Information Security
FBI Needs to Address Weaknesses in Critical Network
Gao ID: GAO-07-368 April 30, 2007
GAO-07-368, Information Security: FBI Needs to Address Weaknesses in Critical Network
This is the accessible text file for GAO report number GAO-07-368
entitled 'Information Security: FBI Needs to Address Weaknesses in
Critical Network' which was released on May 24, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Honorable F. James Sensenbrenner Jr., House of
Representatives:
United States Government Accountability Office:
GAO:
April 2007:
Information Security:
FBI Needs to Address Weaknesses in Critical Network:
GAO-07-368:
GAO Highlights:
Highlights of GAO-07-368, a report to F. James Sensenbrenner Jr., House
of Representatives
Why GAO Did This Study:
The Federal Bureau of Investigation (FBI) relies on a critical network
to electronically communicate, capture, exchange, and access law
enforcement and investigative information. Misuse or interruption of
this critical network, or disclosure of the information traversing it,
would impair FBI's ability to fulfill its missions. Effective
information security controls are essential for ensuring that
information technology resources and information are adequately
protected from inadvertent or deliberate misuse, fraudulent use,
disclosure, modification, or destruction.
GAO was asked to assess information security controls for one of FBI's
critical networks. To assess controls, GAO conducted a vulnerability
assessment of the internal network and evaluated the bureau's
information security program associated with the network operating
environment. This report summarizes weaknesses in information security
controls in one of FBI's critical networks.
What GAO Found:
Certain information security controls over the critical internal
network reviewed were ineffective in protecting the confidentiality,
integrity, and availability of information and information resources.
Specifically, FBI did not consistently (1) configure network devices
and services to prevent unauthorized insider access and ensure system
integrity; (2) identify and authenticate users to prevent unauthorized
access; (3) enforce the principle of least privilege to ensure that
authorized access was necessary and appropriate; (4) apply strong
encryption techniques to protect sensitive data on its networks; (5)
log, audit, or monitor security-related events; (6) protect the
physical security of its network; and (7) patch key servers and
workstations in a timely manner. Taken collectively, these weaknesses
place sensitive information transmitted on the network at risk of
unauthorized disclosure or modification, and could result in a
disruption of service, increasing the bureau's vulnerability to insider
threats.
These weaknesses existed, in part, because FBI had not fully
implemented key information security program activities for the
critical network reviewed. FBI has developed an agencywide information
security program, which includes an organization to monitor and protect
the bureau's information systems from external attacks and insider
misuse and to serve as the central focal point of contact for near-real-
time security monitoring. However, shortcomings exist with certain
program elements for the network, including an outdated risk
assessment, incomplete security plan, incomplete specialized security
training, insufficient testing, untimely remediation of weaknesses, and
inadequate service continuity planning. Without a fully implemented
program, certain security controls will likely remain inadequate or
inconsistently applied.
What GAO Recommends:
GAO recommends several actions to fully implement an information
security program. In a separate classified report, GAO makes
recommendations to correct specific weaknesses. FBI agreed with many of
the recommendations but disagreed with the characterization of risk to
its information and noted that it has made significant strides in
reducing risks. GAO believes that increased risk remains.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-368].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory C. Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Objective, Scope, and Methodology:
Certain Controls over FBI's Network Were Ineffective:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Comments from the Federal Bureau of Investigation:
Appendix II: GAO Contacts and Staff Acknowledgments:
Abbreviations:
C&A: certification and accreditation:
DOJ: Department of Justice:
ESOC: Enterprise Security Operations Center:
FBI: Federal Bureau of Investigation:
FISMA: Federal Information Security Management Act:
NIST: National Institute of Standards and Technology:
OIG: Office of Inspector General:
OMB: Office of Management and Budget:
United States Government Accountability Office:
Washington, DC 20548:
April 30, 2007:
The Honorable F. James Sensenbrenner Jr.
House of Representatives:
The Federal Bureau of Investigation (FBI) relies on automated systems
and networks to electronically communicate, capture, exchange, and
access law enforcement and investigative information. As part of its
ongoing efforts to improve information technology capabilities, the
bureau deployed and began operating a network in April 2004 as part of
its Trilogy modernization effort. Misuse or interruption of this
network, or disclosure of the information traversing it, would impair
FBI's ability to fulfill its missions. Prior to this network's
deployment, misuse was illustrated by former agent Robert Hanssen, who
exploited information security weaknesses at the bureau to track the
FBI's most sensitive espionage investigations.
In response to your request as Chairman of the House Judiciary
Committee for the 109th Congress, we assessed whether FBI has
effectively implemented appropriate information security controls on a
critical internal network, deployed as part of the Trilogy
modernization effort, to protect the confidentiality, integrity and
availability of its law enforcement and investigative information. Such
controls are essential for ensuring that information technology
resources and information are adequately protected from inadvertent or
deliberate misuse, fraudulent use, disclosure, modification, or
destruction.
This report summarizes shortcomings identified in information security
controls on this critical internal network. It does not always contain
specific examples of the weaknesses identified due to the sensitive
nature of the information discussed.
Results in Brief:
Certain information security controls over the critical internal
network were ineffective in protecting the confidentiality, integrity,
and availability of law enforcement and investigative information.
Specifically, FBI did not consistently (1) configure network devices
and services securely to prevent unauthorized insider access; (2)
identify and authenticate users to prevent unauthorized access; (3)
enforce the principle of least privilege to ensure that authorized
access was necessary and appropriate; (4) apply strong encryption
techniques to protect sensitive data on its networks; (5) log, audit,
or monitor security-related events; (6) protect the physical security
of its network; and (7) patch key servers and workstations in a timely
manner. Taken collectively, these weaknesses place sensitive
information transmitted on the network at increased risk of
unauthorized disclosure or modification, and could result in a
disruption of service.
These weaknesses existed, in part, because FBI had not fully
implemented key information security program activities for the network
reviewed. FBI has developed an agencywide information security program,
which includes an organization to monitor and protect the bureau's
information systems from external attacks and insider misuse and to
serve as the central focal point of contact for near-real-time security
monitoring. However, shortcomings exist with certain program elements
for the network, including an outdated risk assessment, incomplete
security plan, incomplete specialized security training, insufficient
testing, untimely remediation of weaknesses, and inadequate service
continuity planning. Also, although the bureau had documented
information security policies and procedures, it lacked detailed
standards that addressed some of the weaknesses identified. Without a
fully implemented program, security controls will likely remain
inadequate or inconsistently applied.
We are making recommendations to the FBI Director to take several steps
to fully implement key activities of the bureau's information security
program for the network. These activities include updating assessments
and plans to reflect the bureau's current operating environment,
providing more comprehensive coverage of system tests and correcting
weaknesses in a timely manner. In a separate classified report, we are
making recommendations to address the specific control weaknesses
identified.
In commenting on a draft of this report, the FBI Chief Information
Officer concurred with many of our recommendations, but did not believe
that the bureau had placed sensitive information at an unacceptable
risk for unauthorized disclosure, modification, or insider threat
exploitation. He cited significant strides in reducing risk since the
Robert Hanssen espionage investigation. However, we believe that until
weaknesses identified in network devices and services, identification
and authentication, authorization, cryptography, audit and monitoring,
physical security, and patch management are addressed, increased risk
to FBI's critical network remains. Further, until the bureau fully and
effectively implements certain information security program activities
for the network, security controls will likely remain inadequate or
inconsistently applied.
Background:
Information security is critical for any organization that depends on
information systems and computer networks to carry out its mission or
business. It is especially important for government agencies, where the
public's trust is essential. The dramatic expansion in computer
interconnectivity and the rapid increase in the use of the Internet are
changing the way our government, the nation, and much of the world
communicate and conduct business. Without proper safeguards, systems
are vulnerable to individuals and groups with malicious intent who can
intrude and use their access to obtain sensitive information, commit
fraud, disrupt operations, or launch attacks against other computer
systems and networks. These concerns are well founded for a number of
reasons, including a dramatic increase in reports of security
incidents, ease of obtaining and using hacking tools, a steady advance
in the sophistication and effectiveness of attack technology, and dire
warnings of new and more destructive attacks to come.
Computer-supported federal operations are similarly at risk. Our
previous reports, and those of agency inspectors general, describe
persistent information security weaknesses that place a variety of
federal operations at risk of disruption, fraud, or inappropriate
disclosure of sensitive data. We have designated information security
as a governmentwide high-risk area since 1997[Footnote 1]--a
designation that remains today.[Footnote 2]
Recognizing the importance of securing federal agencies' information
systems, Congress enacted the Federal Information Security Management
Act (FISMA)[Footnote 3] in December 2002 to strengthen the security of
information and systems within federal agencies. FISMA requires each
agency, using a risk-based approach to information security management,
to develop, document, and implement an agency-wide information security
program to provide information security for the information and systems
that support the operations and assets of the agency--including those
operated or maintained by contractors or others on behalf of the
agency.
FBI Operations:
The Federal Bureau of Investigation (FBI), which is a component of the
Department of Justice (DOJ), has mission responsibilities that include
investigating serious federal crimes, protecting the nation from
foreign intelligence and terrorist threats, and assisting other law
enforcement agencies. Over 12,000 special agents and 16,000 analysts
and mission support personnel are located in the bureau's Washington,
D.C., headquarters and in more than 70 offices in the United States and
50 offices in foreign countries.
Mission responsibilities at the bureau are divided among the following
five major organizational components.
* Administration: manages the bureau's personnel programs, budgetary
and financial services, records, information resources, and information
security.
* National Security: integrates investigative and intelligence
activities against current and emerging national security threats, and
provides information and analysis for the national security and law
enforcement communities.
* Criminal Investigations: investigates serious federal crimes and
probes federal statutory violations involving exploitation of the
Internet and computer systems.
* Law Enforcement Services: provides law enforcement information and
forensic services to federal, state, local, and international agencies.
* Office of the Chief Information Officer: develops the bureau's
information technology strategic plan and operating budget and develops
and maintains technology assets.
The organizational components are further organized into subcomponents,
such as divisions, offices, and other groups.
The FBI Security Division, within the Administration component, and the
Office of the Chief Information Officer collaborated to establish
information security initiatives. One initiative included the
establishment of the Enterprise Security Operations Center (ESOC),
which monitors and protects FBI's systems from external attacks and
insider misuse and ensures the availability, confidentiality, and
nonrepudiation of FBI information. A second initiative was the
deployment of a Public Key Infrastructure, which provided strong
authentication of users' identification to applications.
To execute its mission responsibilities, FBI relies extensively on
information technology. The bureau operates and maintains hundreds of
computerized systems, networks, databases, and applications.
Recognizing the need to modernize its computer systems and networks,
FBI proposed a major technology upgrade plan to Congress in September
2000. The Information Technology Upgrade Project, which FBI
subsequently renamed Trilogy, was FBI's largest automated information
systems modernization initiative to date. Trilogy consisted of three
parts: (1) the information presentation component to upgrade computer
hardware and software, (2) the transportation network component to
upgrade the communication network, and (3) the user application
component to upgrade and consolidate the most important investigative
applications.
FBI completed the first two components--the information presentation
and the transportation network--in April 2004, upgrading its
information technology infrastructure with new desktop computers and
deploying a wide area network to enhance electronic communication among
offices and with other law enforcement organizations. The data
traversing the network includes privacy act and sensitive investigative
information.
Previously Reported Information Security Weaknesses:
FBI information system security weaknesses have been exploited by
insiders in the past. The U.S. Secret Service, along with CERT®
Coordination Center,[Footnote 4] studied insider threats, and stated in
a May 2005 report that "insiders pose a substantial threat by virtue of
their knowledge of, and access to, employer systems and/or databases."
The espionage of Robert Hanssen, a former FBI agent, illustrated how an
insider can take advantage of inadequacies in the bureau's information
system security controls. After discovery of Hanssen's espionage, in
2001, the Attorney General commissioned an outside review of FBI's
security program. The commission found significant deficiencies in
bureau information security policies and practices, in areas such as
certification and accreditation (C&A),[Footnote 5] physical security,
security awareness training, access control, and auditing. The report
stated that those deficiencies flow from a pervasive inattention to
security, which had been at best a low priority. Additionally, shortly
after Hanssen's arrest in 2001, the Senate Select Committee on
Intelligence and the Attorney General requested that the DOJ Office of
Inspector General (OIG) review FBI's performance in deterring,
detecting, and investigating the espionage activities. The report
pointed out that the agent exploited serious weaknesses in FBI's
information security and made a specific recommendation on detecting
improper computer usage and enforcing "need to know"--granting access
only when it is an operational necessity. According to agency
officials, the bureau is addressing this and other recommendations.
Objective, Scope, and Methodology:
The objective of our review was to determine whether the FBI has
effectively implemented appropriate information security controls on a
critical internal network, deployed as part of the Trilogy
modernization effort, to protect the confidentiality, integrity, and
availability of its law enforcement and investigative information.
To evaluate the effectiveness of the security controls over this
critical network, we examined routers, network management servers,
switches, firewalls, and controlled interfaces at FBI headquarters. Our
evaluation was based on (1) our Federal Information System Controls
Audit Manual,[Footnote 6] which provides guidance for reviewing
information system controls that affect the confidentiality, integrity,
and availability of computerized data; (2) previous reports from the
DOJ OIG; and (3) the Federal Information Security Management Act, which
establishes key elements that are required for an effective information
security program.
Specifically, we evaluated information system controls that are
intended to:
* limit, detect, and monitor access to sensitive network computing
resources, thereby safeguarding them from misuse and protecting them
from unauthorized disclosure and modification;
* encrypt sensitive data on the network;
* prevent the introduction of unauthorized changes to application or
system software;
* protect physical access to network resources; and:
* ensure completion of appropriate background investigations of bureau
personnel with privileged access on the network.
In addition, we evaluated FBI's information security program as it
related to the network operating environment. Such a program includes
key activities such as assessing risk; developing and implementing
policies, procedures, and security plans; providing security awareness
and training; testing and evaluating control effectiveness; planning,
implementing, evaluating, and documenting remedial actions to address
information security deficiencies; and ensuring continuity of
operations.
To evaluate these controls and activities, we identified and examined
pertinent DOJ and FBI security policies and procedures. In addition, to
determine whether network security controls were in place, adequately
designed, and operating effectively, we conducted vulnerability
assessments of the network's key servers, routers, and switches. These
assessments included discussions with agency staff to gain an
understanding of FBI's processes and controls. In order to take
advantage of prior work in this area, we also held discussions with OIG
staff and reviewed information security reports pertaining to FBI
networks and information systems.
We performed our review at FBI headquarters in Washington, D.C., from
March 2006 through December 2006 in accordance with generally accepted
government auditing standards.
Certain Controls over FBI's Network Were Ineffective:
Weaknesses existed in certain access controls and other controls
intended to protect the confidentiality, integrity, and availability of
the law enforcement and investigative information transmitted by a
critical internal network. Our review of the network revealed
weaknesses in access controls and patch management. A key reason for
these weaknesses was that, although FBI had developed an information
security program, it had not effectively or fully implemented key
activities of this program for the network. As a result, sensitive data
traversing this network were vulnerable to unauthorized access,
disclosure, and modification and these weaknesses could lead to
disruptions in FBI operations.
Access Controls:
A basic management objective for any organization is to protect the
resources that support its critical operations from unauthorized
access. Organizations accomplish this objective by designing and
implementing controls that are intended to prevent, limit, and detect
unauthorized access to computing resources, programs, and information.
Access controls include those related to network devices and services,
user identification and authentication, authorization, cryptography,
audit and monitoring of security-related events, and physical access to
information resources. Inadequate controls diminish the reliability of
computerized information and increase the risk of unauthorized
disclosure, modification, and destruction of sensitive information, and
of disruption of service.
Specific examples associated with the weaknesses reported below are
described in more detail in a classified version of this report.
Network Devices and Services:
Networks are collections of interconnected computer systems and devices
that allow individuals to share resources, such as computer programs
and information. Because sensitive programs and information are stored
on or transmitted along networks, effectively securing networks is
essential to protecting computing resources and data from unauthorized
access, manipulation, and use. Organizations secure their networks, in
part, by installing and configuring network devices that permit
authorized network service requests, deny unauthorized requests, and
limit the services that are available on the network. Devices used to
secure networks include (1) firewalls that prevent unauthorized access
to the network, (2) routers that filter and forward data along the
network, (3) switches that forward information among segments of a
network, and (4) servers that host applications and data. Network
services consist of protocols for transmitting data between network
devices. The National Security Agency (NSA) offers guidance for
securely configuring devices and services. Insecurely configured
network devices and services can make a system vulnerable to internal
or external threats. Because networks often include both external and
internal access points for electronic information assets, failure to
secure these assets increases the risk of unauthorized access to
sensitive information and systems, or disruption of service.
FBI used various devices to secure its network; however, it did not
consistently configure network devices and services to prevent
unauthorized access to, and ensure the integrity of, the network.
User Identification and Authentication:
A computer system must be able to identify and authenticate different
users so that activities on the system can be linked to specific
individuals. When an organization assigns unique user accounts to
specific users, the system needs to be able to distinguish one user
from another--a process called identification. The system must also
establish the validity of a user's claimed identity by requesting some
kind of information, such as a password, that is known only by the
user--a process known as authentication. DOJ policy requires that
systems control and limit user access based on identification and
authentication of the user, and that each user is authenticated before
access is permitted. FBI policy addresses identification and
authentication as the foundation for information system access control
and for user accountability, with passwords being a means of
authentication.
FBI did not adequately control user identification and authentication
to ensure that only authorized individuals were granted access to its
network devices. As a result, increased risk of unauthorized access to
servers and other network devices exists, particularly by insiders.
Authorization:
Authorization is the process of granting or denying access rights and
privileges to a protected resource, such as a network, system,
application, function, or file. A key component of granting or denying
access rights is the concept of "least privilege." Least privilege is a
basic principle for securing computer resources and data. It means that
users are granted only those access rights and permissions that they
need to perform their official duties. To restrict legitimate users'
access to only those programs and files that they need in order to do
their work, organizations establish access rights and permissions.
"User rights" are allowable actions that can be assigned to users or to
groups of users. File and directory permissions are rules that are
associated with a particular file or directory and regulate which users
can access it--and the extent of that access. To avoid unintentionally
giving users unnecessary access to sensitive files and directories, an
organization must give careful consideration to its assignment of
rights and permissions. DOJ policy requires that each individual be
granted access to information only when such access is an operational
necessity, sometimes referred to as "need to know." Also, the policy
requires that system security features have the technical ability to
restrict the user's access to only that information which is necessary
for operations. Further, FBI policy defines least privilege as
determining the minimum set of privileges required to perform job
functions, and restricting the user to those privileges and nothing
more.
FBI granted rights and permissions to network devices that allowed more
access to these devices than users needed to perform their jobs. As a
result, increased risk exists that users could perform inappropriate
activities.
Cryptography:
Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive information.
Encryption--one type of cryptography--is the process of converting
readable or plaintext information into unreadable or ciphertext
information using a special value known as a key and a mathematical
process known as an algorithm. The strength of a key and an algorithm
is determined by their length and complexity--the longer and more
complex they are, the stronger they are. FBI policy requires that
passwords be encrypted before being transmitted over the network. It
also requires that sensitive and classified information be safeguarded
such that it is accessible to only those individuals with a "need to
know."
FBI did not always safeguard sensitive data using encryption. As a
result, sensitive information may be disclosed to unauthorized
individuals who do not have a legitimate need for the information.
Audit and Monitoring of Security Relevant Events:
To establish individual accountability, monitor compliance with
security policies, and investigate security violations, it is crucial
to determine what, when, and by whom specific actions have been taken
on a system. Organizations accomplish this by implementing system or
security software that provides an audit trail that they can use to
determine the source of a transaction or attempted transaction and to
monitor users' activities. The way in which organizations configure
system or security software determines the nature and extent of
information that the audit trails can provide. DOJ policy requires that
audit records, including all system transactions, be subject to
recording and routine review for inappropriate or illegal activity, and
that audit trails should be sufficient in detail to facilitate
reconstruction of events if compromise or malfunction occurs. Further,
FBI policy requires that audit trails be monitored and reviewed for
suspicious activity.
FBI established the Enterprise Security Operations Center (ESOC) to
monitor and protect the bureau's information systems from external
attacks and insider misuse, and to serve as the central point of
contact for near real-time security monitoring.
Although ESOC had established audit and monitoring capabilities, it did
not always effectively audit and monitor security-relevant system
activity on the network reviewed. As a result, increased risk exists
that suspicious activities may not be detected.
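The review logic the passage above describes, as an added example that is not part of the GAO report or of any FBI system: it parses a constructed, pipe-delimited audit trail (an assumed format), flags events a reviewer would follow up on (a burst of failed logins followed by a success, privilege use by an account not on an assumed approved list, clearing of the audit log, and data access outside assumed business hours), and reconstructs what one user did, when, and on which host. The account names, hosts, thresholds, and hours are assumptions for the example.

```python
"""Audit-trail review over constructed sample records (added example).

Assumptions, not taken from the report: a pipe-delimited record format
  timestamp|host|user|event|outcome|detail
and a small set of review rules modelled on the report's stated goals:
establish who did what and when, and flag activity that needs follow-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records; format and content are assumptions.
SAMPLE_RECORDS = """\
2007-03-01T08:55:02|srv-db01|jsmith|LOGIN|SUCCESS|console
2007-03-01T09:02:17|srv-db01|jsmith|READ|SUCCESS|case_file=CF-1001
2007-03-01T22:41:09|srv-db01|jsmith|READ|SUCCESS|case_file=CF-2210
2007-03-01T22:41:10|srv-db01|jsmith|READ|SUCCESS|case_file=CF-2211
2007-03-01T23:05:44|ws-117|mdoe|LOGIN|FAILURE|bad password
2007-03-01T23:05:51|ws-117|mdoe|LOGIN|FAILURE|bad password
2007-03-01T23:06:03|ws-117|mdoe|LOGIN|FAILURE|bad password
2007-03-01T23:06:20|ws-117|mdoe|LOGIN|FAILURE|bad password
2007-03-01T23:06:31|ws-117|mdoe|LOGIN|FAILURE|bad password
2007-03-01T23:06:45|ws-117|mdoe|LOGIN|SUCCESS|password
2007-03-01T23:07:30|ws-117|mdoe|PRIV_ESCALATE|SUCCESS|role=local_admin
2007-03-01T23:08:02|ws-117|mdoe|AUDIT_CLEAR|SUCCESS|security log cleared
2007-03-02T10:15:00|srv-db01|admin_ops|PRIV_ESCALATE|SUCCESS|role=dba
"""

ADMIN_ACCOUNTS = {"admin_ops"}      # assumption: accounts approved for privileged use
BUSINESS_HOURS = (7, 19)            # assumption: 07:00 to 19:00 local time
FAILED_LOGIN_THRESHOLD = 5          # assumption: failures before a success is suspicious
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_records(text):
    """Parse records into dicts; skip blank or malformed lines rather than crash."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue
        ts, host, user, event, outcome, detail = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "user": user, "event": event,
            "outcome": outcome, "detail": detail,
        })
    return sorted(records, key=lambda r: r["ts"])


def review(records):
    """Return (rule, user, timestamp) findings that warrant follow-up."""
    findings = []
    failures = defaultdict(list)
    for r in records:
        # Rule 1: burst of failed logins followed by a success (credential guessing).
        if r["event"] == "LOGIN":
            if r["outcome"] == "FAILURE":
                failures[r["user"]].append(r["ts"])
            else:
                recent = [t for t in failures[r["user"]]
                          if r["ts"] - t <= FAILED_LOGIN_WINDOW]
                if len(recent) >= FAILED_LOGIN_THRESHOLD:
                    findings.append(("failed-logins-then-success", r["user"], r["ts"]))
                failures[r["user"]].clear()
        # Rule 2: privilege use by an account not approved for it (least privilege).
        if r["event"] == "PRIV_ESCALATE" and r["user"] not in ADMIN_ACCOUNTS:
            findings.append(("unapproved-privilege-use", r["user"], r["ts"]))
        # Rule 3: tampering with the audit trail itself is always reportable.
        if r["event"] == "AUDIT_CLEAR":
            findings.append(("audit-log-cleared", r["user"], r["ts"]))
        # Rule 4: data access outside business hours.
        if r["event"] == "READ" and not BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("off-hours-access", r["user"], r["ts"]))
    return findings


def reconstruct(records, user):
    """Ordered timeline of what one user did, when, and on which host."""
    return [(r["ts"].isoformat(), r["host"], r["event"], r["outcome"], r["detail"])
            for r in records if r["user"] == user]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for finding in review(recs):
        print(finding)
    for step in reconstruct(recs, "mdoe"):
        print(step)
```

Which events are captured at all is a configuration decision made before review starts: the failed-login rule can only fire if failures are logged as well as successes, and the audit-clear rule only matters if clearing the log is itself an event the system records.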
Physical Security:
Physical security controls are important for protecting computer
facilities and resources from espionage, sabotage, damage, and theft.
These controls restrict physical access to computer resources, usually
by limiting access to the buildings and rooms in which the resources
are housed and by periodically reviewing the access granted, in order
to ensure that access continues to be appropriate. DOJ physical
security policy requires that physical access to facilities where
information is stored, processed, or transmitted be restricted to
cleared and authorized personnel.
FBI did not always effectively implement physical controls. For
example, in some instances, personnel did not follow physical security
policies and procedures for areas containing sensitive information,
creating the potential for unauthorized individuals gaining access to
these resources and data.
Other Information Security Controls:
In addition to access controls, other important security controls
should be in place to ensure the confidentiality, integrity, and
availability of an organization's information and systems. These
controls include techniques designed to ensure the implementation of
secure configurations on network devices and the timely completion of
background investigations for personnel with access to information
systems.
Patch Management:
To protect an organization's information, it is important to ensure
that only authorized applications and programs are placed in operation.
This process consists of instituting policies, procedures, and
techniques to help ensure that all programs and program modifications
are properly authorized, tested, and approved. Patch management is an
important element in mitigating the risks associated with software
vulnerabilities. Up-to-date patch installation could help mitigate
vulnerabilities associated with flaws in software code that could be
exploited to cause significant damage--including the loss of control of
entire systems--thereby enabling malicious individuals to read, modify,
or delete sensitive information or disrupt operations. FBI policy
recognizes the need to establish management controls to ensure timely
and effective implementation of security patches and software upgrades.
It also sets windows by patch criticality: critical patches are to be
evaluated within 24 hours and installed immediately after testing;
moderate patches are to be considered within 10 days and installed
immediately after testing; and low patches are to be considered within
10 days and installed with the next standard build of the system.
The bureau's patch management for the network was ineffective. ESOC
evaluated and provided patches to operations staff for installation on
systems; however, patches were not installed in a timely manner and
legacy devices contained obsolete software.
FBI has recognized deficiencies in its patch management process and has
identified missing elements needed to implement a more effective patch
management process. Also, according to agency officials, the bureau
plans to eventually remove legacy devices containing obsolete software
from the network. However, until FBI implements an effective patch
management program, it is unable to assure the confidentiality,
integrity, and availability of devices on its network.
Background Investigations:
According to Office of Management and Budget (OMB) Circular A-
130,[Footnote 7] it has long been recognized that the greatest harm to
computing resources has been done by authorized individuals engaged in
improper activities--whether intentionally or accidentally. Personnel
controls (such as screening individuals in positions of trust)
supplement technical, operational, and management controls,
particularly where the risk and magnitude of potential harm is high.
Background screenings (or investigations) help an organization to
determine whether a particular individual is suitable for a given
position by attempting to ascertain the person's trustworthiness and
appropriateness for the position. The exact type and rigor of screening
that takes place depends on the sensitivity of the position and
applicable regulations by which the agency is bound. FBI policy
requires that employees and contractors with access to the network have
a top secret clearance, and that individuals with a top secret
clearance undergo periodic reinvestigation every 5 years.
FBI generally complied with background investigation requirements. Of
the 44 individuals reviewed, 41 had current background investigations
that had been completed within the last 5 years. Three individuals'
investigations were more than 5 years old by a few months, and
reinvestigations were in process at the time of our review.
Information Security Program:
Weaknesses in access controls and patch management existed, in part,
because FBI had not yet effectively or fully implemented key security
activities associated with its agencywide information security program
for the critical internal network reviewed. Although FBI has developed
an information security program, shortcomings exist with certain key
elements.
FISMA[Footnote 8] requires agencies to implement an agencywide
information security program that includes:
* periodic assessments of the risk and the magnitude of harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information systems;
* policies and procedures that (1) are based on risk assessments, (2)
cost-effectively reduce risks, (3) ensure that information security is
addressed throughout the life cycle of each system, and (4) ensure
compliance with applicable requirements;
* plans for providing adequate information security for networks,
facilities, and systems;
* security awareness training to inform personnel--including
contractors and other users of information systems--of information
security risks and of their responsibilities in complying with agency
policies and procedures;
* at least annual testing and evaluation of the effectiveness of
information security policies, procedures, and practices relating to
management, operational, and technical controls of every major
information system that is identified in the agencies' inventories;
* a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies in their information
security policies, procedures, or practices; and:
* plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
However, FBI did not fully or effectively implement many of these
activities for the critical internal network reviewed.
Risk Assessments:
Identifying and assessing information security risks are essential
steps in determining what controls are required. Moreover, by
increasing awareness of risks, these assessments can generate support
for the policies and controls that are adopted in order to help ensure
that these policies and controls operate as intended. Further, OMB
Circular A-130, appendix III, prescribes, as does FBI policy, that risk
be reassessed when significant changes are made to computerized
systems--or at least every 3 years. The bureau's Certification &
Accreditation Handbook incorporates a risk management process by
requiring documentation in a risk management matrix throughout the
lifecycle of a system. This matrix is to address such topics as
threats, vulnerabilities, impact of a particular threat exploiting a
particular vulnerability, existing or recommended countermeasures to
mitigate the risk, business impact of implementing the countermeasures,
and a schedule for implementing the recommended countermeasures.
The risk assessment for the network was outdated and incomplete. In
2004, as part of its C&A process, FBI assessed risk for the network and
documented threats and vulnerabilities in a risk management matrix,
which addressed many of the weaknesses described in this report.
However, the bureau had not updated the matrix to reflect significant
changes, such as additional connectivity, in the network operating
environment. In addition, FBI did not have a comprehensive inventory--
an enterprisewide view--that reflected the current operating
environment, including new connections as well as interfaces with
legacy systems; as such, although individual risk assessments may have
existed for these connections or legacy systems, the bureau may not be
able to determine how any risks associated with them affect the overall
network. Further, the existing matrix did not address business impact
or schedule. Inadequately assessing risk can lead to implementing
inadequate or inappropriate security controls that might not address
the system's true risk; it also can lead to costly efforts to
subsequently implement effective controls. Also, other organizations
connected to the bureau depended on a risk assessment that was outdated
and incomplete.[Footnote 9]
Policies and Procedures:
Another key task in developing an effective information security
program is to establish and implement risk-based policies, procedures,
and technical standards that govern security over an agency's computing
environment. If properly implemented, policies and procedures should
help reduce the risk that could come from unauthorized access or
disruption of services. Technical configuration standards provide
consistent implementing guidance for each computing environment.
Because security policies and procedures are the primary mechanisms by
which management communicates its views and requirements, it is
important that policies and procedures be established and documented.
FBI has developed and documented high-level information security
guidance, but specific guidance did not always exist for the network
environment. The bureau's Security Policy Manual and Certification &
Accreditation Handbook provided guidance on topics such as security
officer roles and responsibilities, personnel security, badges,
identification and authentication, and system certification
requirements. However, although technical configuration standards
existed for topics such as Windows configuration, other detailed
standards did not always exist. Without effectively developing,
documenting, and implementing policies, procedures and standards, the
bureau has less assurance that its systems and information are
protected from unauthorized access.
Security Plans:
The objective of system security planning is to improve the protection
of information technology resources. A system security plan is intended
to provide a complete and up-to-date overview of a system's security
requirements and describe the controls that are in place or planned to
meet those requirements. FISMA requires that agency information
security programs include subordinate plans for providing adequate
information security for networks, facilities, and systems or groups of
information systems, as appropriate. OMB Circular A-130 specifies that
agencies develop and implement system security plans for major
applications and for general support systems and that these plans
address policies and procedures for providing management, operational,
and technical controls. The National Institute of Standards and
Technology (NIST) recommends that security plans include, among other
topics, existing or planned security controls, the individual
responsible for the security of the system, description of the system
and its interconnected environment, and rules of behavior. FBI policy
requires that system security plans be developed as part of its C&A
process.
FBI had documented a system security plan for the network, but it was
incomplete and not up to date. The network security plan included many
elements required by NIST, such as the description of individuals
responsible for security and rules of behavior. Although the plan
addressed management, operational, and certain technical controls,
other specific technical controls, such as for communication
protection, were not included. Further, the plan did not reflect the
current operating environment because it did not completely address
system interconnectivity. As a result, FBI and other agencies that
connect to the network cannot ensure that appropriate controls are in
place to protect their systems and critical information.
Security Awareness Training:
Another FISMA requirement for an information security program is that
it promote awareness and provide required training for users so that
they can understand the system security risks and their role in
implementing related policies and controls to mitigate those risks.
Computer intrusions and security breakdowns often occur because
computer users fail to take appropriate security measures. For this
reason, it is vital that employees and contractors who use computer
resources in their day-to-day operations be made aware of the
importance and sensitivity of the information they handle, as well as
their roles and responsibilities, and what they need to do to protect
the confidentiality, integrity, and availability of that information.
FISMA mandates that all federal employees and contractors who use
agency information systems be provided with periodic training in
information security awareness and accepted information security
practice. DOJ policy requires all personnel who manage, operate,
develop, or use automated data processing and telecommunications to
take security training and refresher training at least annually.
Additionally, FISMA requires agency chief information officers to
ensure that personnel with significant information security
responsibilities receive specialized training.
FBI provided security awareness to most, but not all, employees and
contractors; however, not all individuals with security
responsibilities completed the specialized training. The bureau had
implemented a security awareness training program that included
computer-based training and a database to track completion. In fiscal
year 2006, 41 of 44 individuals reviewed completed the training.
Additionally, FBI had implemented a specialized security training
program that identified a number of roles with significant security
responsibilities. Each role had a required computer-based specialized
training curriculum, and FBI tracked users' progress and completion of
courses. However, for fiscal year 2006, only 17 of 44 individuals
reviewed had completed the required specialized training for their
role; 11 of 44 individuals had not completed any specialized training;
the remainder had completed some but not all of the training. FBI
officials explained that the specialized training program was new in
fiscal year 2006 and that they had initial problems identifying
individuals with significant information security responsibilities
along with obtaining an appropriate number of licenses for the
training. Until FBI fully implements an effective security awareness
and training program, it is at increased risk that individuals could
accidentally or intentionally allow unauthorized access to sensitive
information.
Tests and Evaluations of Control Effectiveness:
Another key element of an information security program is testing and
evaluating system controls to ensure they are appropriate, effective,
and comply with policies. An effective program of ongoing tests and
evaluations can be used to identify and correct information security
weaknesses. This type of oversight demonstrates management's commitment
to the security program, reminds employees of their roles and
responsibilities, and identifies and mitigates areas of noncompliance
and ineffectiveness. Although control tests may encourage compliance
with security policies, the full benefits of testing are not achieved
unless the test results are analyzed by security specialists and
business managers and used as a means of identifying new problem areas,
reassessing the appropriateness of existing controls, and identifying
the need for new controls. FISMA requires that agencies test and
evaluate the information security controls of their systems and that
the frequency of such tests be based on risk, but occur no less than
annually. Similarly, the FBI Certification & Accreditation Handbook
requires periodic testing to ensure that the accredited system has
maintained its documented configuration baseline and to identify new
vulnerabilities that may be inherent in the system and not previously
identified.
Although FBI had various initiatives under way to test and evaluate its
network, the tests were not comprehensive. The network had undergone
certification testing as part of FBI's C&A process, and ESOC conducts
periodic system scans to detect vulnerabilities on its network.
However, the bureau, as noted earlier, did not appropriately consider
risks associated with the current operating environment. Further, the
scans conducted by the monitoring group were limited in what they could
find because the group had not been given administrative (credentialed)
access to the systems it scanned; an uncredentialed scan sees only what
a host exposes on the network and cannot verify installed patch levels
or local configuration. As a result, certain vulnerabilities were not
detected.
Without appropriate tests and evaluations, the agency has limited
assurance that policies and controls are appropriate and working as
intended. Additionally, increased risk exists that undetected
vulnerabilities could be exploited to allow unauthorized access to
sensitive information.
Remedial Actions:
Remedial action plans, also known as plans of action and milestones,
can assist agencies in identifying, assessing, prioritizing, and
monitoring progress in correcting security weaknesses in information
systems. According to OMB Circular A-123, agencies should take timely
and effective action to correct deficiencies that they have identified
through a variety of information sources. To accomplish this, remedial
action plans should be developed and progress tracked for each
deficiency. FBI's Certification & Accreditation Handbook requires that
plans of action and milestones serve as a management tool to address
corrective actions associated with system deficiencies and any new
vulnerabilities.
FBI did not address remedial actions in a timely manner. For example,
the plan of action and milestones for the network included 15
unresolved weaknesses that were over 2 years old. Eight of these
outstanding weaknesses were categorized as "high vulnerability" or
"very high vulnerability" weaknesses. Without an effective remediation
program, identified vulnerabilities may not be resolved in a timely
manner, thereby allowing continuing opportunities for unauthorized
individuals to exploit these weaknesses to gain access to sensitive
information and systems.
Continuity of Operations:
Service continuity controls can enable systems to be recovered quickly
and effectively following a service disruption or disaster. Such
controls include plans and procedures designed to protect information
resources and minimize the risk of unplanned interruptions, along with
a plan to recover critical operations should interruptions occur. These
controls should be designed to ensure that when unexpected events
occur, key operations continue without interruption or are promptly
resumed, and critical and sensitive data are protected. They should
also be tested annually or as significant changes are made. It is
important that these plans be clearly documented, communicated to
potentially affected staff, tested, and updated to reflect current
operations. FBI policy requires documented procedures to ensure the
continuity of essential functions under all circumstances. In addition,
the policy requires regularly scheduled testing of contingency plans.
FBI had not implemented comprehensive continuity of operations plans
and procedures for the internal network. Although the bureau had a 2004
contingency plan that reflected the planned Trilogy network
environment, the plan did not reflect the current internal network
operating environment. FBI also had a contingency plan for its data
center, but this plan did not cover the network. Further, there were
neither documented test plans nor test results indicating continuity of
operations testing had been performed specifically for the network.
According to FBI officials, redundancy has been implemented in the
internal network to ensure high availability. Officials also stated
that recovery of the internal network has already been exercised in
many real-life situations. However, until the bureau completes actions
to address these weaknesses, it is at risk of not being able to recover
from certain service disruptions to the internal network in a timely
manner.
Conclusions:
Ineffective controls threaten the confidentiality, integrity, and
availability of the sensitive law enforcement and investigative
information transmitted by the critical internal network. Certain
information security control weaknesses existed in network devices and
services, identification and authentication, authorization,
cryptography, audit and monitoring, physical security, and patch
management. The bureau's lack of a comprehensive inventory of the
current network operating environment--an enterprisewide view--
compounds the effect of these weaknesses. FBI developed an agency-wide
information security program; however, key activities associated with
this program had not been fully implemented for the network. Until FBI
ensures that the information security program associated with the
network is fully implemented, there is limited assurance that its
sensitive data will be adequately protected against unauthorized
disclosure or modification or that network services will not be
interrupted. These weaknesses leave the bureau vulnerable to insider
threats.
Recommendations for Executive Action:
We recommend that the FBI Director take the following eight actions to
fully implement information security program activities for the
critical internal network reviewed.
* Develop a comprehensive inventory of the current network operating
environment.
* Update the network's risk assessment to reflect the current operating
environment and ensure that the assessment includes elements required
by the FBI Certification & Accreditation Handbook.
* Develop technical standards that include guidance for addressing the
access control weaknesses identified.
* Update the network security plan to ensure that it reflects the
current operating environment and includes sections required by the FBI
Certification & Accreditation Handbook.
* Ensure that all network users receive security awareness training and
that all users with significant security responsibilities receive
specialized training as defined by their role.
* Provide comprehensive coverage of system testing and scans.
* Correct identified weaknesses in a timely manner.
* Develop a continuity of operations plan that addresses the current
network environment, and periodically test the plan.
To help strengthen information security controls over the network, we
are recommending in a separate classified report that the FBI Director
take action to address specific weaknesses associated with network
devices and services, identification and authentication, authorization,
cryptography, audit and monitoring, physical security, and patch
management.
Agency Comments and Our Evaluation:
In providing written comments (reprinted in app. I) on a draft of the
report, the FBI Chief Information Officer concurred with many of our
recommendations to address the weaknesses identified, and noted some
instances where weaknesses have already been addressed. However, he
took exception to the report's assertion that the collective result of
the weaknesses presents an increased risk to FBI information. The
bureau does not believe that it has placed sensitive information at an
unacceptable risk for unauthorized disclosure, modification, or insider
threat exploitation. We believe that until weaknesses identified in
network devices and services, identification and authentication,
authorization, cryptography, audit and monitoring, physical security
and patch management are addressed, increased risk to FBI's critical
network remains. Further, as noted in our conclusion, the lack of a
comprehensive inventory of the current network operating environment--
an enterprisewide view--compounds the effect of these weaknesses.
He also stated that FBI has made significant strides in reducing risk
since the Robert Hanssen espionage investigation. For example,
according to the Chief Information Officer, since its inception in
2002, the bureau's Information Assurance section has taken FBI from an
agency wherein only 8 percent of information systems were accredited to
maintaining 100 percent accreditation of its major systems. Further, he
stated that the bureau has increased its monitoring capabilities and
established a comprehensive vulnerability assessment program. As stated
in our report, we acknowledged that FBI has developed an agencywide
information security program. However, shortcomings existed in how the
bureau implemented certain elements of the program for the network. For
example, the network risk assessment associated with the accreditation
process was outdated and incomplete. Other shortcomings included an
incomplete security plan, incomplete specialized training, insufficient
testing, untimely remediation of weaknesses and inadequate service
continuity planning. Although positive efforts have been made, until
FBI fully and effectively implements key activities of the information
security program associated with its network, security controls will
likely remain inadequate or inconsistently applied, and the bureau will
have limited assurance that sensitive data will be adequately protected
against unauthorized disclosure or modification, or that network
services will not be interrupted.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies to
congressional committees with jurisdiction over FBI and executive
branch agencies' information security programs, the Attorney General,
the FBI Director, the DOJ Inspector General, and other interested
parties. We also will make copies available to others on request. In
addition, this report will be available at no charge on the GAO Web
site at www.gao.gov.
If you or your staff have any questions regarding this report, please
contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or
Keith A. Rhodes at (202) 512-6412 or rhodesk@gao.gov. Contact points
for our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report. Key contributors to this report
are listed in appendix II.
Sincerely yours,
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Signed by:
Keith A. Rhodes:
Chief Technologist:
[End of section]
Appendix I: Comments from the Federal Bureau of Investigation:
U.S. Department of Justice:
Federal Bureau of Investigation:
Washington, D. C. 20535-0001:
March 13, 2007:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Wilshusen:
Re: FBI Response To GAO'S Draft Report, "Information Security, FBI
Needs To Address Weaknesses In Critical Network," GAO-07-368:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report entitled "Information
Security, FBI Needs to Address Weaknesses in Critical Network"
(hereafter referred to as "the Report"). The Report has been reviewed
by various components of the Federal Bureau of Investigation (FBI),
including the Security Division and the Office of the Chief Information
Officer (OCIO). This letter constitutes the formal FBI response.
Based on our review of the Report, the FBI concurs with many of the
GAO's technical recommendations and the programmatic recommendation to
continue the implementation of information security activities in order
to fully establish a comprehensive Information Assurance Program.
However, the FBI takes exception to the GAO's conclusion that the
collective result of the information security weaknesses identified by
the GAO presents an increased risk to FBI information. The FBI does not
agree that it has placed sensitive information at an unacceptable risk
for unauthorized disclosure, modification, or insider threat
exploitation. In fact, since the Robert Hanssen Espionage Investigation
and the implementation of the Trilogy modernization effort, the FBI has
made significant strides in reducing these risks by establishing
policy, processes and procedures to ensure the confidentiality,
integrity and availability of law enforcement, investigative and
intelligence information.
In April 2002, the FBI Security Division established the Information
Assurance Section (IAS). The mission of the IAS is to protect the FBI's
digital information through practical, effective, innovative security
solutions. The IAS acts under the joint authority of the Assistant
Director Security Division and the FBI CIO and provides in-depth risk
assessments of the technical, operational and management controls of
the FBI's information environment. Since its inception, the IAS has
taken the FBI from an agency wherein only 8% of information systems
were accredited to maintaining 100% accreditation of its major
information systems as required by the Federal Information Security
Management Act (FISMA). In April 2006, after an in-depth evaluation of
the FBI Certification and Accreditation (C&A) Program, the Director of
National Intelligence (DNI) awarded the FBI Director the authority to
accredit most complex security systems.
In October 2003, the FBI established an initial monitoring capability
when the Enterprise Security Operations Center (ESOC) received an
Interim Authority To Operate (IATO) on the FBI's Top Secret Enclave. In
October 2004, the ESOC charter to conduct insider threat detection was
approved by the Director. Additionally, ESOC received a full Approval
To Operate (ATO) on all three FBI information technology enclaves thus
expanding its monitoring capabilities and establishing a comprehensive
vulnerability assessment program. Furthermore the ESOC has established
sophisticated capabilities to support FBI internal investigations by
working closely with the Counterintelligence and Criminal Divisions.
Again, thank you for the opportunity to respond to the Report. Should
you or your staff have questions regarding our response, please feel
free to contact me or any of my staff.
Mr. Dean Hall
Deputy CIO
Office of the Chief Information Officer
202-324-2307
Mr. Charles Fred Newberry, Jr.
Section Chief
Information Assurance Section
Security Division
202-383-9606
Sincerely yours,
Signed by:
Zalmai Azmi
Chief Information Officer
[End of section]
Appendix II: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov
Keith A. Rhodes, (202) 512-6412 or rhodesk@gao.gov
Staff Acknowledgments:
In addition to the persons named above, Edward Alexander Jr., Michael
Derr, Steve Gosewehr, Jeffrey Knott, Duc Ngo, Eugene Stevens, and
William Thompson made key contributions to this report.
FOOTNOTES
[1] GAO, High-Risk Series: Information Management and Technology,
GAO/HR-97-9 (Washington, D.C.: February 1997).
[2] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007).
[3] Title III, E-Government Act of 2002, P.L. 107-347 (Dec. 17, 2002).
[4] CERT Coordination Center is a center of Internet security expertise
located at the Software Engineering Institute, a federally funded
research and development center operated by Carnegie Mellon University.
[5] Certification is the comprehensive evaluation of the management,
operational, and technical security controls in an information system
to determine the effectiveness of these controls and identify existing
vulnerabilities. Accreditation is the official management decision to
authorize operation of an information system. Authorization explicitly
accepts the risk remaining after the implementation of an agreed-upon
set of security controls.
[6] GAO, Federal Information System Controls Audit Manual, Volume I:
Financial Statement Audits, GAO/AIMD-12.19.6 (Washington, D.C.:
January 1999).
[7] Office of Management and Budget, Circular A-130, Appendix III,
Security of Federal Automated Information Resources (Nov. 28, 2000).
[8] FISMA requires each agency to develop, document, and implement an
agencywide information security program to provide information security
for the information and systems that support the operations and assets
of the agency, using a risk-based approach to information security
management.
[9] An Interconnection Security Agreement documents any direct
connection made between two or more information systems that are owned
and operated by different authorities or organizations. Each
organization is required to provide and keep current the C&A approval
for the interfacing systems. Reciprocal acceptance of these documents
is expected, and any questions or concerns are documented and addressed.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office, 441 G Street NW, Room LM,
Washington, D.C. 20548
To order by phone: Voice (202) 512-6000; TDD (202) 512-2537; Fax (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125,
Washington, D.C. 20548
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149,
Washington, D.C. 20548