Information Security
Federal Agencies Show Mixed Progress in Implementing Statutory Requirements
GAO ID: GAO-06-527T March 16, 2006
For many years, GAO has reported that ineffective information security is a widespread problem that has potentially devastating consequences. In its reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue--most recently in January 2005. Concerned with accounts of attacks on commercial systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the federal information security program, evaluation, and reporting requirements established for federal agencies. This testimony discusses the federal government's progress and challenges in implementing FISMA, as reported by the Office of Management and Budget (OMB), the agencies, and the Inspectors General (IGs), and actions needed to improve FISMA reporting and address underlying information security weaknesses.
In its fiscal year 2005 report to Congress, OMB discusses progress in implementing key information security requirements, but at the same time cites challenging weaknesses that remain. The report notes several governmentwide findings, such as the varying effectiveness of agencies' security remediation processes and the inconsistent quality of agencies' certification and accreditation (the process of authorizing operation of a system, including the development and implementation of risk assessments and security controls). Nevertheless, fiscal year 2005 data reported by 24 major agencies, compared with data reported for the previous 2 fiscal years, show that these agencies have made steady progress in certifying and accrediting systems, although they reported mixed progress in meeting other key statutory information security requirements. For example, agencies reported that only 61 percent of their systems had tested contingency plans, thereby reducing assurance that agencies will be able to recover from the disruption of those systems with untested plans. Federal entities can act to improve the usefulness of the annual FISMA reporting process and to mitigate underlying information security weaknesses. OMB has taken several actions to improve FISMA reporting--such as requiring agencies to provide performance information based on the relative importance or risk of the systems--and can further enhance the reliability and quality of reported information. Agencies also can take actions to fully implement their FISMA-mandated programs and address the weaknesses in their information security controls. Such actions include completing and maintaining accurate inventories of major systems, prioritizing information security efforts based on system risk levels, and strengthening controls that are to prevent, limit, and detect access to the agencies' information and information systems.
GAO-06-527T, Information Security: Federal Agencies Show Mixed Progress in Implementing Statutory Requirements
This is the accessible text file for GAO report number GAO-06-527T
entitled 'Information Security: Federal Agencies Show Mixed Progress in
Implementing Statutory Requirements' which was released on March 17,
2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the House Committee on Government Reform:
For Release on Delivery:
Expected at 10:00 a.m. EST Thursday, March 16, 2006:
Information Security:
Federal Agencies Show Mixed Progress in Implementing Statutory
Requirements:
Statement of Gregory C. Wilshusen, Director, Information Security
Issues:
GAO-06-527T:
GAO Highlights:
Highlights of GAO-06-527T, a testimony to the House Committee on
Government Reform:
Why GAO Did This Study:
For many years, GAO has reported that ineffective information security
is a widespread problem that has potentially devastating consequences.
In its reports to Congress since 1997, GAO has identified information
security as a governmentwide high-risk issue--most recently in January
2005.
Concerned with accounts of attacks on commercial systems via the
Internet and reports of significant weaknesses in federal computer
systems that make them vulnerable to attack, Congress passed the
Federal Information Security Management Act of 2002 (FISMA), which
permanently authorized and strengthened the federal information
security program, evaluation, and reporting requirements established
for federal agencies.
This testimony discusses:
* The federal government's progress and challenges in implementing
FISMA, as reported by the Office of Management and Budget (OMB), the
agencies, and the Inspectors General (IGs).
* Actions needed to improve FISMA reporting and address underlying
information security weaknesses.
What GAO Found:
In its fiscal year 2005 report to Congress, OMB discusses progress in
implementing key information security requirements, but at the same
time cites challenging weaknesses that remain. The report notes several
governmentwide findings, such as the varying effectiveness of agencies'
security remediation processes and the inconsistent quality of
agencies' certification and accreditation (the process of authorizing
operation of a system, including the development and implementation of
risk assessments and security controls). Nevertheless, fiscal year 2005
data reported by 24 major agencies, compared with data reported for the
previous 2 fiscal years (see fig.), show that these agencies have made
steady progress in certifying and accrediting systems, although they
reported mixed progress in meeting other key statutory information
security requirements. For example, agencies reported that only 61
percent of their systems had tested contingency plans, thereby reducing
assurance that agencies will be able to recover from the disruption of
those systems with untested plans.
