Information Security

Comments on Proposed Government Information Act of 1999, GAO ID: T-AIMD-00-107, March 2, 2000

The proposed Government Information Security Act of 1999--S. 1993--seeks to strengthen information security practices throughout the federal government. GAO's work has shown that almost all government agencies are plagued by poor computer security. The dramatic rise in computer interconnectivity has increased the risk of severe disruptions to government operations. Government officials are increasingly worried about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare. S. 1993 would update the legal framework that supports federal information security requirements and would address widespread federal information security weaknesses. In particular, the bill would prescribe a risk-based approach to information security and independent audits of security controls. It also would approach security from a governmentwide perspective, taking steps to accommodate the varying information security needs of both national security and civilian agency operations. This testimony discusses how this proposal could substantially improve the federal government's efforts to address its computer security problems. GAO also raises two additional issues--the need for better-defined control standards and centralized leadership--that, if addressed, could further strengthen security practices and oversight.

GAO noted that: (1) the nation's computer-based infrastructures are at increasing risk of severe disruption; (2) the dramatic increase of computer interconnectivity has provided pathways among systems that can be used to gain unauthorized access to data and operations from remote locations; (3) government officials are increasingly worried about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare; (4) S. 1993 provides opportunities to address this problem; (5) it updates the legal framework that supports federal information security requirements and addresses widespread federal information security weaknesses; (6) the bill provides for a risk-based approach to information security and independent annual audits of security controls; and (7) it approaches security from a governmentwide perspective, taking steps to accommodate the significantly varying information security needs of both national security and civilian agency operations.


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.