Federal Information Security

GAO's recent audit findings present a disturbing picture of the state of computer security at government agencies. GAO's work--and the work of other audit entities--has revealed that many agencies' critical operations and processes are at serious risk of disruption because of weak security practices. GAO has included computer security on its list of government areas at high risk for waste, fraud, abuse, and mismanagement. The President's plan for protecting critical infrastructure reinforces this designation. This testimony discusses steps that agencies can take immediately to strengthen their security programs as well as other actions needed to make more fundamental and long-term improvements. This testimony also discusses governmentwide actions needed to support and encourage agency progress and congressional oversight of this progress.

GAO noted that: (1) federal agencies can act immediately to address federal information security weaknesses and reduce the related risks; (2) specifically, they can: (a) increase awareness; (b) ensure that existing controls are operating effectively; (c) ensure that software patches are up-to-date; (d) use automated scanning and testing tools to quickly identify problems; (e) propagate their best practices; and (f) ensure that their most common vulnerabilities are addressed; (3) none of these actions alone will ensure good security; (4) however, they take advantage of readily available information and tools and, thus, do not involve significant new resources; and (5) as a result, they are steps that can be made without delay.