Federal entities can act to improve the usefulness of the annual FISMA
reporting process and to mitigate underlying information security
weaknesses. OMB has taken several actions to improve FISMA
reporting--such as requiring agencies to provide performance information
based on the relative importance or risk of the systems--and can further
enhance the reliability and quality of reported information. Agencies
also can take actions to fully implement their FISMA-mandated programs
and address the weaknesses in their information security controls. Such
actions include completing and maintaining accurate inventories of
major systems, prioritizing information security efforts based on
system risk levels, and strengthening controls that are to prevent,
limit, and detect access to the agencies' information and information
systems.
Reported Data for Selected Performance Measures for 24 Major Agencies
[See PDF for image]
[End of figure]
www.gao.gov/cgi-bin/getrpt?GAO-06-527T.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory C. Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
I am pleased to be here today to discuss the state of federal
information security and the efforts by federal agencies to implement
requirements of the Federal Information Security Management Act of 2002
(FISMA).[Footnote 1] For many years, we have reported that poor
information security is a widespread problem that has potentially
devastating consequences.[Footnote 2] Since 1997, we have identified
information security as a governmentwide high-risk issue in reports to
Congress.[Footnote 3] Concerned with accounts of attacks on commercial
systems via the Internet and reports of significant weaknesses in
federal computer systems that made them vulnerable to attack, Congress
passed FISMA, which permanently authorized and strengthened the federal
information security program, evaluation, and reporting requirements
established for federal agencies.
In my testimony today, I will summarize our analysis of the reported
status of the federal government's implementation of FISMA. I will note
areas where the agencies have made progress in implementing the
requirements of the Act and those areas where weaknesses remain. I will
also touch on additional actions that federal entities can take to help
fully implement the mandated information security programs and to
improve the effectiveness of information security controls.
In conducting this work, we reviewed and summarized OMB's fiscal year
2005 report to Congress on FISMA implementation, dated March 1, 2006.
We also analyzed and summarized the fiscal year 2005 FISMA reports from
24 major federal agencies[Footnote 4] and their inspectors general
(IGs). In addition, we reviewed standards and guidance issued by OMB
and the National Institute of Standards and Technology (NIST) pursuant
to their responsibilities under the Act. We did not validate the
accuracy of the data reported by the agencies or OMB, but we did
analyze the IGs' fiscal year 2005 FISMA reports to identify any issues
related to the accuracy of agency-reported information. Finally, we
examined and summarized key findings of related GAO products. We
performed our work from October 2005 to March 2006 in accordance with
generally accepted government auditing standards.
Results in Brief:
In its fiscal year 2005 report to Congress, OMB noted that the federal
government has made progress in meeting key performance measures for
information security; however, uneven implementation of security
efforts has left weaknesses in several areas. OMB identified weaknesses
with the extent of agencies' oversight of contractor systems, testing
of security controls, and reporting of security incidents, as well as
the quality of agencies' plans of action and milestones and
certification and accreditation processes. The report presented a plan
of action that OMB is pursuing with federal agencies to improve their
management of information security.
The fiscal year 2005 reports submitted by the agencies present a mixed
picture of FISMA implementation in the federal government. In their
fiscal year 2005 reports, 24 major federal agencies generally reported
an increasing number of systems meeting key information security
performance measures, such as percentage of systems certified and
accredited and percentage of contingency plans tested. Nevertheless,
progress was uneven. For example, the percentage of agency systems
reviewed declined from 96 percent in 2004 to 84 percent in 2005, and
the percentage of employees and contractors receiving security
awareness training also declined, from 88 percent in 2004 to 81 percent
in 2005.
Federal entities can act to improve the usefulness of the annual FISMA
reporting process and to mitigate underlying information security
weaknesses. OMB has taken several actions to improve FISMA reporting--
such as requiring agencies to indicate the relative importance or risk
level of their systems--and can further enhance the reliability and
quality of reported information. Agencies can also take actions to
fully implement their FISMA-mandated programs and address the
weaknesses in their information security controls. Such actions include
completing and maintaining accurate inventories of major systems,
prioritizing information security efforts based on system risk levels,
and strengthening controls that are designed to prevent, limit, and
detect access to the agencies' information and information systems.
Background:
Increasing computer interconnectivity--most notably growth in the use
of the Internet--has revolutionized the way that our government, our
nation, and much of the world communicate and conduct business. While
this interconnectivity offers us huge benefits, without proper
safeguards it also poses significant risks to the government's computer
systems and, more importantly, to the critical operations and
infrastructures they support. We reported in 2005 that while federal
agencies showed improvement in addressing information security, they
also continued to have significant control weaknesses in federal
computer systems that put federal operations and assets at risk of
inadvertent or deliberate misuse, financial information at risk of
unauthorized modification or destruction, sensitive information at risk
of inappropriate disclosure, and critical operations at the risk of
disruption.[Footnote 5]
The significance of these weaknesses led us to conclude in the audit of
the federal government's fiscal year 2005 financial statements[Footnote
6] that information security was a material weakness.[Footnote 7] Our
audits also identified instances of similar types of weaknesses in non-
financial systems.
