second of the mandatory security standards and
specifies minimum security requirements for information and information
systems supporting the executive agencies of the federal government and
a risk-based process for selecting the security controls necessary to
satisfy the minimum security requirements. Specifically, this standard
specifies minimum security requirements for federal information and
information systems in 17 security-related areas. Federal agencies are
required to meet the minimum security requirements through the use of
the security controls in accordance with NIST Special Publication 800-53.
* Special Publication 800-61, revision 1, Computer Security Incident
Handling Guide, March 2008. This publication is intended to assist
organizations in establishing computer security incident response
capabilities and handling incidents efficiently and effectively. It
provides guidelines for organizing a computer security incident
response capability; handling incidents from initial preparation
through the post-incident lessons-learned phase; and handling specific
types of incidents, such as denial of service, malicious code,
unauthorized access, and inappropriate usage.
* Special Publication 800-59, Guideline for Identifying an Information
System as a National Security System, August 2003. The purpose of this
guide is to assist agencies in determining which, if any, of their
systems are national security systems as defined by FISMA and are to be
governed by applicable requirements for such systems.
* Special Publication 800-55, revision 1, Performance Measurement Guide
for Information Security, July 2008. The purpose of this guide is to
assist in the development, selection, and implementation of measures to
be used at the information system and program levels. These measures
indicate the effectiveness of security controls applied to information
systems and supporting information security programs.
* Special Publication 800-30, Risk Management Guide for Information
Technology Systems, July 2002. This guide provides a foundation for the
development of an effective risk management program, containing both
the definitions and the practical guidance necessary for assessing and
mitigating risks identified within IT systems. It also provides
information on the selection of cost-effective security controls that
can be used to mitigate risk for the better protection of
mission-critical information and the IT systems that process, store,
and carry this information.
* Special Publication 800-18, revision 1, Guide for Developing Security
Plans for Federal Information Systems, February 2006. This guide
provides basic information on how to prepare a system security plan and
is designed to be adaptable in a variety of organizational structures
and used as a reference by those having assigned responsibility for
activities related to security planning.
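The categorization process described in the FIPS 199, SP 800-60, and FIPS 200 entries above, worked through in code. This is an added illustration, not GAO's or NIST's code; the information types and the impact levels assigned to them are constructed sample values, not figures from SP 800-60 Volume II.

```python
"""FIPS 199 security categorization and FIPS 200 overall impact level.

Added illustration (not GAO's or NIST's code). The information types and
their per-objective impact levels below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Ordered impact levels. FIPS 199 permits "not applicable" (NA) for the
# confidentiality objective of an information type (e.g. public data),
# but never for any objective of an information system.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with provisional impact levels per objective."""
    name: str
    confidentiality: str  # LOW / MODERATE / HIGH, or NA
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        """Return the validated impact level for one security objective."""
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {value!r}")
        if value == "NA" and objective != "confidentiality":
            raise ValueError(
                f"{self.name}: NA is only allowed for confidentiality")
        return value


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """FIPS 199 system security category: for each objective, the
    high-water mark across all information types resident on the system.
    The floor is LOW because NA is not permitted at the system level."""
    category = {obj: "LOW" for obj in OBJECTIVES}
    for it in info_types:
        for obj in OBJECTIVES:
            lvl = it.level(obj)
            if LEVELS[lvl] > LEVELS[category[obj]]:
                category[obj] = lvl
    return category


def system_impact_level(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the highest of the three objectives.
    This is what selects the low/moderate/high baseline in SP 800-53."""
    return max((category[obj] for obj in OBJECTIVES), key=LEVELS.__getitem__)


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation:
    SC = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample system: public web content plus privacy and
# investigation information types (levels are illustrative only).
SAMPLE_SYSTEM = [
    InfoType("public web content", "NA", "LOW", "LOW"),
    InfoType("privacy (PII) records", "MODERATE", "MODERATE", "LOW"),
    InfoType("investigation case data", "HIGH", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_category(sc))
    print("overall impact level:", system_impact_level(sc))
```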
NIST is also in the process of developing, updating, and revising a
number of special publications related to information security,
including the following:
* Special Publication 800-37, revision 1, Guide for Security
Authorization of Federal Information Systems, August 2008. This
publication is intended to, among other things, support the development
of a common security authorization process for federal information
systems. According to NIST, the new security authorization process
changes the traditional focus from the stove-pipe,
organization-centric, static-based approaches and provides the capability to more
effectively manage information system-related security risks in highly
dynamic environments of complex and sophisticated cyber threats, ever
increasing system vulnerabilities, and rapidly changing missions. The
process is designed to be tightly integrated into enterprise
architectures and ongoing system development life cycle processes,
promote the concept of near real-time risk management, and capitalize
on current and previous investments in technology, including automated
support tools.
* Special Publication 800-39, second public draft, Managing Risk from
Information Systems: An Organizational Perspective, April 2008. The
purpose of this publication is to provide guidelines for managing risk
to organizational operations and assets, individuals, other
organizations, and the nation resulting from the operation and use of
information systems. According to NIST, the risk management concepts
described in the publication are intentionally broad-based, with the
specific details of assessing risk and employing appropriate risk
mitigation strategies provided by supporting NIST security standards
and guidelines.
* Special Publication 800-53, revision 3, Recommended Security Controls
for Federal Information Systems and Organizations, June 2009. This
publication has been updated from the previous versions to include a
standardized set of management, operational, and technical controls
intended to provide a common specification language for information
security for federal information systems processing, storing, and
transmitting both national security and non-national security
information.
* Draft IR-7502, The Common Configuration Scoring System (CCSS):
Metrics for Software Security Configuration Vulnerabilities. This
publication defines proposed measures for the severity of software
security configuration issues and provides equations that can be used
to combine the measures into severity scores for each configuration
issue.
In addition, NIST has other ongoing and planned activities that are
intended to enhance information security programs, processes, and
controls. For example, it is supporting the development of a program
for credentialing public and private sector organizations to provide
security assessment services for federal agencies. To support
implementation of the credentialing program and aid security
assessments, NIST is participating or will participate in the following
initiatives:
* Training includes development of training courses, NIST publication
quick start guides, and frequently asked questions to establish a
common understanding of the standards and guidelines supporting the
NIST Risk Management Framework.
* Product and Services Assurance Assessment includes defining criteria
and guidelines for evaluating products and services used in the
implementation of controls outlined in NIST SP 800-53.
* Support Tools includes identifying or developing common protocols,
programs, reference materials, checklists, and technical guides
supporting implementation and assessment of SP 800-53-based security
controls in information systems.
* Mapping initiative includes identifying common relationships and the
mappings of FISMA standards, guidelines, and requirements with
International Organization for Standardization (ISO) standards for
information security management, quality management, and laboratory
testing and accreditation.
These planned efforts include implementing a program for validating
security tools.
Other Collaborative Activities Undertaken by NIST:
NIST collaborated with a broad constituency--federal and nonfederal--to
develop documents to assist information security professionals. For
example, NIST worked with the Office of the Director of National
Intelligence, the Department of Defense, and the Committee on National
Security Systems to develop a common process for authorizing federal
information systems for operation. This resulted in a major revision to
NIST Special Publication 800-37, currently issued as an initial public
draft. NIST also collaborated with these organizations on Special
Publication 800-53 and Special Publication 800-53A to provide
guidelines for selecting and specifying security controls for federal
government information systems and to help agencies develop plans and
procedures for assessing the effectiveness of these controls. NIST also
interacted with the DHS to incorporate guidance on safeguards and
countermeasures for federal industrial control systems in Special
Publication 800-53.
NIST is also working with public and private sector entities to
establish specific mappings and relationships between the security
standards and guidelines developed by NIST and the ISO and
International Electrotechnical Commission Information Security
Management System standard. For example, the latest draft of Special
Publication 800-53 introduces a three-part strategy for harmonizing the
FISMA security standards and guidelines with international security
standards including an updated mapping table for security controls.
NIST also undertook other information security activities, including:
* developing Federal Desktop Core Configuration checklists; and
* continuing a program of outreach and awareness through organizations
such as the Federal Computer Security Program Managers' Forum and the
Federal Information Systems Security Educators' Association.
Through NIST's efforts, agencies have access to additional tools and
guidance that can be applied to their information security programs.
Opportunities for Improving Information Security Metrics:
Despite federal agencies reporting increased compliance in implementing
key information security control activities for fiscal year 2008,
opportunities exist to improve the metrics used in annual reporting.
The information security metrics developed by OMB focus on compliance
with information security requirements and the implementation of key
control activities. OMB requires federal agencies to report on key
information security control activities as part of the FISMA-mandated
annual report on federal information security. To facilitate the
collection and reporting of information from federal agencies, OMB
developed a suite of information security metrics, including the
following:
* percentage of employees and contractors receiving security awareness
training,
* percentage of employees with significant security responsibilities
receiving specialized security training,
* percentage of systems tested and evaluated annually,
* percentage of systems with tested contingency plans,
* percentage of agencies with complete inventories of major systems,
and
* percentage of systems certified and accredited.
In May 2009, we testified[Footnote 25] that federal agencies generally
reported increased compliance in implementing most of the key
information security control activities for fiscal year 2008, as
illustrated in figure 1.
Figure 1: Selected Performance Metrics for Agency Systems:
[Refer to PDF for image: multiple vertical bar graph]
Performance metric                                  FY2005  FY2006  FY2007  FY2008
Security awareness training                            81%     91%     84%     89%
Specialized security training                          82%     86%     90%     76%
Periodic testing and evaluation                        73%     88%     95%     93%
Tested contingency plans                               61%     77%     86%     91%
Agencies with 96-100 percent complete inventories      54%     75%     79%     88%
Certification and Accreditation                        85%     88%     92%     96%
Source: GAO analysis of IG and agency data.
[End of figure]
However, reviews at 24 major federal agencies[Footnote 26] continue to
highlight deficiencies in their implementation of information security
policies and procedures. For example, in their fiscal year 2008
performance and accountability reports, 20 of 24 major agencies noted
that their information system controls over their financial systems and
information were either a material weakness or a significant
deficiency.[Footnote 27] In addition, 23 of the 24 agencies did not
have adequate controls in place to ensure that only authorized
individuals could access or manipulate data on their systems and
networks. We also reported that agencies did not consistently (1)
identify and authenticate users to prevent unauthorized access; (2)
enforce the principle of least privilege to ensure that authorized
access was necessary and appropriate; (3) establish sufficient boundary
protection mechanisms; (4) apply encryption to protect sensitive data
on networks and portable devices; and (5) log, audit, and monitor
security-relevant events. Furthermore, those agencies also had
weaknesses in their agencywide information security programs.
An underlying reason for the apparent dichotomy of increased compliance
with security requirements and continued deficiencies in security
controls is that the metrics defined by OMB and used for annual
information security reporting do not generally measure the
effectiveness of the controls and processes that are key to
implementing an agencywide security program. Results of our prior and
ongoing work indicated that, for example, annual reporting did not
always provide information on the quality or effectiveness of the
processes agencies use to implement information security controls.
Providing information on the effectiveness of controls and processes
could further enhance the usefulness of the data for management and
oversight of agency information security programs.
In summary, DHS has not fully satisfied aspects of its key
cybersecurity responsibilities, one of which includes its efforts to
protect our nation's cyber critical infrastructure and still needs to
take further action to address the key areas identified in our recent
reports, including enhancing partnerships with the private sector. In
addition, although DHS has taken actions to remedy security weaknesses
in its Secure Flight program, it still needs to address our remaining
recommendations for strengthening controls for systems supporting the
US-VISIT program. In taking these actions, DHS can improve its own
information security as well as increase its credibility to external
parties in providing leadership on cybersecurity. NIST has developed a
significant number of standards and guidelines for information security
and continues to assist organizations in implementing security controls
over their systems and information. While NIST's role is to develop
guidance, it remains the responsibility of federal agencies to
effectively implement and sustain sufficient security over their
systems. Developing and using metrics that measure how well agencies
implement security controls can contribute to increased focus on the
effective implementation of federal information security.
Chairman Wu, this concludes my statement. I would be happy to answer
questions at the appropriate time.
Contact and Acknowledgements:
If you have any questions regarding this report, please contact Gregory
C. Wilshusen, Director, Information Security Issues at (202) 512-6244
or by e-mail at wilshuseng@gao.gov. Other key contributors to this
report include Michael Gilmore (Assistant Director), Charles Vrabel
(Assistant Director), Bradley Becker, Larry Crosland, Lee McCracken,
and Jayne Wilson.
[End of section]
Footnotes:
[1] FISMA was enacted as title III, E-Government Act of 2002, Pub. L.
No.107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). It permanently
authorized and strengthened information security program, evaluation,
and annual reporting requirements for federal agencies. The act also
assigns specific responsibilities to agency heads and chief information
officers, NIST, and the Office of Management and Budget (OMB).
[2] Statement of the Director of National Intelligence before the
Senate Select Committee on Intelligence, Annual Threat Assessment of
the Intelligence Community for the Senate Select Committee on
Intelligence (Feb. 12, 2009).
[3] These include The Homeland Security Act of 2002, Homeland Security
Presidential Directive-7, and the National Strategy to Secure
Cyberspace.
[4] Critical infrastructures are systems and assets, whether physical
or virtual, so vital to nations that their incapacity or destruction
would have a debilitating impact on national security, national
economic security, national public health or safety, or any combination
of those matters. Federal policy established 18 critical infrastructure
sectors: agriculture and food, banking and finance, chemical,
commercial facilities, communications, critical manufacturing, dams,
defense industrial base, emergency services, energy, government
facilities, information technology, national monuments and icons,
nuclear reactors, materials and waste, postal and shipping, public
health and health care, transportation systems, and water.
[5] GAO, Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
[hyperlink, http://www.gao.gov/products/GAO-05-434] (Washington, D.C.:
May 26, 2005) and Critical Infrastructure Protection: Challenges in
Addressing Cybersecurity, [hyperlink,
http://www.gao.gov/products/GAO-05-827T] (Washington, D.C.: July 19,
2005).
[6] Control systems are computer-based systems that perform vital
functions in many of our nation's critical infrastructures, including
electric power generation, transmission, and distribution; oil and gas
refining and pipelines; water treatment and distribution; chemical
production and processing; railroads and mass transit; and
manufacturing.
[7] Cyber Security Research and Development Act, Pub. L. No.107-305,
116 Stat. 2367 (Nov. 27, 2002).
[8] The White House, National Security Presidential Directive 54/
Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8,
2008).
[9] The White House, Cyberspace Policy Review: Assuring a Trusted and
Resilient Information and Communications Infrastructure (Washington,
D.C.: May 29, 2009).
[10] GAO, National Cybersecurity Strategy: Key Improvements Are Needed
To Strengthen the Nation's Posture, [hyperlink,
http://www.gao.gov/products/GAO-09-432T] (Washington, D.C.: March 10,
2009).
[11] GAO, Cyber Analysis and Warning: DHS Faces Challenges in
Establishing a Comprehensive National Capability, [hyperlink,
http://www.gao.gov/products/GAO-08-588] (Washington, D.C.: July 31,
2008).
[12] GAO, Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain,
[hyperlink, http://www.gao.gov/products/GAO-07-1036] (Washington, D.C.:
Sept. 10, 2007) and Critical Infrastructure Protection: Multiple
Efforts to Secure Control Systems Are Under Way, but Challenges Remain,
[hyperlink, http://www.gao.gov/products/GAO-08-119T] (Washington, D.C.:
Oct. 17, 2007).
[13] GAO, Internet Infrastructure: Challenges in Developing a Public/
Private Recovery Plan, [hyperlink,
http://www.gao.gov/products/GAO-06-863T] (Washington, D.C.: July 28,
2006); and Internet Infrastructure: DHS Faces Challenges in Developing
a Joint Public/Private Recovery Plan, [hyperlink,
http://www.gao.gov/products/GAO-06-672] (Washington, D.C.: June 16,
2006).
[14] GAO, Internet Infrastructure: Challenges in Developing a Public/
Private Recovery Plan, [hyperlink,
http://www.gao.gov/products/GAO-08-212T] (Washington, D.C.: Oct. 23,
2007).
[15] GAO, Critical Infrastructure Protection: Further Efforts Needed to
Integrate Planning for and Response to Disruption on Converged Voice
and Data Networks, [hyperlink, http://www.gao.gov/products/GAO-08-607]
(Washington, D.C.: June 26, 2008).
[16] GAO, Critical Infrastructure Protection: DHS Needs To Fully
Address Lessons Learned from Its First Cyber Storm Exercise,
[hyperlink, http://www.gao.gov/products/GAO-08-825] (Washington, D.C.:
Sept. 9, 2008).
[17] At that time, DHS reported that one other activity had been
completed, but the department was unable to provide evidence
demonstrating its completion.
[18] GAO, Critical Infrastructure Protection: Sector-Specific Plans'
Coverage of Key Cyber Security Elements Varies, [hyperlink,
http://www.gao.gov/products/GAO-08-64T] (Washington D.C.: October 31,
2007) and Critical Infrastructure Protection: Sector-Specific Plans'
Coverage of Key Cyber Security Elements Varies, [hyperlink,
http://www.gao.gov/products/GAO-08-113] (Washington D.C.: Oct. 31,
2007).
[19] [hyperlink, http://www.gao.gov/products/GAO-08-113].
[20] [hyperlink, http://www.gao.gov/products/GAO-09-432T].
[21] GAO, Information Security: Homeland Security Needs to Immediately
Address Significant Weaknesses in Systems Supporting the US-VISIT
Program, [hyperlink, http://www.gao.gov/products/GAO-07-870]
(Washington, D.C.: July 13, 2007).
[22] The US-VISIT program was established by DHS to record and track
the entry and departure of foreign visitors who pass through U.S. ports
of entry by air, land, or sea; to verify their identities; and to
authenticate their travel documentation.
[23] This briefing contained information on our initial January 2009
assessment and recommendations. TSA, a component of DHS, developed an
advanced passenger prescreening program known as Secure Flight that
will allow TSA to match airline passenger information against terrorist
watch-list records.
[24] GAO, Aviation Security: TSA Has Completed Key Activities
Associated with Implementing Secure Flight, but Additional Actions Are
Needed to Mitigate Risks, [hyperlink,
http://www.gao.gov/products/GAO-09-292] (Washington, D.C.: May 13,
2009).
[25] GAO, Information Security: Agencies Make Progress in
Implementation of Requirements, but Significant Weaknesses Persist,
[hyperlink, http://www.gao.gov/products/GAO-09-701T] (Washington, D.C.:
May 19, 2009).
[26] The 24 major departments and agencies are the Departments of
Agriculture, Commerce, Defense, Education, Energy, Health and Human
Services, Homeland Security, Housing and Urban Development, the
Interior, Justice, Labor, State, Transportation, the Treasury, and
Veterans Affairs; the Environmental Protection Agency, General Services
Administration, National Aeronautics and Space Administration, National
Science Foundation, Nuclear Regulatory Commission, Office of Personnel
Management, Small Business Administration, Social Security
Administration, and U.S. Agency for International Development.
[27] A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected. A significant deficiency is a control
deficiency, or combination of control deficiencies, that adversely
affects the entity's ability to initiate, authorize, record, process,
or report financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote likelihood
that a misstatement of the entity's financial statements that is more
than inconsequential will not be prevented or detected. A control
deficiency exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their
assigned functions, to prevent or detect misstatements on a timely
basis.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO's actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO's Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: