Information Security

Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements
GAO ID: GAO-05-552
July 15, 2005




GAO-05-552, Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements

This is the accessible text file for GAO report number GAO-05-552 entitled 'Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements' which was released on July 15, 2005.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
Report to Congressional Committees:

July 2005:

Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements:

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-552]

GAO Highlights: Highlights of GAO-05-552, a report to congressional committees:

Why GAO Did This Study:

Federal agencies rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. Concerned with accounts of attacks on systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, Congress passed the Federal Information Security Management Act (FISMA) in 2002. In accordance with FISMA requirements that the Comptroller General report periodically to the Congress, GAO's objectives in this report are to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) the federal government's implementation of FISMA requirements.

What GAO Found:

Pervasive weaknesses in the 24 major agencies' information security policies and practices threaten the integrity, confidentiality, and availability of federal information and information systems. Access controls were not effectively implemented; software change controls were not always in place; segregation of duties was not consistently implemented; continuity of operations planning was often inadequate; and security programs were not fully implemented at the agencies (see figure). These weaknesses exist primarily because agencies have not yet fully implemented strong information security management programs. These weaknesses put federal operations and assets at risk of fraud, misuse, and destruction. In addition, they place financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.

Overall, the government is making progress in its implementation of FISMA. To provide a comprehensive framework for ensuring the effectiveness of information security controls, FISMA details requirements for federal agencies and their inspectors general (IG), the National Institute of Standards and Technology (NIST), and OMB. Federal agencies reported that they have been increasingly implementing required information security practices and procedures, although they continue to face major challenges. Further, IGs have conducted required annual evaluations, and NIST has issued required guidance in the areas of risk assessments and recommended information security controls, and has maintained its schedule for issuing remaining guidance required under FISMA. Finally, OMB has given direction to the agencies and reported to Congress as required; however, GAO's analysis of its annual reporting guidance identified opportunities to increase the usefulness of the reports for oversight. While progress has been made in implementing statutory requirements, agencies continue to have difficulty effectively protecting federal information and information systems.

Information Security Weaknesses at the 24 Major Agencies: [See PDF for image] [End of figure]

What GAO Recommends:

GAO recommends that the Director of the Office of Management and Budget (OMB) implement improvements in the annual FISMA reporting guidance. In commenting on a draft of this report, OMB agreed with GAO's overall assessment of information security at agencies but disagreed with aspects of our recommendations to enhance its FISMA reporting guidance.

www.gao.gov/cgi-bin/getrpt?GAO-05-552. To view the full product, including the scope and methodology, click on the link above. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

[End of section]

Contents:

Letter:
Results in Brief
Background
Pervasive Weaknesses in Federal Agencies' Information Security Policies and Practices Place Data at Risk
Government Makes Progress in Implementing FISMA, but Challenges Remain
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation

Appendixes:
Appendix I: Objectives, Scope, and Methodology
Appendix II: Comments from the Office of Management and Budget; GAO Comments
Appendix III: GAO Staff Acknowledgments

Related GAO Products

Table:
Table 1: Agencies' Information Security Weaknesses for Fiscal Year 2004

Figures:
Figure 1: Information Security Weaknesses at the 24 Major Agencies for Fiscal Year 2004
Figure 2: FISMA Requirements for Agency Information Security Programs
Figure 3: Percentage of Employees and Contractors Who Received Information Security Awareness Training in Fiscal Year 2004
Figure 4: Percentage of Employees with Significant Security Responsibilities Who Received Specialized Security Training in Fiscal Year 2004
Figure 5: Percentage of Agency Systems Reviewed during Fiscal Year 2004
Figure 6: Percentage of Contractor Operations Reviewed during Fiscal Year 2004
Figure 7: Percentage of Systems with Contingency Plans that Have Been Tested for Fiscal Year 2004
Figure 8: Percentage of Systems during Fiscal Year 2004 that Were Authorized for Processing after Certification and Accreditation
Figure 9: Status of FISMA Guidance at NIST

Abbreviations:
CIO: chief information officer
DOD: Department of Defense
FIPS: Federal Information Processing Standard
FISMA: Federal Information Security Management Act of 2002
IG: Inspector General
NIST: National Institute of Standards and Technology
OMB: Office of Management and Budget
US CERT: United States Computer Emergency Readiness Team

Letter:

July 15, 2005

The Honorable Susan M. Collins, Chairman
The Honorable Joseph I. Lieberman, Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Tom Davis, Chairman
The Honorable Henry A. Waxman, Ranking Member
Committee on Government Reform
House of Representatives

Federal agencies rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information. Concerned with accounts of attacks on systems through the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, Congress passed the Federal Information Security Management Act (FISMA) in 2002.

FISMA recognizes that the major underlying cause for the majority of information security problems in federal agencies is the lack of an effective information security management program. Therefore, FISMA set forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. In addition, FISMA provides a mechanism for improved oversight of federal agency information security programs. This mechanism includes mandated annual reporting by the agencies, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). FISMA also includes a requirement for independent annual evaluations by the inspectors general (IG) or independent external auditors.

In accordance with the FISMA requirement that the Comptroller General report periodically to the Congress, our objectives were to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) implementation of the FISMA requirements. To address these objectives, we analyzed IG, agency, and GAO reports on information security.
We conducted our evaluation from September 2004 through May 2005 in accordance with generally accepted government auditing standards. For further information about our objectives, scope, and methodology, refer to appendix I.

Results in Brief:

Federal agencies have not consistently implemented effective information security policies and practices. Pervasive weaknesses exist in almost all areas of information security controls at 24 major agencies, threatening the integrity, confidentiality, and availability of information and information systems. Access controls were not effectively implemented; software change controls were not always in place; segregation of duties was not consistently implemented; and continuity of operations planning was often inadequate. These weaknesses exist because agencies have not yet fully implemented strong information security management programs. As a result, federal operations and assets are at increased risk of fraud, misuse, and destruction. In addition, these weaknesses place financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.

Overall, the government is making progress in its implementation of the provisions of FISMA. To provide a comprehensive framework for ensuring the effectiveness of information security controls, FISMA details requirements for federal agencies and their IGs, NIST, and OMB. Federal agencies reported that they have been increasingly implementing required information security practices and procedures, although they continue to face major challenges. Further, IGs have conducted the required annual evaluations, and NIST has issued required guidance in the areas of risk assessments and information security controls and has maintained its schedule for issuing the remaining guidance required under FISMA. Finally, OMB has given direction to the agencies and reported to Congress as required; however, our analysis of the annual reporting guidance identified opportunities to increase the usefulness of the reports for oversight purposes. While progress has been made in implementing statutory requirements, agencies continue to have difficulty effectively protecting their information and information systems.

In our prior reports, as well as in reports by the IGs, specific recommendations were made to the agencies to remedy identified information security weaknesses. In this report, we recommend that OMB take several actions to enhance its FISMA reporting guidance to agencies to increase the effectiveness and reliability of annual reporting.

In commenting on a draft of this report, OMB agreed with our overall assessment of information security at the agencies but disagreed with one of our recommendations to enhance its FISMA reporting guidance and provided comments on the others. OMB disagreed with our recommendation to ensure that all key FISMA requirements are reported on in annual reports and stated that reporting on additional sub-elements was not necessary. OMB also provided comments on actions it had or has taken related to the other recommendations. In addition, OMB provided other comments related to the contents of this report.

Background:

Federal agencies and our nation's critical infrastructures--such as power distribution, water supply, telecommunications, national defense, and emergency services--rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information.
Protecting federal computer systems and the systems that support critical infrastructures has never been more important due to escalating threats of computer security incidents, the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks.

Information security is a critical consideration for any organization that depends on information systems and networks to carry out its mission or business. It is especially important for federal agencies where maintaining the public trust is essential. Without proper safeguards, there is enormous risk that individuals and groups with malicious intent may intrude into inadequately protected systems and use this access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.

Enacted into law on December 17, 2002, as title III of the E-Government Act of 2002, FISMA permanently authorized and strengthened information security program, evaluation, and reporting requirements. It assigns specific responsibilities to agency heads and chief information officers (CIO), IGs, NIST, and OMB.

Agency Responsibilities:

FISMA requires each agency, including agencies with national security systems, to develop, document, and implement an agencywide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Specifically, this program is to include:

* periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems;
* risk-based policies and procedures that cost effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system;
* subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
* security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency;
* periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems;
* a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency, through plans of action and milestones;[Footnote 1]
* procedures for detecting, reporting, and responding to security incidents; and
* plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

FISMA also requires each agency to annually report to OMB, selected congressional committees, and the Comptroller General on the adequacy of information security policies, procedures, and practices and compliance with requirements.
In addition, agency heads are required to annually report the results of their independent evaluations to OMB, except to the extent that an evaluation pertains to a national security system; then only a summary and assessment of that portion of the evaluation is reported to OMB. Furthermore, FISMA established a requirement that each agency develop, maintain, and annually update an inventory of major information systems (including major national security systems) operated by the agency or under its control. This inventory is to include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.

Responsibilities of the Inspectors General:

Under FISMA, the IG for each agency must perform an independent annual evaluation of the agency's information security program and practices. The evaluation should include testing of the effectiveness of information security policies, procedures, and practices of a representative subset of agency systems. In addition, the evaluation must include an assessment of the compliance with the act and any related information security policies, procedures, standards, and guidelines. For agencies without an IG, evaluations of nonnational security systems must be performed by an independent external auditor. Evaluations related to national security systems are to be performed by an entity designated by the agency head.

Responsibilities of the National Institute of Standards and Technology:

Under FISMA, NIST is tasked with developing, for systems other than national security systems, (1) standards to be used by all agencies to categorize all their information and information systems, based on the objectives of providing appropriate levels of information security, according to a range of risk levels; (2) guidelines recommending the types of information and information systems to be included in each category; and (3) minimum information security requirements for information and information systems in each category. NIST must also develop a definition of and guidelines concerning detection and handling of information security incidents as well as guidelines, developed in conjunction with the Department of Defense (DOD) and the National Security Agency, for identifying an information system as a national security system. The law also assigns other information security functions to NIST, including:

* providing technical assistance to agencies on such elements as compliance with the standards and guidelines and the detection and handling of information security incidents;
* evaluating private-sector information security policies and practices and commercially available information technologies to assess potential application by agencies;
* evaluating security policies and practices developed for national security systems to assess their potential application by agencies; and
* conducting research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security.

NIST is also required to prepare an annual public report on activities undertaken in the previous year and planned for the coming year.
Responsibilities of the Office of Management and Budget:

FISMA states that the Director of OMB shall oversee agency information security policies and practices, including:

* developing and overseeing the implementation of policies, principles, standards, and guidelines on information security;
* requiring agencies to identify and provide information security protections commensurate with risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency, or information systems used or operated by an agency, or by a contractor of an agency, or other organization on behalf of an agency;
* coordinating information security policies and procedures with related information resource management policies and procedures;
* overseeing agency compliance with FISMA to enforce accountability; and
* reviewing at least annually, and approving or disapproving, agency information security programs.

In addition, the act requires that OMB report to Congress no later than March 1 of each year on agency compliance with FISMA.

Pervasive Weaknesses in Federal Agencies' Information Security Policies and Practices Place Data at Risk:

The 24 major federal agencies[Footnote 2] continue to have significant control weaknesses in their computer systems that threaten the integrity, confidentiality, and availability of federal information and systems. In addition, these weaknesses place financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. The weaknesses appear in the five major categories of information system controls (see fig. 1) defined in our audit methodology for performing information security evaluations and audits.[Footnote 3] These areas are (1) access controls, which ensure that only authorized individuals can read, alter, or delete data; (2) software change controls, which provide assurance that only authorized software programs are implemented; (3) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (4) continuity of operations planning, which provides for the prevention of significant disruptions of computer-dependent operations; and (5) an agencywide security program, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented.

Figure 1: Information Security Weaknesses at the 24 Major Agencies for Fiscal Year 2004: [See PDF for image] [End of figure]

Most agencies had weaknesses in access controls, software change controls, segregation of duties, continuity of operations, and agencywide security programs, as shown in table 1. As a result, federal information, systems, and operations were at risk of fraud, misuse, and disruption.

Table 1: Agencies' Information Security Weaknesses for Fiscal Year 2004:

An X marks a reported weakness in that control area.

Agency/department  | Access controls | Software change controls | Segregation of duties | Continuity of operations | Agencywide security programs
-------------------|-----------------|--------------------------|-----------------------|--------------------------|-----------------------------
Agriculture        | X               | X                        |                       | X                        | X
AID                | X               | X                        |                       |                          | X
Commerce           | X               | X                        | X                     | X                        | X
Defense            | X               | X                        | X                     | X                        | X
Education          | X               | X                        |                       |                          | X
Energy             | X               | X                        | X                     | X                        | X
EPA                | X               | X                        | X                     | X                        | X
Homeland Security  | X               | X                        | X                     | X                        | X
GSA                | X               | X                        | X                     | X                        | X
HHS                | X               | X                        |                       | X                        | X
HUD                | X               | X                        |                       | X                        | X
Interior           | X               | X                        | X                     | X                        | X
Justice            | X               | X                        | X                     | X                        | X
Labor              | X               | X                        | X                     | X                        | X
NASA               | X               | X                        | X                     | X                        | X
NRC                |                 | X                        |                       |                          | X
NSF                | X               |                          |                       | X                        | X
OPM                | X               | X                        |                       | X                        | X
SBA                | X               | X                        | X                     | X                        | X
SSA                | X               | X                        | X                     | X                        | X
State              | X               |                          |                       |                          | X
Transportation     | X               | X                        | X                     | X                        | X
Treasury           | X               | X                        |                       | X                        | X
Veterans Affairs   | X               | X                        | X                     | X                        | X

Source: GAO analysis of IG, agency, and GAO reports.

[End of table]

The significance of these weaknesses has led us to continue to report information security as a material weakness[Footnote 4] in our audit of the fiscal year 2004 financial statements of the U.S. government[Footnote 5] and to continue to include it in our high risk list.[Footnote 6] In the 24 major agencies' fiscal year 2004 reporting regarding their financial systems, 10 reported information security as a material weakness and 12 reported it as a reportable condition.[Footnote 7] Our audits also identified similar weaknesses in nonfinancial systems. In our prior reports, listed in the Related GAO Products section, we have made specific recommendations to the agencies to mitigate identified information security weaknesses. The IGs have also made specific recommendations as part of their information security review work.
Access Controls Were Not Effectively Implemented: A basic management control objective for any organization is to protect data supporting its critical operations from unauthorized access, which could lead to improper modification, disclosure, or deletion of the data. As detailed in our methodology for performing information security audits, organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect access to computing resources (computers, networks, programs, and data), thereby protecting these resources from unauthorized use, modification, loss, and disclosure. Access controls can be both electronic and physical. Electronic access controls include control of user accounts, use of passwords, and assignment of user rights. Physical security controls are important for protecting computer facilities and resources from espionage, sabotage, damage, and theft. These controls involve restricting physical access to computer resources, usually by limiting access to the buildings and rooms in which they are housed. Physical control measures may include guards, badges, and locks, used alone or in combination. Our analysis of IG, agency, and GAO reports has shown that agencies have not always effectively implemented controls to allow only authorized individuals to read, alter, or delete data. Twenty-three of 24 major agencies had access control weaknesses. We identified weaknesses in controls such as user accounts, passwords, and access rights. For example, users created passwords that were common words. Using such words as passwords increases the possibility that an attacker could guess the password and gain access to the account. Also, agencies did not always deactivate unused accounts to prevent them from being exploited by malicious users. In addition, agencies have weaknesses in the controls that prevent unauthorized access to their networks. 
For example, at one agency, we found an excessive number of connections to the Internet. Each such connection could provide a path for an attacker into the agency's network. Agencies often lacked effective physical barriers to access, including locked doors, visitor screening, and effective use of access cards.

Inadequate access controls diminish the reliability of computerized data and increase the risk of unauthorized disclosure, modification, and use. As a result, critical information held by the federal government is at heightened risk of access by unauthorized persons--individuals who could obtain personal data (such as taxpayer information) to perpetrate identity theft and commit financial crimes.

Software Change Controls Were Not Always in Place:

Software change controls ensure that only authorized and fully tested software is placed in operation. These controls, which also limit and monitor access to powerful programs and sensitive files associated with computer operations, are important in providing reasonable assurance that access controls are not compromised and that the system will not be impaired. These policies, procedures, and techniques help ensure that all programs and program modifications are properly authorized, tested, and approved. Failure to implement these controls increases the risk that unauthorized programs or changes could be, inadvertently or deliberately, placed into operation.

Our analysis revealed that 22 of the major agencies had weaknesses in software change controls. Weaknesses in this area included the failure to ensure that software was updated correctly and that changes to computer systems were properly approved. In addition, approval, testing, and implementation documentation for changes were not always properly maintained. Consequently, there is an increased risk that programming errors or deliberate execution of unauthorized programs could compromise security controls, corrupt data, or disrupt computer operations.
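The two account-level weaknesses named in the Access Controls section above (dictionary-word passwords and unused accounts that were never deactivated) are the kind of thing an agency can check routinely rather than wait for an audit to find. The following is an added example, not code from the report or from any agency: it flags enabled accounts with no recent login and applies a password-acceptance check at the time a password is set. The 90-day dormancy threshold, the word list, and the account records are all constructed for illustration.

```python
"""Access-control hygiene checks of the kind the findings above describe:
enabled accounts that have gone unused (candidates for deactivation) and
a password-policy check that rejects plain dictionary words. Added example
with constructed sample data; not code from the report."""
from datetime import date, timedelta

# Constructed directory export: (username, last login as ISO date or None, enabled).
SAMPLE_ACCOUNTS = [
    ("asmith", "2005-06-30", True),
    ("contractor7", "2004-11-02", True),   # unused for months, still enabled
    ("jdoe", "2005-07-01", True),
    ("oldsvc", None, True),                 # never logged in, still enabled
    ("rlee", "2005-01-15", False),          # already deactivated: not a finding
]

# Constructed stand-in for a real dictionary word list.
COMMON_WORDS = {"password", "welcome", "summer", "secret", "letmein", "agency"}

# Hypothetical policy threshold: deactivate after 90 days without a login.
DORMANT_AFTER_DAYS = 90


def dormant_accounts(accounts, today_iso, limit_days=DORMANT_AFTER_DAYS):
    """Return usernames of enabled accounts with no login within limit_days.
    An account that has never logged in counts as dormant."""
    today = date.fromisoformat(today_iso)
    limit = timedelta(days=limit_days)
    flagged = []
    for name, last_login, enabled in accounts:
        if not enabled:
            continue  # already deactivated; nothing to report
        if last_login is None or today - date.fromisoformat(last_login) > limit:
            flagged.append(name)
    return flagged


def password_is_acceptable(candidate, words=COMMON_WORDS, min_length=12):
    """Policy check applied when a password is set. Rejects passwords that
    are too short or that reduce to a dictionary word once trailing digits
    and the usual character substitutions (@->a, $->s, 0->o, 1->i, 3->e)
    are undone, so 'Welcome12345' and 'P@ssw0rd1234' are both refused."""
    if len(candidate) < min_length:
        return False
    stripped = candidate.lower().rstrip("0123456789!")
    normalized = stripped.translate(str.maketrans("@$013", "asoie"))
    return stripped not in words and normalized not in words


if __name__ == "__main__":
    print("dormant:", dormant_accounts(SAMPLE_ACCOUNTS, "2005-07-15"))
    for pw in ("summer2005", "Welcome12345", "P@ssw0rd1234", "correct horse battery"):
        print(pw, "->", "ok" if password_is_acceptable(pw) else "rejected")
```

The dormancy check deliberately treats "never logged in" as dormant, since service or test accounts created and forgotten are exactly the ones that go unreviewed; the password check runs only at set time, so no stored passwords are ever compared against the word list.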
Segregation of Duties Was Not Consistently Implemented:

Segregation of duties refers to the policies, procedures, and organizational structure that help ensure that one individual cannot independently control all key aspects of a process or computer-related operation and, thereby, conduct unauthorized actions or gain unauthorized access to assets or records. Proper segregation of duties is achieved by dividing responsibilities among two or more individuals or organizational groups. Dividing duties among individuals or groups diminishes the likelihood that errors and wrongful acts will go undetected because the activities of one individual or group will serve as a check on the activities of the other. Without adequate segregation of duties, there is an increased risk that erroneous or fraudulent transactions can be processed, improper program changes implemented, and computer resources damaged or destroyed.

Fourteen agencies had weaknesses regarding segregation of information technology duties. Agencies did not always segregate duties for system administration from duties relating to security administration. For example, individuals at certain agencies could add fictitious users to a system with elevated access privileges and perform unauthorized activities without detection. As a result, these agencies may be exposed to an increased risk of fraud and loss.

Continuity of Operations Planning Was Often Inadequate:

An organization must take steps to ensure that it is adequately prepared to cope with the loss of operational capabilities due to earthquake, fire, accident, sabotage, or any other disruption. An essential element in preparing for such catastrophes is an up-to-date, detailed, and fully tested continuity of operations plan. Such a plan should cover all key computer operations and should include planning for business continuity.
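The segregation-of-duties finding above (system administration not separated from security administration, so one person could create a privileged user and act without detection) is easiest to enforce as a rule over role assignments. Here is an added example, not from the report or any agency, of such a check: a preventive test applied before a role is granted and a detective sweep over existing assignments. The role names, the conflicting pairs, and the assignments are constructed; an agency's actual conflict matrix would come from its own control policy.

```python
"""Segregation-of-duties check over role assignments. Flags any individual
who holds two roles the policy says must be separated, and refuses a grant
that would create such a combination. Added example with constructed roles,
rules and assignments; not code from the report."""
from itertools import combinations

# Constructed policy: pairs of roles one individual must not hold at once.
# The first pair is the combination the finding above describes.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"system_admin", "security_admin"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"payment_entry", "payment_approval"}),
}

# Constructed current assignments (user -> set of roles).
SAMPLE_ASSIGNMENTS = {
    "asmith": {"system_admin", "security_admin"},      # violates the first rule
    "jdoe": {"developer"},
    "mchen": {"developer", "production_deployer", "helpdesk"},
    "rlee": {"payment_entry"},
}


def sod_violations(assignments, rules=CONFLICTING_ROLE_PAIRS):
    """Detective control. Return {user: [(role_a, role_b), ...]} for every
    user whose current roles contain a prohibited pair. Pairs are reported
    in sorted order so the output is stable for reporting."""
    violations = {}
    for user, roles in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(roles), 2)
                if frozenset({a, b}) in rules]
        if hits:
            violations[user] = hits
    return violations


def can_grant(user, new_role, assignments, rules=CONFLICTING_ROLE_PAIRS):
    """Preventive control. Return False if adding new_role to the user's
    existing roles would create a prohibited combination."""
    current = assignments.get(user, set())
    return all(frozenset({new_role, held}) not in rules for held in current)


if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: conflicting roles {pairs}")
    print("grant payment_approval to rlee:", can_grant("rlee", "payment_approval", SAMPLE_ASSIGNMENTS))
    print("grant helpdesk to jdoe:", can_grant("jdoe", "helpdesk", SAMPLE_ASSIGNMENTS))
```

Running the detective sweep on a schedule, and the preventive check inside the provisioning workflow, gives two independent chances to catch the combination the report describes; the sweep also catches conflicts introduced by changes that bypassed the workflow.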
This plan is essential for helping to ensure that critical information systems, operations, and data such as financial processing and related records can be properly restored should a disaster occur. To ensure that the plan is complete and fully understood by all key staff, it should be tested, including surprise tests, and test plans and results documented to provide a basis for improvement. If continuity of operations controls are inadequate, even relatively minor interruptions can result in lost or incorrectly processed data, which can cause financial losses, expensive recovery efforts, and inaccurate or incomplete mission-critical information.

Most agencies did not have adequate continuity of operations planning. Twenty of the 24 major agencies had weaknesses in this area. In our April 2005 report on federal continuity of operations plans,[Footnote 8] we determined that agencies had not developed plans that addressed all the necessary elements. For example, fewer than half the plans reviewed contained adequate contact information for emergency communications. Few plans documented the location of all vital records for the agencies, or methods of updating those records in an emergency. Further, most of the agencies had not conducted tests, training, or exercises frequently enough to have assurance that the plan would work in an emergency. Losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency's ability to accomplish its mission.

Security Programs Were Not Fully Implemented at Agencies:

The underlying cause for the information security weaknesses identified at federal agencies is that they have not yet fully implemented agencywide information security programs. An agencywide security program provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer-related controls.
Without a well-designed program, security controls may be inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

Our analysis has shown that none of the 24 major agencies had fully implemented agencywide information security programs. Agencies often did not adequately assess risks, develop sufficient risk-based policies or procedures for information security, ensure that existing policies and procedures were implemented effectively, or monitor operations to ensure compliance and determine the effectiveness of existing controls. For example, our report on wireless networking[Footnote 9] at federal agencies revealed that the majority of agencies had not yet identified and responded to the security implications of this emerging technology at their facilities. Agencies had not developed policies and procedures for wireless technology, including configuration requirements, monitoring and compliance controls, or training requirements.

Agencies are also not applying information security program requirements to emerging threats, such as spam, phishing, and spyware,[Footnote 10] which pose security risks to federal information systems.[Footnote 11] Spam consumes significant resources and is used as a delivery mechanism for other types of cyber attacks; phishing can lead to identity theft, loss of sensitive information, and use of electronic government services; and spyware can capture and release sensitive data, make unauthorized changes to software, and decrease system performance. The blending of these threats creates additional risks that cannot be easily mitigated with currently available tools.
Until agencies effectively and fully implement agencywide information security programs, federal data and systems will not be adequately safeguarded against unauthorized use, disclosure, and modification. Many of the weaknesses discussed have been pervasive for years; our reports attribute them to ineffective security program management--a void that FISMA was enacted to address.

Government Makes Progress in Implementing FISMA, but Challenges Remain:

FISMA provides a comprehensive framework for developing effective agencywide information security programs. Its provisions create a cycle of risk management activities necessary for effective security program management and include requirements for agencies, IGs, NIST, and OMB.

The government is progressing in its implementation of the information security management requirements of FISMA, but challenges remain. For example, although the agencies report progress in implementing the provisions of the act, many agencies do not have complete, accurate inventories as required. While the IGs have conducted annual evaluations of the agencies' information security programs as required, the lack of a commonly accepted framework for their evaluations has created issues with consistency and comparability. NIST, however, has developed a schedule for its required activities and has begun to issue required guidance, and OMB has issued guidance on the roles and responsibilities of both the agencies and NIST and has also issued annual reporting guidance and reported annually, as required, to the Congress. Our analysis of the annual reporting guidance identified opportunities to increase the usefulness of the reports for oversight.

Agencies Reporting Progress in FISMA Implementation, but Challenges Remain:

FISMA details requirements for the agencies to fulfill in order to develop a strong agencywide information security program. These key requirements are shown in figure 2. A detailed discussion of each of the requirements follows.
Figure 2: FISMA Requirements for Agency Information Security Programs:
[See PDF for image]
[End of figure]

Periodic Risk Assessments:

As part of the agencywide information security program required for each agency, FISMA mandates that agencies assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information and information systems. Risk assessment is the first step in the risk management process, and organizations use risk assessment to determine the extent of the potential threat to information and information systems and the risk associated with an information technology system throughout its systems development life cycle. Risk assessments help ensure that the greatest risks have been identified and addressed, increase the understanding of risk, and provide support for needed controls.

The Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and related NIST guidance provide a common framework for categorizing systems according to risk. The framework establishes three levels of potential impact on organizational operations, assets, or individuals should a breach of security occur--high (severe or catastrophic), moderate (serious), and low (limited)--which are used to determine the impact for each of the FISMA-specified security objectives of confidentiality, integrity, and availability. Once determined, security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

For fiscal year 2003 FISMA reporting, OMB required agencies to provide the number and percentage of systems assessed for risk. In fiscal year 2003, half of the 24 major agencies reported assessing the level of risk for 90 to 100 percent of their systems.
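The FIPS 199 framework described above is mechanical enough to work through in code. The following is an added example, not from the report or from NIST: it assigns one of the three impact levels to each of the three security objectives for every information type a system holds, then derives the system's security category. It goes one step beyond the text in applying the FIPS 199 rule that a system's category is the highest impact (the "high water mark") per objective across its information types, and in reducing that to a single overall level; the information types, their impact values, and the small likelihood-by-impact table used at the end are constructed for illustration and are not NIST SP 800-60 or SP 800-30 values.

```python
"""FIPS 199 security categorization worked through in code. Added example
with constructed information types; not code from the report or from NIST.
Applies the FIPS 199 high-water-mark rule to combine information types
into a system category, then derives the overall impact level."""

LEVELS = {"low": 1, "moderate": 2, "high": 3}           # FIPS 199 impact levels
OBJECTIVES = ("confidentiality", "integrity", "availability")  # FISMA objectives

# Constructed information types and per-objective impacts (illustrative only).
INFO_TYPES = {
    "public_web_content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "taxpayer_records":   {"confidentiality": "high", "integrity": "moderate", "availability": "moderate"},
    "payroll_processing": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}


def categorize_system(info_type_names, catalog=INFO_TYPES):
    """Return the system's security category {objective: level}. Each objective
    takes the highest impact among the information types present (FIPS 199
    high water mark); a system never goes below 'low' for any objective."""
    category = {obj: "low" for obj in OBJECTIVES}
    for name in info_type_names:
        impacts = catalog[name]
        for obj in OBJECTIVES:
            if LEVELS[impacts[obj]] > LEVELS[category[obj]]:
                category[obj] = impacts[obj]
    return category


def overall_impact(category):
    """Collapse the per-objective category to one level (the highest), which
    is the value used to pick a minimum control baseline for the system."""
    return max(category.values(), key=LEVELS.__getitem__)


def format_category(category):
    """Render in the FIPS 199 notation SC = {(objective, LEVEL), ...}."""
    body = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + body + "}"


# Constructed, simplified likelihood-by-impact table for the last step the
# text mentions: combining the category with threat/vulnerability information.
RISK_TABLE = {
    ("low", "low"): "low", ("low", "moderate"): "low", ("low", "high"): "moderate",
    ("moderate", "low"): "low", ("moderate", "moderate"): "moderate", ("moderate", "high"): "high",
    ("high", "low"): "moderate", ("high", "moderate"): "high", ("high", "high"): "high",
}


def risk_level(threat_likelihood, category):
    """Risk for a threat against the system, given the threat's likelihood and
    the system's overall impact level."""
    return RISK_TABLE[(threat_likelihood, overall_impact(category))]


if __name__ == "__main__":
    sc = categorize_system(["public_web_content", "taxpayer_records"])
    print(format_category(sc), "-> overall", overall_impact(sc))
    print("risk from a moderate-likelihood threat:", risk_level("moderate", sc))
```

The worked case shows why categorization has to precede control selection: adding taxpayer records to a system that otherwise holds only public content lifts confidentiality from low to high, and with it the overall level and every control baseline keyed to it.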
In addition, our review[Footnote 12] of 4 agencies' processes for authorizing their systems found that only 72 percent of the 32 systems we reviewed had current risk assessments. Furthermore, we identified one large federal agency that did not have risk assessments for many of its systems. In fiscal year 2004, agencies were not required by OMB to report on the percentage of systems with risk assessments in their FISMA reports; therefore, information on agencies' performance in this area since 2003 is not readily available.

Risk-Based Policies and Procedures:

FISMA requires agencies to include risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system in their information security programs. These policies include determining security control costs and developing minimally acceptable system configuration requirements.

To indicate implementation of the security cost-benefit provisions in FISMA, OMB requires that agencies' budget submissions specifically identify and integrate security costs as part of life-cycle costs for their information technology investments. It has also provided criteria to be considered in determining such costs and requires that the agencies report the number of their systems that have security control costs integrated into their system life cycles. Fiscal year 2004 data for this measure showed that agencies are reporting increases in integrating the cost of security controls into the life cycle of their systems. Specifically, 19 agencies reported integrating security control costs for 90 percent or more of their systems. This represents an increase from 9 agencies in 2003. Governmentwide, OMB reported that 85 percent of agencies' systems had security costs built into the life cycle of the system, an increase of 8 percent from fiscal year 2003.
If agencies do not plan for security costs in the life cycle of their systems, they may not allocate adequate resources to ensure ongoing security for federal information and information systems.

FISMA requires each agency to have policies and procedures that ensure compliance with minimally acceptable system configuration requirements, as determined by the agency. In fiscal year 2004, for the first time, agencies reported on the degree to which they had implemented security configurations for specific operating systems and software applications. Our analysis of the 2004 agency FISMA reports found that 20 agencies reported that they had implemented agencywide policies containing detailed, specific system configurations. However, these agencies did not necessarily have minimally acceptable system configuration requirements for operating systems and software applications that they were running. Specifically, some agencies reported having system configurations, but they did not always implement them on their systems. Of the remaining 4 agencies, 1 reported that it did not have system configurations, and 3 agencies provided insufficient data to determine their status for this measure.

Subordinate Plans for Information Security:

FISMA requires that agencywide information security programs include subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate. These plans are commonly referred to as system security plans. According to NIST guidance, the purpose of these plans is to (1) provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements and (2) delineate the responsibilities and expected behavior of all individuals who access the system.[Footnote 13] In fiscal year 2003, federal agencies reported that they had developed system security plans for 73 percent of agency systems.
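The configuration-requirements discussion above draws a line between having a documented minimally acceptable configuration and having applied it to the systems actually running; the second is what OMB's measure was meant to capture. An added example, not from the report or any agency, of the check that closes that gap: observed host settings are compared against a baseline and every deviation is reported, with a setting that cannot be observed treated as not implemented. The baseline keys, their comparison rules, and the two host observations are constructed for illustration and are not any agency's standard.

```python
"""Configuration-baseline compliance check. Compares observed host settings
against a minimally acceptable configuration and reports each deviation.
Added example with a constructed baseline and constructed host data; not
code from the report or an agency's actual standard."""

# Each baseline entry is (comparison, required value). Direction matters:
# a minimum password length is met by anything at or above it, a maximum
# password age by anything at or below it.
BASELINE = {
    "ssh.PermitRootLogin": ("==", "no"),
    "ssh.Protocol": ("==", "2"),
    "telnet.enabled": ("==", False),
    "audit.enabled": ("==", True),
    "password.min_length": (">=", 12),
    "password.max_age_days": ("<=", 90),
}

COMPARISONS = {
    "==": lambda actual, required: actual == required,
    ">=": lambda actual, required: actual >= required,
    "<=": lambda actual, required: actual <= required,
}

# Constructed observations: host-a has the baseline applied; host-b is the
# "policy on paper, not on the box" case the text describes.
OBSERVED = {
    "host-a": {
        "ssh.PermitRootLogin": "no", "ssh.Protocol": "2", "telnet.enabled": False,
        "audit.enabled": True, "password.min_length": 14, "password.max_age_days": 60,
    },
    "host-b": {
        "ssh.PermitRootLogin": "yes", "ssh.Protocol": "2", "telnet.enabled": True,
        "password.min_length": 8, "password.max_age_days": 90,   # audit.enabled not observed
    },
}


def check_host(settings, baseline=BASELINE):
    """Return [(setting, requirement, actual), ...] for every baseline item
    the host fails. A setting absent from the observation fails with
    actual=None: a control that cannot be verified is not implemented."""
    deviations = []
    for key, (op, required) in baseline.items():
        actual = settings.get(key)
        if actual is None or not COMPARISONS[op](actual, required):
            deviations.append((key, f"{op} {required!r}", actual))
    return deviations


def compliance_percent(settings, baseline=BASELINE):
    """Percentage of baseline items the host satisfies, as an integer."""
    failed = len(check_host(settings, baseline))
    return round(100 * (len(baseline) - failed) / len(baseline))


def fleet_report(observed=OBSERVED, baseline=BASELINE):
    """Per-host compliance percentage, the figure an agency would roll up
    into its reporting on implemented configurations."""
    return {host: compliance_percent(settings, baseline) for host, settings in observed.items()}


if __name__ == "__main__":
    for host, settings in OBSERVED.items():
        print(host, f"{compliance_percent(settings)}% compliant")
        for key, requirement, actual in check_host(settings):
            print(f"  {key}: required {requirement}, observed {actual!r}")
```

Reporting the deviation list rather than a pass/fail flag is what makes the result actionable: each line maps directly to a remediation item, and the percentage alone would hide that host-b's failures include an unobserved audit setting.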
Although OMB did not require agencies to report on this measure for fiscal year 2004, analysis of the IG FISMA reports for that year revealed that agencies had weaknesses in their system security plans. For example, IGs noted instances where security plans were not developed for all systems or applications. Other weaknesses included plans that were not updated after the systems were significantly modified. Without current, complete system security plans, agencies cannot be assured that vulnerabilities have been mitigated to acceptable levels.

Information Security Training:

FISMA requires agencies to provide security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks. In addition, agencies are required to provide appropriate training on information security to personnel with significant security responsibilities.

Agencies reported the number and percentage of employees and contractors who received information security awareness training and the number and percentage of employees with significant security responsibilities who received specialized training. Our analysis found that agencies were reporting increases in the number and percentages of employees and contractors who have received security awareness training, but many of the agencies reported a decline in the percentage of employees with significant security responsibilities who have received specialized training. For example, 18 of the 24 major agencies reported increasing percentages of employees and contractors who received security awareness training in fiscal year 2004.
Furthermore, all 24 agencies reported that they provided security awareness training to 60 percent or more of their employees and contractors for fiscal year 2004, up from 19 agencies in fiscal year 2003. Similarly, 17 agencies reported that they provided security awareness training for 90 percent or more of their employees, an increase from 13 agencies in 2003 (see fig. 3).

Figure 3: Percentage of Employees and Contractors Who Received Information Security Awareness Training in Fiscal Year 2004:
[See PDF for image]
--graphic text: Pie chart with two items.
Between 90 and 100% (17 agencies): 71%;
Between 50 and 89% (7 agencies): 29%.
Source: GAO analysis of agency-reported data.
[End of figure]

However, the governmentwide percentage of employees with significant security responsibilities receiving specialized training decreased from 85 to 81 percent in fiscal year 2004. More specifically, 10 agencies reported decreases in this performance measure. Figure 4 shows the fiscal year 2004 results for this area.

Figure 4: Percentage of Employees with Significant Security Responsibilities Who Received Specialized Security Training in Fiscal Year 2004:
[See PDF for image]
--graphic text: Pie chart with three items.
Between 90 and 100% (10 agencies): 42%;
Between 50 and 89% (10 agencies): 42%;
Less than 50% (4 agencies): 17%.
Source: GAO analysis of agency-reported data.
[End of figure]

Failure to provide up-to-date information security awareness training could contribute to the information security problems at agencies. For example, in our report on wireless networks, we determined that the majority of agencies did not address wireless security issues in security awareness training. As a result, their employees may not have been aware of the security risks when they set up unauthorized wireless networks.
Periodic Testing and Evaluation of Information Security Policies, Procedures, and Practices:

FISMA requires that agency information security programs include periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices to be performed with a frequency that depends on risk, but no less than annually. This is to include testing of management, operational, and technical controls of every information system identified in the FISMA-required inventory of major systems. Periodically evaluating the effectiveness of security policies and controls and acting to address any identified weaknesses are fundamental activities that allow an organization to manage its information security risks proactively, rather than reacting to individual problems ad hoc only after a violation has been detected or an audit finding has been reported. Further, management control testing and evaluation as part of program reviews is an additional source of information that can be considered along with control testing and evaluation in IG and other independent audits to help provide a more complete picture of the agencies' security postures.

OMB requires that agencies report the number of systems annually for which security controls have been reviewed. In 2004, 23 agencies reported that they had reviewed 90 percent or more of their systems, as compared to only 11 agencies in 2003 that were able to report those numbers (see fig. 5).

Figure 5: Percentage of Agency Systems Reviewed during Fiscal Year 2004:
[See PDF for image]
--graphic text: Pie chart with two items.
Between 90 and 100% (23 agencies): 96%;
Between 50 and 89% (1 agency): 4%.
Source: GAO analysis of agency-reported data.
[End of figure]

However, agencies have not reported the same progress in addressing reviews of contractor operations.
Even though the overall average of contractor operations reviewed for the 24 major agencies increased slightly to 83 percent in fiscal year 2004, 8 agencies reported reviewing less than 60 percent of their contractor operations (see fig. 6). As a result, agencies cannot be assured that federal information and information systems managed by contractors are protected in accordance with agency policies.

Figure 6: Percentage of Contractor Operations Reviewed during Fiscal Year 2004:
[See PDF for image]
--graphic text: Pie chart with two items.
Between 60 and 100% (16 agencies): 67%;
Less than 60% (8 agencies): 33%.
Source: GAO analysis of agency-reported data.
[End of figure]

Our recent report on the oversight of contractor operations[Footnote 14] indicated that the methods that agencies are using to ensure information security oversight have limitations and need strengthening. For example, most agencies have not incorporated FISMA requirements, such as annual testing of controls, into their contract language. Additionally, most of the 24 major agencies reported having policies for contractors and users with privileged access to federal data and systems; however, our analysis of submitted agency policies found that only 5 agencies had established specific information security oversight policies. Finally, while the majority of agencies reported using a NIST self-assessment tool to review contractor security capabilities, only 10 agencies reported using the tool to assess users with privileged access to federal data and systems, which may expose federal data to increased risk.

Remedial Actions to Address Deficiencies in Information Security Policies, Procedures, and Practices:

Another requirement of FISMA is that agencies' information security programs include a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in information security policies, procedures, and practices.
Developing effective corrective action plans is key to ensuring that remedial action is taken to address significant deficiencies. These remediation plans, called plans of action and milestones by OMB, are to list the weaknesses and show estimated resource needs or other challenges to resolving them, key milestones and completion dates, and the status of corrective actions.

OMB requires agencies to report whether they have a remediation plan for all programs and systems where a security weakness has been identified. OMB also requested that IGs assess whether the agency has developed, implemented, and managed an agencywide process for these plans. According to the IGs' assessments of their agencies' remediation processes, 14 of the 24 major agencies did not almost always incorporate information security weaknesses for all systems into their remediation plans. The IGs also reported that 13 agencies did not use the remediation process to prioritize information security weaknesses more than 95 percent of the time to help ensure that significant weaknesses are addressed in an efficient and timely manner. Without a sound remediation process, agencies cannot efficiently and effectively correct weaknesses in their information security programs.

Security Incident Procedures:

Although even strong controls may not block all intrusions and misuse, organizations can reduce the risks associated with such events if they take steps to detect and respond to them before significant damage occurs. Accounting for and analyzing security problems and incidents are also effective ways for an organization to gain a better understanding of threats to its information and of the cost of its security-related problems. Such analyses can also pinpoint vulnerabilities that need to be addressed to help ensure that they will not be exploited again.
Problem and incident reports can, therefore, provide valuable input for risk assessments, help in prioritizing security improvement, and be used to illustrate risks and related trends in reports to senior management.

FISMA requires that agencies' information security programs include procedures for detecting, reporting, and responding to security incidents; mitigating risks associated with such incidents before substantial damage is done; and notifying and consulting with the information security incident center and other entities, as appropriate, including law enforcement agencies and relevant IGs. NIST has provided guidance to assist organizations in establishing computer security incident-response capabilities and in handling incidents efficiently and effectively.

OMB requires agencies to report information related to security incident reporting. This information includes whether the agency follows documented policies and procedures for reporting incidents internally, externally to law enforcement, and to the United States Computer Emergency Readiness Team (US-CERT).[Footnote 15] Information reported for this requirement varied widely across the agencies. Some agencies reported relatively few incidents internally (fewer than 10), while others reported as many as 600,000 incidents. Half (12 of 24) of the major agencies' CIOs stated that they reported between 90 and 100 percent of incidents to US-CERT. One agency reported between 75 and 89 percent of incidents to US-CERT. The other agencies said that they reported 49 percent or fewer of their incidents to US-CERT or provided information that was not comparable. OMB stated in its March 1, 2005, FISMA report that it was concerned that very low numbers of incidents were being reported to US-CERT. Our work in this area[Footnote 16] also indicated that agencies were not consistently reporting security incidents. Without adequate reporting, the federal government cannot be fully aware of possible threats.
Continuity of Operations:

FISMA requires that agencywide information security programs include plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. Contingency plans provide specific instructions for restoring critical systems, including such elements as arrangements for alternative processing facilities in case the usual facilities are significantly damaged or cannot be accessed due to unexpected events such as temporary power failure, accidental loss of files, or a major disaster. It is important that these plans be clearly documented, communicated to potentially affected staff, and updated to reflect current operations.

The testing of contingency plans is essential to determining whether the plans will function as intended in an emergency situation. The most useful tests involve simulating a disaster situation to test overall service continuity. Such a test would include testing whether the alternative data processing site will function as intended and whether critical computer data and programs recovered from off-site storage are accessible and current. In executing the plan, managers will be able to identify weaknesses and make changes accordingly. Moreover, tests will assess how well employees have been trained to carry out their roles and responsibilities in a disaster situation.

To show the status of implementing this requirement, OMB required that agencies report the percentage of systems that have a contingency plan and the percentage that have contingency plans that have been tested. Overall, federal agencies reported that 57 percent of their systems had contingency plans that had been tested. Although 19 agencies reported increases in the testing of contingency plans, 6 agencies reported that less than 50 percent of their systems had tested contingency plans (see fig. 7).
Figure 7: Percentage of Systems with Contingency Plans that Have Been Tested for Fiscal Year 2004:
[See PDF for image]
--graphic text: Pie chart with three items.
Between 90 and 100% (7 agencies): 29%;
Between 50 and 89% (11 agencies): 46%;
Less than 50% (6 agencies): 25%.
Source: GAO analysis of agency-reported data.
[End of figure]

Also, three agencies reported having contingency plans for all their systems and only 1 reported testing the plans for all their systems. Without testing, agencies have limited assurance that they will be able to recover mission-critical applications, business processes, and information in the event of an unexpected interruption.

Inventory of Major Systems:

FISMA also requires that each agency develop, maintain, and annually update an inventory of major information systems operated by the agency or under its control. A complete and accurate inventory of major information systems is a key element of managing the agency's information technology resources, including the security of those resources. The inventory is used to track the agency systems for annual testing and evaluation and contingency planning. In addition, the total number of agency systems is a key element in OMB's performance measures, in that agency progress is indicated by the percentage of total systems that meet specific information security requirements. Thus, inaccurate or incomplete data on the total number of agency systems affect the percentage of systems shown as meeting the requirements.

In fiscal year 2004 FISMA reports, 20 of the 24 major agencies reported having complete, accurate inventories that were updated at least annually. There was disagreement among the agencies and IGs regarding the accuracy of the number of programs, systems, and contractor operations or facilities. For instance, although 20 agencies reported having inventories that were updated at least annually, only 8 IGs agreed with the accuracy of those inventories.
Without complete, accurate inventories, agencies cannot efficiently maintain and secure their systems. Moreover, the performance measures that are stated as a percentage of systems, including systems and contractor operations reviewed annually, continuity plans tested, and certification and accreditation, may not accurately reflect the extent to which these security practices have been implemented.

Certification and Accreditation:

In addition to the FISMA requirements, OMB requires agencies to report on their certification and accreditation process. Certification and accreditation is the requirement that agency management officials formally authorize their information systems to process information, thereby accepting the risk associated with their operation. This management authorization (accreditation) is to be supported by a formal technical evaluation (certification) of the management, operational, and technical controls established in an information system's security plan. This process is not included in FISMA but does include statutory requirements such as risk assessments and security plans. Therefore, OMB eliminated separate reporting requirements for risk assessments and security plans.

For annual reporting, OMB requires agencies to report the number of systems authorized for processing after completing certification and accreditation. For fiscal year 2004, OMB's guidance also requested that IGs assess their agencies' certification and accreditation process. Data reported for this measure showed overall increases for most agencies. According to OMB, 77 percent of government systems had undergone certification and accreditation for fiscal year 2004. For example, 19 of the 24 major agencies reported increasing percentages from fiscal year 2003 to fiscal year 2004. In addition, 17 agencies reported percentages of systems certified and accredited at or above 90 percent (see fig. 8).
Figure 8: Percentage of Systems during Fiscal Year 2004 that Were Authorized for Processing after Certification and Accreditation: [Pie chart; see PDF for image] Between 90 and 100% (17 agencies): 71%; Between 50 and 89% (5 agencies): 21%; Less than 50% (2 agencies): 8%. Source: GAO analysis of agency-reported data. [End of figure]

Although agencies have reported progress in certifying and accrediting their systems, weaknesses in the process remain. In a previously issued report,[Footnote 17] we determined that agencies were unclear on the number of systems that undergo the process, were inconsistent in their reporting of certification and accreditation performance data, and lacked quality assurance policies and procedures relating to the certification and accreditation process. The IGs also reported weaknesses in the certification and accreditation process in their fiscal year 2004 FISMA reports. For example, IGs reported systems that did not have formal authorization to operate or were missing critical elements such as security plans, risk assessments, and contingency plans. Furthermore, OMB's March 2005 report to Congress noted that seven IGs rated their agencies' certification and accreditation process as poor. Therefore, agencies' reported data may not accurately reflect the status of an agency's implementation of this requirement.

Inspectors General Fulfill FISMA Requirements but Lack Framework:

FISMA requires the IGs to perform an independent evaluation of the information security program and practices of the agency to determine the effectiveness of such programs and practices.
Each evaluation should include (1) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems and (2) assessing compliance (based on the results of the testing) with FISMA requirements and related information security policies, procedures, standards, and guidelines. The IGs have conducted annual evaluations as required and have reported on the results. However, they do not have a common approach to the annual evaluations. As a result, IGs may not be performing their evaluations with peak effectiveness, efficiency, and adequate quality control.

A commonly accepted framework or methodology for the FISMA independent evaluations could provide improved effectiveness, increased efficiency, quality control, and consistency of application. Such a framework may provide improved effectiveness of the annual evaluations by ensuring that compliance with FISMA and all related guidance, laws, and regulations is considered in the performance of the evaluation. IGs may be able to use the framework to be more efficient by focusing evaluative procedures on areas of higher risk and by following an integrated approach designed to gather evidence efficiently. A commonly accepted framework may offer quality control by providing a standardized methodology that can be followed by all personnel. Finally, IGs may obtain consistency of application through a documented methodology.

A commonly accepted framework for performing the annual FISMA evaluation could offer additional benefits as well. For example, it might allow the IGs to coordinate on information security issues, weaknesses, and initiatives that cross agency lines. It could also facilitate appropriate coverage of major federal contractors who serve multiple federal agencies.
Such a framework could provide assistance to the smaller IG offices by allowing them to leverage lessons learned by larger IG offices, for example, through the development and use of model statements of work for FISMA contracts. Finally, the usefulness and comparability of the IGs' annual evaluations for oversight bodies may be improved by the adoption of a framework for the FISMA independent evaluations. The current inconsistencies in methodology affect the consistency and comparability of reported results. As a result, the usefulness of the IG reviews for assessing the governmentwide information security posture is potentially reduced.

The President's Council on Integrity and Efficiency[Footnote 18] has recognized the importance of having a framework and is working to develop one for FISMA reviews. The Council is including both OMB and us in its deliberations. The Council, which currently maintains The Financial Audit Manual, a commonly accepted framework for the performance of government financial audits, brings expertise and experience to the development of a FISMA evaluation framework.

NIST Maintains Timely Release of Guidance:

NIST has developed a plan for releasing important guidance for the agencies and fulfilling its other responsibilities under FISMA. NIST is required, among other things, to issue guidance on information security policies and practices for the agencies, provide technical assistance, conduct research as needed in information security, and assist in the development of standards for national security systems. After FISMA was enacted, NIST developed the FISMA Implementation Project to enable it to fulfill its statutory requirements in a timely manner. The project is divided into three phases.
Phase I focuses on the development of a suite of security standards and guidelines required by FISMA as well as other FISMA-related publications necessary to create a robust information security program and effectively manage risk to agency operations and agency assets. NIST has already issued one FIPS, which covers the categorization of systems according to risk (FIPS 199). A second FIPS concerning the minimum security requirements for each risk category (FIPS 200) is due out soon. NIST has also issued guidance to assist the agencies in determining the correct risk level for systems and mapping the systems to the correct categories. Phase I is due to be completed in 2006. The status of the guidance is shown in figure 9.

Figure 9: Status of FISMA Guidance at NIST: [See PDF for image]

Notes: The publications shown in the figure are:
* FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
* FIPS 200: Minimum Security Requirements for Federal Information Systems
* SP 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
* SP 800-53: Recommended Security Controls for Federal Information Systems
* SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems
* SP 800-59: Guideline for Identifying an Information System as a National Security System
* SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
* SP 800-26: Assessment Guide for Information Systems and Security Programs
* SP 800-18: Guide for Developing Security Plans for Federal Information Systems
[End of figure]

Phase II will focus on the development of a program for accrediting public and private sector organizations to conduct security certification services for federal agencies, as part of agencies' certification and accreditation requirements. Organizations that participate in the organizational accreditation program[Footnote 19] can demonstrate competency in the application of NIST security standards and guidelines.
NIST states that developing a network of accredited organizations with demonstrated competence in the provision of security certification services will give federal agencies greater confidence in the acquisition and use of such services. Phase II is planned for fiscal year 2006.

Phase III is the development of a program for validating security tools. The program will rely on private sector, accredited testing laboratories to conduct evaluations of the security tools. NIST will provide validation services and laboratory oversight. Implementation of this phase is also planned for fiscal year 2006.

The agency has also made progress in implementing other requirements. For example, it is continuing to provide consultative services to agencies on FISMA-related information security issues and has established a Web site for federal agencies to identify, evaluate, and disseminate best practices for critical infrastructure protection and security. In addition, it has established a Web site for the private sector to share nonfederal information security practices. NIST has continued an ongoing dialogue with the National Security Agency and the Committee on National Security Systems to coordinate and take advantage of the security work these entities have under way within the federal government.

In addition to the specific responsibilities to develop standards and guidance, other information security activities undertaken by NIST include:
* operating a computer security expert assist team to assist federal agencies in identifying and resolving security problems;
* conducting security research in areas such as access control, wireless, mobile agents, smart cards, and quantum computing;
* improving the security of control systems that manage key elements of the country's critical infrastructure; and
* performing cyber security product certifications required for government procurements.
Finally, NIST issued its annual status reports as required by FISMA in April of 2003 and 2004.

OMB Oversees FISMA Implementation, but Analysis of Annual Reporting Guidance Identified Opportunities for Improvement:

According to FISMA, the Director of OMB is responsible for developing and overseeing the implementation of information security at the agencies. OMB reported that it has used the information gathered under this act to assist it in focusing its attention and resources on poorly performing agencies. To oversee the implementation of policies and practices relating to information security, OMB has issued guidance to the agencies on their requirements under FISMA. In its annual memorandum on reporting, it instructed agencies that the use of NIST standards and guidance was required.

OMB has updated its budget guidance[Footnote 20] to gather data on information security at the agencies. For example, it asks the agencies to estimate the percentage of the total investment in information technology that is associated with security. Agencies are asked to consider the products, procedures, and personnel that are dedicated primarily to the provision of security. These procedures include FISMA requirements, such as risk assessments, security plans, education and training, system reviews, remedial plans, contingency planning and testing, and reviews or inspections of contractor operations.

To oversee agency compliance with FISMA, OMB relies on annual reporting by the agencies and the IGs. It reported the results of this annual reporting to Congress by March 1 in 2004 and 2005, as required by FISMA. In these reports, it evaluated the agencies' reported data against performance measures it had developed. On August 23, 2004, OMB issued its fiscal year 2004 reporting instructions.
The reporting instructions, similar to the 2003 instructions, emphasized a strong focus on performance measures and were formatted to elicit a quantitative, rather than a narrative, response. OMB stated that it is using a combination of sources to fulfill its requirement under FISMA to annually approve or disapprove of agencies' information security programs; some information is taken from security and privacy information submitted by the agencies during the budget process, and other information comes from the annual reporting.

Analysis of Annual Reporting Identifies Opportunities to Enhance Oversight of Agency Implementation:

Periodic reporting of performance measures for FISMA requirements and related analysis provides valuable information on the status and progress of agency efforts to implement effective security management programs. However, as we have recently testified,[Footnote 21] our analysis of OMB's annual reporting guidance identified areas where additional reporting requirements would increase the usefulness of annual reports for oversight. These areas include reporting on the quality of agency processes, risk-based reporting of data, including key FISMA requirements, and ensuring clarity.

Limited Assurance of the Quality of Agency Processes:

Current performance measures offer limited assurance of the quality of agency processes that implement key security policies, controls, and practices. For example, for the annual review process, agencies report the number of agency systems and contractor operations they reviewed. They also report on, and the IGs confirm, whether they used appropriate guidance. However, reporting on the quality of the reviews, such as whether guidance was applied correctly or whether results were tracked for remediation, is not required. Moreover, as mentioned previously, our work in this area revealed that the methods agencies were using for the reviews had limitations and needed strengthening.
Providing information on the quality of the review process would further enhance the usefulness of the annually reported data in this area for management and oversight purposes. OMB has recognized the need for assurance of quality for agency processes. For example, it specifically requested that the IGs evaluate the plan of action and milestones process and the certification and accreditation process at their agencies. The results of these evaluations call into question the reliability and quality of the data reported by several agencies. Therefore, increased risk exists that the performance data reported by the agencies may not accurately reflect the status of agencies' implementation of these information security activities.

Data Not Reported According to System Risk:

Performance measurement data are reported on the total number of agency systems but do not indicate the assessed level of risk of those systems. Reporting by system risk could provide information about whether agencies are prioritizing their information security efforts according to risk. For example, the performance measures for fiscal year 2004 show that 57 percent of the total number of systems have tested contingency plans, but do not indicate to what extent this 57 percent includes the agencies' high or moderate risk systems. Therefore, agencies, the administration, and Congress cannot be sure that critical federal operations can be restored if an unexpected event disrupts service.

Reporting Does Not Include Aspects of Key Requirements:

Currently, OMB reporting guidance and performance measures do not include separate and complete reporting on FISMA requirements. For example, FISMA requires agencies to have procedures for detecting, reporting, and responding to security incidents. Currently, the annual reporting developed by OMB focuses on incident reporting: how the agencies are reporting their incidents internally, to law enforcement, and to US-CERT.
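The two measurement problems described in this report (an inaccurate system inventory, discussed under "Inventory of Major Systems", and aggregate percentages that hide the risk level of the systems counted, discussed under "Data Not Reported According to System Risk") can be made concrete with a small calculation. The following Python is an added example and is not GAO, OMB or agency code. The agency inventory, the FIPS 199 impact levels and the per-system flags are constructed for illustration only; the aggregate contingency-plan figure was chosen to land on the same 57 percent that the fiscal year 2004 measures reported governmentwide, and the `omb_band` thresholds simply mirror the 90-100 / 50-89 / under-50 percent bands used in figures 7 and 8.

```python
from dataclasses import dataclass

# FIPS 199 overall impact levels, highest first
IMPACT_LEVELS = ("high", "moderate", "low")


@dataclass(frozen=True)
class System:
    name: str
    impact: str            # FIPS 199 overall impact level of the system
    in_inventory: bool     # listed in the agency's FISMA system inventory?
    accredited: bool       # authorized to process after C&A this fiscal year
    cp_tested: bool        # contingency plan exists and was tested this year


# Constructed sample inventory for a hypothetical agency (not real agency data).
# Two systems (H3 and M5) exist but are missing from the agency's inventory.
SYSTEMS = [
    System("H1", "high", True, True, False),
    System("H2", "high", True, True, False),
    System("H3", "high", False, False, False),
    System("M1", "moderate", True, True, True),
    System("M2", "moderate", True, True, True),
    System("M3", "moderate", True, True, True),
    System("M4", "moderate", True, True, False),
    System("M5", "moderate", False, True, False),
    System("L1", "low", True, True, True),
    System("L2", "low", True, True, True),
    System("L3", "low", True, True, True),
    System("L4", "low", True, True, True),
    System("L5", "low", True, True, True),
    System("L6", "low", True, True, False),
]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 for an empty population."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def measure(systems, attr):
    """OMB-style performance measure: percent of systems with `attr` true."""
    systems = list(systems)
    return pct(sum(1 for s in systems if getattr(s, attr)), len(systems))


def measure_by_impact(systems, attr):
    """The same measure broken out by FIPS 199 impact level."""
    systems = list(systems)
    return {
        level: measure((s for s in systems if s.impact == level), attr)
        for level in IMPACT_LEVELS
    }


def omb_band(rate):
    """Bucket a rate into the bands used in figures 7 and 8 of the report."""
    if rate >= 90.0:
        return "90-100%"
    if rate >= 50.0:
        return "50-89%"
    return "<50%"


def reported_vs_actual(systems, attr):
    """Rate over the agency's own inventory versus over all systems.

    An agency can only report on systems it has inventoried, so the
    reported figure uses in_inventory systems; the actual figure uses the
    full population, which is what an IG would try to establish.
    """
    systems = list(systems)
    reported = measure((s for s in systems if s.in_inventory), attr)
    actual = measure(systems, attr)
    return reported, actual


def summarize(systems, attr):
    """Everything an oversight body would want to see for one measure."""
    reported, actual = reported_vs_actual(systems, attr)
    return {
        "reported": reported,
        "reported_band": omb_band(reported),
        "actual": actual,
        "actual_band": omb_band(actual),
        "by_impact": measure_by_impact(systems, attr),
    }


if __name__ == "__main__":
    for attr in ("cp_tested", "accredited"):
        s = summarize(SYSTEMS, attr)
        print(f"{attr}: reported {s['reported']}% ({s['reported_band']}), "
              f"actual {s['actual']}% ({s['actual_band']}), "
              f"by impact {s['by_impact']}")
```

With this constructed inventory the agency reports 66.7 percent of systems with tested contingency plans, the true figure over all systems is 57.1 percent, and neither number reveals that none of the high-impact systems has a tested plan. For certification and accreditation the reported figure is 100 percent and the actual figure 92.9 percent, both in the 90-100 band, while only two of three high-impact systems are accredited. That is the gap the risk-category and inventory-accuracy points above describe.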
Although incident reporting is an important aspect of incident handling, it is only one part of the process. Additional questions that cover incident detection and response activities would be useful to oversight bodies in determining the extent to which agencies have implemented capabilities for managing security incidents.

Reporting on the remediation process does not include a key aspect of this process. Current reporting guidance asks about the inclusiveness of the plans, i.e., whether all known information security weaknesses are included; however, whether and how weaknesses are mitigated is not reported. For example, the agencies do not report what percentage of existing weaknesses they have remedied during the year. In addition, agencies do not report the risk level of the systems on which the weaknesses are found. Valuable information may be provided to oversight bodies by posing additional questions on the remediation process.

The annual reporting process also does not include separate reporting on certain FISMA requirements. For example, in the 2004 guidance, OMB eliminated separate reporting on risk assessments and security plans. Because the guidance on the certification and accreditation process required both risk assessments and security plans, OMB did not require agencies to answer separate questions in these areas. Although OMB did ask for the IGs' assessments of the certification and accreditation process, it did not require them to comment separately on these specific requirements. As a result, agency management, Congress, and OMB do not have complete information on the status of agencies' implementation efforts for these requirements.

Reporting Instructions Need Clarity:

Several questions in OMB's 2004 reporting guidance could be subject to differing interpretations by IGs and the agencies.
For example, one of the questions asked the IGs whether they and their agency used the plan of action and milestones as a definitive management tool; however, IGs are not required to use these plans. Therefore, a negative answer to this question could mean either that neither the agency nor the IG was using the plan, or that only one of them was not using it. As a result, it may erroneously appear that agencies were not using the plans as the major management tool for remediation of identified weaknesses, as required by OMB.

Another example of differing interpretations was one of the inventory questions. It asked if the IG and agency agreed on the number of programs, systems, and contractor operations in the inventory. Since the question could be interpreted two ways, the meaning of the response was unclear. For example, if an IG replied in the negative, it could mean that while the IG agreed with the total numbers in the inventory, it disagreed with how the agency identified whether an inventory entry was a program, a system, or a contractor operation. Alternatively, a negative response could mean that the IG disagreed with the overall accuracy of the inventory. Additional questions in the areas of configuration management and certification and accreditation also generated confusion. As a result, unclear reporting instructions may have decreased the reliability and consistency of reported performance data.

Conclusions:

Federal agencies have not consistently implemented effective information security policies and practices. As a result, pervasive weaknesses exist in almost all areas of information security controls. These weaknesses place federal operations and assets at risk of fraud, misuse, and abuse, and may put financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.
In our prior reports, as well as in reports by the IGs, specific recommendations were made to the agencies to mitigate identified information security weaknesses.

The government is progressing in implementing FISMA requirements; the agencies, IGs, NIST, and OMB have all made advances in fulfilling their requirements. However, current reporting under FISMA by the agencies produces performance data that may not accurately reflect the status of agencies' implementation of required information security policies and procedures. Oversight entities are not able to determine from the reports a true or complete picture of the adequacy and effectiveness of agencies' information security programs. However, opportunities exist to improve reporting guidance that might lead to more useful and complete information on the implementation of agencies' information security programs. Until such information is available, there is little assurance that the pervasive weaknesses in agencywide information security programs are being addressed.

Recommendations for Executive Action:

We recommend that the Director of OMB take the following four actions in revising future FISMA reporting guidance:
* request the inspectors general to report on the quality of additional agency processes, such as the annual system reviews;
* require agencies to report FISMA data by risk category;
* ensure that all aspects of key FISMA requirements are reported on in the annual reports; and
* review guidance to ensure clarity of instructions.

Agency Comments and Our Evaluation:

In written comments on a draft of this report (reprinted in app. II), the Administrator, Office of E-Government and Information Technology, OMB, agreed with our overall assessment of information security at the agencies, but disagreed with one of our recommendations to enhance FISMA reporting guidance and provided comments on the others. In addition, the Administrator made several general comments.
In commenting on our recommendation that OMB guidance request that the IGs report on the quality of additional agency processes, OMB stated that its current guidance has provided the IGs with the opportunity to include supporting narrative responses for all questions and that the guidance encourages the IGs to provide any additional meaningful information they may have. We acknowledge that OMB has given the agency IGs the opportunity to include such additional information as they believe may be helpful. However, since specific information was not requested, the resulting information that was reported, if any, was not consistent or comparable across the agencies and over time. In our report, we noted that OMB has recognized the need for assurance of quality for agency processes. For example, OMB specifically requested that the IGs evaluate the plans of action and milestones and the certification and accreditation processes at their agencies. We believe that additional processes, such as the annual system review process, should be assessed for quality. This would further enhance the usefulness of the annually reported data for management and oversight purposes.

Regarding our recommendation to include FISMA data by risk category, OMB noted in its comments that this recommendation is now addressed by its fiscal year 2005 FISMA reporting guidance. This guidance was issued in June 2005.

In responding to our recommendation to ensure that all key FISMA requirements are reported on in the annual reports, OMB disagreed with our assessment that additional sub-elements are necessary in its reporting guidance and stated that its reporting guidance satisfies all FISMA requirements through a combination of data collection and specialized questions. OMB cited as examples its performance data on agencies' certification and accreditation processes and its questions to IGs regarding the quality of agency corrective plans of action and milestones.
In addition, it commented that its guidance complied with the remainder of FISMA's reporting requirements by having agencies respond to specialized questions. As noted in our report, some FISMA requirements are not specifically being addressed through these means, such as reporting on risk assessments, subordinate security plans, security incident detection and response activities, and whether weaknesses are mitigated. We agree with OMB that the process of certification and accreditation requires agencies to document risk assessments and security plans. However, as stated in our report, the IGs reported that the certification and accreditation processes included missing security plans, risk assessments, and contingency plans. Furthermore, seven IGs rated their agencies' certification and accreditation processes as poor. Since the quality of the certification and accreditation processes at some agencies has been called into question by the IGs, we believe reporting separately on the risk assessments and security plans at this time may provide better information on the status of agencies' information security implementation efforts.

OMB commented on our recommendation that it review guidance to ensure clarity of instructions by stating that its staff worked with agencies and the IGs throughout the year when developing the guidance and, in particular, during the reporting period to ensure that agencies adequately understood the reporting instructions. We acknowledge OMB's efforts to help ensure better clarity, but believe more needs to be done. As noted in this report, several questions in the guidance could be subject to differing interpretations. For example, questions in the areas of plans of action and milestones, inventory, configuration management, and certification and accreditation generated confusion. As a result, the reported data may contain erroneous information, and its reliability and consistency could be decreased.
OMB also strongly disagreed with any inference in the draft report that its reporting guidance fails to meet the requirements of FISMA. We did not make such a statement. Rather, our report provides that OMB needs to enhance its reporting guidance to the agencies so that the annual FISMA reports provide more information essential for effective oversight. Similarly, OMB commented that our report included the suggestion that, unless it asked a specific question in a particular way and agencies answered those questions once each year, agencies would not implement FISMA nor provide adequate cost-effective security for their information and systems. This characterization of our report is incorrect. We noted that specific recommendations were previously made to the agencies to remedy identified information security weaknesses. Our recommendations in this report address the need for OMB to enhance its FISMA reporting guidance to increase the effectiveness and reliability of annual reporting. Our report also emphasized the need to improve FISMA data for oversight purposes. We believe that OMB can achieve this by implementing our recommendations.

We are sending copies of this report to the Director of OMB and to interested congressional committees. We will also make copies available to others upon request. In addition, the report will be available on GAO's Web site at [Hyperlink, http://www.gao.gov].

If you have any questions or wish to discuss this report, please contact me at (202) 512-6244 or [Hyperlink, wilshuseng@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III.

Signed by: Gregory C. Wilshusen: Director, Information Security Issues:

[End of section]

Appendixes:

Appendix I: Objectives, Scope, and Methodology:

In accordance with the FISMA requirement that the Comptroller General report periodically to the Congress, our objectives were to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) implementation of FISMA requirements.

To assess the adequacy and effectiveness of agencies' information security policies and practices, we analyzed our related reports issued from the beginning of fiscal year 2003 through May of 2005. We also reviewed and analyzed the information security work and products of the IGs. Both our reports and the IGs' products used the methodology contained in The Federal Information System Controls Audit Manual. Further, we reviewed and analyzed data on information security in federal agencies' performance and accountability reports.

To assess implementation of FISMA requirements, we reviewed and analyzed the Federal Information Security Management Act (Public Law 107-347); the 24 major federal agencies' and Office of Inspector General FISMA reports for fiscal years 2003 and 2004, as well as the performance and accountability reports for those agencies; the Office of Management and Budget's FISMA guidance and mandated annual reports to Congress; and the National Institute of Standards and Technology's standards, guidance, and annual reports. We also held discussions with agency officials and the agency inspectors general to further assess the implementation of FISMA requirements. We did not include systems categorized as national security systems in our review, nor did we review the adequacy or effectiveness of the security policies and practices for those systems.

Our work was conducted in Washington, D.C., from September 2004 through May 2005 in accordance with generally accepted government auditing standards.
[End of section]

Appendix II: Comments from the Office of Management and Budget:

EXECUTIVE OFFICE OF THE PRESIDENT:
OFFICE OF MANAGEMENT AND BUDGET:
WASHINGTON, D.C. 20503:

JUN 29 2005:

Gregory C. Wilshusen:
Director, Information Security Issues:
Government Accountability Office:
441 G Street, SW:
Washington, DC 20548:

Dear Mr. Wilshusen:

Thank you for the opportunity to comment on GAO's draft report on agency implementation of the Federal Information Security Management Act (FISMA), "INFORMATION SECURITY: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements" (GAO-05-552). FISMA is the foundation of the Federal government's information security program, and we appreciate GAO's careful analysis of FISMA's requirements. In particular, we value GAO identifying specific persistent information security problems at the agencies, and agree that improvement is needed.

GAO's draft report includes four recommendations for OMB regarding agency reporting on FISMA. In particular, GAO's draft report recommends OMB expand its existing reporting guidance to agencies to include additional elements. OMB disagrees, however, that additional sub-elements are necessary and strongly disagrees with any inference in the draft report that OMB's reporting guidance fails to meet the requirements of FISMA. OMB's reporting instructions satisfy all FISMA requirements through a combination of data collection and specialized questions. For instance, OMB collects performance data from the agencies (including their Inspectors General (IG)) on their certification and accreditation processes. This requires agencies to document all components of security planning such as risk assessments, contingency plans, incident response plans, security awareness and training plans, information systems rules of behavior, configuration management plans, privacy impact assessments, and system interconnection agreements.
Similarly, in asking IGs about the quality of agency corrective plans of action and milestones, an essential element of any security program is specifically addressed. Beyond certification and accreditation and plans of action and milestones, OMB's guidance complies with the remainder of FISMA's reporting requirements by having agencies respond to specialized questions. These questions deal with matters such as documented procedures for securing emerging technologies and how agencies ensure secure contractor operations.

Additionally, the draft report infers that unless OMB asks a specific question in a particular way and agencies answer those questions once each year, agencies will not implement FISMA nor provide adequate cost-effective security for their information and systems. Reporting to OMB is only one part of FISMA and the comprehensive agency information security program called for in the Act. Scarce agency resources should focus on developing and implementing a program to secure information and systems. Even if we agreed OMB's reporting guidance was deficient in some way, the simple fact is responsibility and accountability for implementation and compliance with FISMA rests in the agencies monitoring their own performance throughout the year.

In addition to expanded reporting elements, the draft report recommends that OMB's guidance include a requirement that agency Inspectors General (IGs) report on the quality of agency processes, such as the annual system review. OMB's guidance already provides IGs with the opportunity to include supporting narrative responses for all questions and encourages IGs to provide any additional meaningful information they may have. Agency IG narratives are especially significant to OMB's assessment of the certification and accreditation process because it includes many key FISMA elements.

The draft report also recommends that OMB review our guidance to ensure clarity.
OMB staff work with agencies and the IGs throughout the year, when developing the guidance, and in particular during the reporting period, to ensure that agencies adequately understand our reporting instructions.

Finally, we note that the recommendation to include FISMA data by risk category is addressed by OMB's FY 2005 FISMA reporting guidance. Such reporting would not have been meaningful until the National Institute of Standards and Technology (NIST) issued specific guidance on risk categorization as they did last year. Since the guidance has been issued, we are asking agencies to report by the NIST categories.

Thank you for the opportunity to review and comment on your draft report on this important issue of information security. While we agree with your assessment that information security in the agencies can and should continue to improve, we do not agree with the solutions you propose in your draft report.

Sincerely,

Signed by:

Karen S. Evans
Administrator
Office of E-Government and Information Technology

The following are GAO's comments on OMB's letter dated June 29, 2005.

GAO Comments:

1. As noted in our report, some FISMA requirements are not specifically being addressed by OMB's reporting instructions, such as reporting on risk assessments, subordinate security plans, security incident detection and response activities, and whether weaknesses are mitigated. We agree with OMB that the process of certification and accreditation requires agencies to document components of security planning such as risk assessment. However, as stated in our report, the IGs reported the certification and accreditation process included missing security plans, risk assessments, and contingency plans. Furthermore, seven IGs rated their agencies' certification and accreditation processes as poor.
Since the quality of the certification and accreditation process has been called into question by some IGs, we believe that reporting separately on the components at this time may provide better information on the status of agencies' information security implementation efforts. Also, we disagree that our report indicates that OMB's reporting guidance fails to meet the requirements of FISMA. We did not make such a statement. Rather, our report provides that OMB needs to enhance its reporting guidance to the agencies so that the annual FISMA reports provide more information essential for effective oversight.

2. We disagree with OMB comments that our report included the suggestion that unless OMB asked a specific question in a particular way and agencies answered those questions once each year, agencies would not implement FISMA nor provide adequate cost-effective security for their information and systems. We make no such statement or suggestion. OMB also stated that responsibility and accountability for implementation and compliance with FISMA rests with the agencies, including monitoring their own performance throughout the year. As noted in our report, FISMA clearly defines separate roles and responsibilities for federal agencies and their IGs, NIST, and OMB, to provide a comprehensive framework for ensuring the effectiveness of information security controls. Therefore, we cannot fully agree with OMB's statement that responsibility and accountability for implementation and compliance with FISMA rests with the agencies. All parties included in the act share in the responsibility. We do agree, however, that FISMA includes the requirement that agencies monitor their own performance throughout the year.

3. OMB's reporting guidance does not specifically address the issue of the quality of agency processes used to gather information for FISMA reporting.
We acknowledge that OMB has given the agency IGs the opportunity to include such additional information as they believe may be helpful. However, since specific information has not been requested, the resulting reported information has not been consistent or comparable across the agencies and over time. In our report we noted that OMB has recognized the need for assurance of quality for certain agency processes. For example, it specifically requested that the IGs evaluate the plan of actions and milestones process and the certification and accreditation process at their agencies. We believe that additional processes should be assessed for quality such as the annual system reviews. Providing information on the quality of the review process would further enhance the usefulness of the annually reported data for management and oversight purposes.

4. We acknowledge OMB's efforts to help ensure better clarity but believe more needs to be done. As we noted in our report, several questions could be subject to differing interpretations. Questions in the areas of plans of actions and milestones, inventory, configuration management, and certification and accreditation generated confusion. As a result, the reported data may contain erroneous information, and its reliability and consistency may be decreased.

5. The guidance to report FISMA data by risk category was issued on June 13, 2005--after our draft report was provided to OMB for comment. Reporting by system risk could provide information about whether agencies are appropriately prioritizing their information security efforts.

6. In this report, we do not propose solutions to agency information security weaknesses. Rather, we reported that pervasive weaknesses in federal agencies' information security policies and practices place data at risk. This statement is supported by our prior reports and reports by the IGs.
We noted that, in those prior reports, specific recommendations were made to the agencies to remedy identified information security weaknesses. In this report, we recommended that OMB enhance FISMA reporting guidance to increase the effectiveness and reliability of annual reporting.

[End of section]

Appendix III: GAO Staff Acknowledgments:

Staff Acknowledgments:

Larry Crosland, Season Dietrich, Nancy Glover, Carol Langelier, Suzanne Lightman, and Stephanie Lee made key contributions to this report.

[End of section]

Related GAO Products:

Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-486]. Washington, D.C.: May 19, 2005.

Information Security: Federal Agencies Need to Improve Controls Over Wireless Networks. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-383]. Washington, D.C.: May 17, 2005.

Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-231]. Washington, D.C.: May 13, 2005.

Continuity of Operations: Agency Plans Have Improved, but Better Oversight Could Assist Agencies in Preparing for Emergencies. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-577]. Washington, D.C.: April 28, 2005.

Continuity of Operations: Agency Plans Have Improved, but Better Oversight Could Assist Agencies in Preparing for Emergencies. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-619T]. Washington, D.C.: April 28, 2005.

Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-362]. Washington, D.C.: April 22, 2005.

Information Security: Internal Revenue Service Needs to Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-482]. Washington, D.C.: April 15, 2005.
Information Security: Department of Homeland Security Faces Challenges in Fulfilling Statutory Requirements. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-567T]. Washington, D.C.: April 14, 2005.

Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-483T]. Washington, D.C.: April 7, 2005.

Information Security: Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-262]. Washington, D.C.: March 23, 2005.

High-Risk Series: An Update. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-207]. Washington, D.C.: January 2005.

Financial Management: Department of Homeland Security Faces Significant Financial Management Challenges. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-774]. Washington, D.C.: July 19, 2004.

Information Security: Agencies Need to Implement Consistent Processes in Authorizing Systems for Operation. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-376]. Washington, D.C.: June 28, 2004.

Information Technology: Training Can Be Enhanced by Greater Use of Leading Practices. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-791]. Washington, D.C.: June 24, 2004.

Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-816T]. Washington, D.C.: June 2, 2004.

Information Security: Continued Action Needed to Improve Software Patch Management. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-706]. Washington, D.C.: June 2, 2004.

Information Security: Information System Controls at the Federal Deposit Insurance Corporation. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-630]. Washington, D.C.: May 28, 2004.

Technology Assessment: Cybersecurity for Critical Infrastructure Protection.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-321]. Washington, D.C.: May 18, 2004.

Continuity of Operations: Improved Planning Needed to Ensure Delivery of Essential Services. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-638T]. Washington, D.C.: April 22, 2004.

Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-628T]. Washington, D.C.: March 30, 2004.

Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-483T]. Washington, D.C.: March 16, 2004.

Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-354]. Washington, D.C.: March 15, 2004.

Information Security: Technologies to Secure Federal Systems. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-467]. Washington, D.C.: March 9, 2004.

Continuity of Operations: Improved Planning Needed to Ensure Delivery of Essential Government Services. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-160]. Washington, D.C.: February 27, 2004.

Information Security: Further Efforts Needed to Address Serious Weaknesses at USDA. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-154]. Washington, D.C.: January 30, 2004.

Information Security: Improvements Needed in Treasury's Security Management Program. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-77]. Washington, D.C.: November 14, 2003.

Information Security: Computer Controls over Key Treasury Internet Payment System. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-837]. Washington, D.C.: July 30, 2003.

Information Security: Further Efforts Needed to Fully Implement Statutory Requirements in DOD. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1037T]. Washington, D.C.: July 24, 2003.
Information Security: Continued Efforts Needed to Fully Implement Statutory Requirements. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-852T]. Washington, D.C.: June 24, 2003.

Information Security: Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-44]. Washington, D.C.: May 30, 2003.

High-Risk Series: An Update. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-119]. Washington, D.C.: January 2003.

Computer Security: Progress Made, But Critical Federal Operations and Assets Remain at Risk. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-303T]. Washington, D.C.: November 19, 2002.

(310548):

FOOTNOTES

[1] Plans of action and milestones are required for all programs and systems where an information technology security weakness has been found. The plan lists the weaknesses and shows estimated resource needs, or other challenges to resolving them, key milestones and completion dates, and the status of corrective actions.

[2] The 24 major departments and agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs, the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development.

[3] GAO, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999). This methodology is used for our information security controls evaluations and audits, as well as by the IGs for the information security control work done as part of financial audits at the agencies.
[4] A material weakness is a condition that precludes the entity's internal control from providing reasonable assurance that misstatements, losses, or noncompliance material in relation to the financial statements or to stewardship information would be prevented or detected on a timely basis.

[5] Department of the Treasury, 2004 Financial Report of the United States Government (Washington, D.C.).

[6] GAO, High Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005).

[7] Reportable conditions are significant deficiencies in the design or operation of internal control that could adversely affect the entity's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

[8] GAO, Continuity of Operations: Agency Plans Have Improved, but Better Oversight Could Assist Agencies in Preparing for Emergencies, GAO-05-577 (Washington, D.C.: Apr. 28, 2005).

[9] GAO, Information Security: Federal Agencies Need to Improve Controls over Wireless Networks, GAO-05-383 (Washington, D.C.: May 17, 2005).

[10] Spam is unsolicited commercial e-mail. Phishing is the practice of using fraudulent messages to obtain personal or sensitive data. Spyware is software that monitors user activity without user knowledge or consent.

[11] GAO, Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems, GAO-05-231 (Washington, D.C.: May 13, 2005).

[12] GAO, Information Security: Agencies Need to Implement Consistent Processes in Authorizing Systems for Operations, GAO-04-376 (Washington, D.C.: June 28, 2004).

[13] National Institute of Standards and Technology, Special Publication 800-18: Guide for Developing Security Plans for Information Technology Systems (Washington, D.C.: December 1998).

[14] GAO, Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk, GAO-05-362 (Washington, D.C.: April 22, 2005).
[15] FISMA charged the Director of OMB with ensuring the operation of a federal information security center. The required functions are performed by DHS's US-CERT, which was established to aggregate and disseminate cybersecurity information to improve warning and response to incidents, increase coordination of response information, reduce vulnerabilities, and enhance prevention and protection.

[16] GAO, Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems, GAO-05-231 (Washington, D.C.: May 13, 2005).

[17] GAO, Information Security: Agencies Need to Implement Consistent Processes in Authorizing Systems for Operation, GAO-04-376 (Washington, D.C.: June 28, 2004).

[18] The President's Council on Integrity and Efficiency was established by executive order to address integrity, economy, and effectiveness issues that transcend individual government agencies and increase the professionalism and effectiveness of IG personnel throughout government.

[19] The term accreditation is used in two different contexts in the FISMA Implementation Project. Security accreditation is the official management decision to authorize the operation of an information system (as in certification and accreditation process). Organizational accreditation involves comprehensive proficiency testing and the demonstration of specialized skills in a particular area of interest.

[20] Office of Management and Budget, Circular A-11: Preparation, Submission and Execution of the Budget (Washington, D.C.: July 2004).

[21] GAO, Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements, GAO-05-483T (Washington, D.C.: Apr. 7, 2005).

GAO's Mission:

The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site (www.gao.gov) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent.

Orders should be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:

Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