To fully understand the significance of the weaknesses we identified,
it is necessary to link them to the risks they present to federal
operations and assets. Virtually all federal operations are supported
by automated systems and electronic data, and agencies would find it
difficult, if not impossible, to carry out their missions and account
for their resources without these information assets. Hence, the degree
of risk caused by security weaknesses is high. The weaknesses we
identified place a broad array of federal operations and assets at
risk. For example,
* Resources, such as federal payments and collections, could be lost or
stolen.
* Computer resources could be used for unauthorized purposes or to
launch attacks on other computer systems.
* Sensitive information, such as taxpayer data, social security
records, medical records, and proprietary business information could be
inappropriately disclosed, browsed, or copied for purposes of
industrial espionage or other types of crime.
* Critical operations, such as those supporting national defense and
emergency services, could be disrupted.
* Data could be modified or destroyed for purposes of fraud, identity
theft, or disruption.
* Agency missions could be undermined by embarrassing incidents that
result in diminished confidence in federal organizations' abilities to
conduct operations and fulfill their fiduciary responsibilities.
Congress and the administration have established specific information
security requirements, in both law and policy, to help protect the
information and information systems that support these critical
operations and assets.
FISMA Authorized and Strengthened Information Security Requirements:
Enacted into law on December 17, 2002, as title III of the E-Government
Act of 2002, FISMA authorized and strengthened information security
program, evaluation, and reporting requirements. The Act assigns
specific responsibilities to agency heads, chief information officers,
and IGs. It also assigns responsibilities to OMB, which include
developing and overseeing the implementation of policies, principles,
standards, and guidelines on information security and reviewing at
least annually, and approving or disapproving, agency information
security programs.
Overall, FISMA requires each agency (including agencies with national
security systems) to develop, document, and implement an agencywide
information security program. This program should provide security for
the information and information systems that support the operations and
assets of the agency, including those provided or managed by another
agency, contractor, or other source. Specifically, this program is to
include:
* periodic assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information or information systems;
* risk-based policies and procedures that cost-effectively reduce
information security risks to an acceptable level and ensure that
information security is addressed throughout the life cycle of each
information system, including minimally acceptable system configuration
requirements;
* subordinate plans for providing adequate information security for
networks, facilities, and systems or groups of information systems;
* security awareness training for agency personnel, including
contractors and other users of information systems that support the
operations and assets of the agency;
* periodic evaluation of the effectiveness of information security
policies, procedures, and practices, performed with a frequency
depending on risk, but no less than annually, and that includes testing
of management, operational, and technical controls for every system
identified in the agency's required inventory of major information
systems;
* a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies in the information security
policies, procedures, and practices of the agency;
* procedures for detecting, reporting, and responding to security
incidents; and:
* plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
FISMA also established a requirement that each agency develop,
maintain, and annually update an inventory of major information systems
(including major national security systems) that are operated by the
agency or under its control. This inventory is to include an
identification of the interfaces between each system and all other
systems or networks, including those not operated by or under the
control of the agency.
Each agency is also required to have an annual independent evaluation
of its information security program and practices, including control
testing and compliance assessment. Evaluations of non-national security
systems are to be performed by the agency IG or by an independent
external auditor, while evaluations related to national security
systems are to be performed only by an entity designated by the agency
head. The agencies are to report annually to OMB, selected
congressional committees, and the Comptroller General on the adequacy
of information security policies, procedures, practices, and compliance
with FISMA requirements. In addition, agency heads are required to make
annual reports of the results of their independent evaluations to OMB.
OMB must submit a report to Congress no later than March 1 of each year
on agency compliance, including a summary of the findings of agencies'
independent evaluations.
Other major provisions direct that the National Institute of Standards
and Technology (NIST) develop, for systems other than national security
systems: (1) standards to be used by all agencies to categorize all
their information and information systems based on the objectives of
providing appropriate levels of information security according to a
range of risk levels; (2) guidelines recommending the types of
information and information systems to be included in each category;
and (3) minimum information security requirements for information and
information systems in each category. NIST must also develop a
definition of, and guidelines concerning, the detection and handling of
information security incidents.
OMB Reporting Instructions and Guidance Emphasize Performance Measures:
OMB provides instructions to the agencies and their IGs on the annual
FISMA reporting requirements. OMB's fiscal year 2005 reporting
instructions, similar to the 2004 instructions, have a strong focus on
performance measures. OMB has developed performance measures in the
following areas:
* certification and accreditation,[Footnote 8]
* testing of security controls,
* agency systems and contractor systems reviewed annually,
* testing of contingency plans,
* incident reporting,
* annual security awareness training for employees and contractors,
* annual specialized training for employees with significant security
responsibilities, and:
* minimally acceptable configuration requirements.
Further, OMB has provided instructions for continued agency reporting
on the status of remediation efforts through plans of action and
milestones. Required for all programs and systems where an IT security
weakness has been found, these plans list the weaknesses and show
estimated resource needs or other challenges to resolving them, key
milestones and completion dates, and the status of corrective actions.
The plans are to be submitted twice a year to OMB. In addition,
agencies are to submit quarterly updates that indicate the number of
weaknesses for which corrective action has been completed as originally
scheduled, or has been delayed, as well as the number of new weaknesses
discovered since the last update.
The annual IGs' reports requested by OMB are to be based on the results
of their independent evaluations, including work performed throughout
the reporting period (such as work performed as part of the annual
financial audits of the agencies). While OMB asked the IGs to respond
to some of the same questions as the agencies, it also asked them to
assess whether their agency had developed, implemented, and was
managing an agencywide plan of actions and milestones. Further, OMB
asked the IGs to assess the quality of the certification and
accreditation process at their agencies, as well as the status of their
agency's inventory of major information systems. OMB did not request
that the IGs validate agency responses to the performance measures.
Instead, as part of their independent evaluations of a subset of agency
systems, IGs were asked to assess the reliability of the data for those
systems that they evaluated.
OMB's Report to Congress Noted Improvements and Weaknesses:
In its March 2006 report to Congress on fiscal year 2005 FISMA
implementation,[Footnote 9] OMB emphasized that the federal government
has made progress in meeting key performance measures for IT security;
however, uneven implementation of security efforts leaves weaknesses in
several areas. OMB determined through its assessment of FISMA reports
that advances have occurred at a governmentwide level in the following
areas of IT security:
* Systems certification and accreditation. Agencies recorded a 19
percent increase in the total number of IT systems and reported that
the percentage of certified and accredited systems rose from 77 percent
in fiscal year 2004 to 85 percent in 2005. Moreover, OMB noted that 88
percent of systems assessed as high-risk have been certified and
accredited.
* Assessed quality of the certification and accreditation process.
OMB's analysis of reports from the IGs revealed an increase in agencies
with a certification process rated as "satisfactory" or higher, from 15
in 2004 to 17 in 2005.
* Plans of action and milestone process. OMB noted that out of 25
agencies that it reviewed in detail,[Footnote 10] 19 IGs report that
their agencies have effective remediation processes, compared to 18 in
2004.
In addition to these areas of improvement, OMB detected areas with
continuing weaknesses:
* Contractor systems oversight. IGs for 6 of 24 agencies (one agency IG
did not respond) rated agency oversight of contractor systems in the
"rarely" range, while 3 others rated this oversight in the next lowest
range, "sometimes."
* Security controls testing. Agencies tested the security controls on a
lower percentage of systems, dropping from 76 percent in fiscal year
2004 to 72 percent in 2005. OMB noted a better rate of testing for high-
risk systems, with a governmentwide total of 83 percent.
* Incident reporting. OMB stated that some agencies continue to report
security incidents to the Department of Homeland Security only
sporadically and that others report notably low levels of incidents.
* Agencywide plans of action and milestones. While IGs for 19 agencies
reported effective plan of action and milestones (POA&M) processes, 6
others reported ineffective processes.
* Certification and accreditation process. OMB commented that while no
IG rated the certification and accreditation process for its agency as
failing, eight rated the process as "poor."
The OMB report also discusses a plan of action to improve performance,
assist agencies in their information security activities, and promote
compliance with statutory and policy requirements. OMB has set a goal
for agencies to have 90 percent of their systems certified and
accredited and their certification and accreditation process rated as
"satisfactory" or better by their IGs.
Agency 2005 FISMA Reports Show Mixed Results:
In their FISMA-mandated reports for fiscal year 2005, the 24 major
agencies reported both improvements and weaknesses in major performance
indicators. The following key measures showed increased performance
and/or continuing challenges:
* percentage of systems certified and accredited;
* percentage of agencies with an agencywide minimally acceptable
configuration requirements policy;
* percentage of agency systems reviewed annually;
* percentage of contractor systems reviewed annually;
* percentage of employees and contractors receiving annual security
awareness training;
* percentage of employees with significant security responsibilities
receiving specialized security training annually; and:
* percentage of contingency plans tested.
Figure 1 illustrates that the major agencies have made steady progress
in fiscal year 2005 certifying and accrediting their systems, although
they have made mixed progress in meeting other key performance measures
compared with the previous two fiscal years. Summaries of the results
for specific measures follow.
Figure 1: Reported Data for Selected Performance Measures for 24 Major
Agencies:
[See PDF for image]
[End of figure]
Certification and Accreditation:
Included in OMB's policy for federal information security is a
requirement that agency management officials formally authorize their
information systems to process information and thereby accept the risk
associated with their operation. This management authorization
(accreditation) is to be supported by a formal technical evaluation
(certification) of the management, operational, and technical controls
established in an information system's security plan. For FISMA
reporting, OMB requires agencies to report the number of systems
authorized for processing after completing certification and
accreditation.
Data reported for this measure showed continued overall increases for
most agencies over the last three years. For example, 15 agencies
reported an increase in the percentage of their systems that had
completed certification and accreditation. Overall, 85 percent of
agencies' systems governmentwide were reported as certified and
accredited in 2005, compared to 77 percent in 2004 and 62 percent in
2003. In addition, 20 agencies reported that 90 percent or more of
their systems had successfully completed the process, as illustrated in
figure 2.
Figure 2: Percentage of Agencies Reporting the Percentage of Their
Systems that are Certified and Accredited for Processing in Fiscal Year
2005:
[See PDF for image]
[End of figure]
Agencies appeared to appropriately focus their certification and
accreditation efforts on high-risk systems. Agencies certified and
accredited a higher percentage of their high-risk systems (88 percent)
than their moderate-risk systems.
Configuration Management:
FISMA requires each agency to have policies and procedures that ensure
compliance with minimally acceptable system configuration requirements,
as determined by the agency. In fiscal year 2004, for the first time,
agencies reported on the degree to which they had security
configurations for specific operating systems and software
applications. Our analysis of the 2005 agency FISMA reports found that
all 24 major agencies reported that they had agencywide policies
containing system configurations, an increase from the 20 agencies who
reported having them in 2004. However, implementation of these
requirements at the system level continues to be uneven. Specifically,
14 agencies reported having system configuration policies, but they did
not always implement them on their systems.
Annual Review of Agency Systems:
FISMA requires that agency information security programs include
periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices to be performed with a
frequency that depends on risk, but no less than annually. This effort
is to include testing of management, operational, and technical
controls of every information system identified in the FISMA-required
inventory of major systems. Periodically evaluating the effectiveness
of security policies and controls and acting to address any identified
weaknesses are fundamental activities that allow an organization to
manage its information security risks cost-effectively, rather than
reacting to individual problems ad hoc only after a violation has been
detected or an audit finding has been reported. In order to measure the
performance of security programs, OMB requires that agencies report the
number and percentage of systems that they have reviewed during the
year.
Agencies reported a decrease in the percentage of their systems that
underwent an annual review in 2005, after reporting major gains in this
performance measure in 2004. In the 2005 reports, agencies stated that
84 percent of their systems had been reviewed in the last year, as
compared to 96 percent in 2004. While 23 agencies reported that they
had reviewed 90 percent or more of their systems in 2004, 19 agencies
reported this achievement in 2005, as shown in figure 3.
Figure 3: Percentage of Agencies Reporting the Percentage of Their
Systems that have been Reviewed in Fiscal Year 2005:
[See PDF for image]
[End of figure]
Annual Review of Contractor Systems:
Under FISMA, agency heads are responsible for providing information
security protections for information collected or maintained by or on
behalf of the agency and information systems used or operated by an
agency or by a contractor. As OMB emphasized in its fiscal year 2005
FISMA reporting guidance, agency IT security programs apply to all
organizations that possess or use federal information or that operate,
use, or have access to federal information systems on behalf of a
federal agency. Such other organizations may include contractors,
grantees, state and local governments, and industry partners. According
to longstanding OMB policy concerning sharing government information
and interconnecting systems, federal security requirements continue to
apply, and the agency is responsible for ensuring appropriate security
controls.
The key performance measure of annual review of contractor systems by
agencies decreased from 83 percent in 2004 to 74 percent in 2005,
reducing the rate of reviews performed to below 2003 levels. However,
the number of agencies that reported reviewing over 90 percent of their
contractor systems has increased from 10 in 2004 to 17 in 2005. A
breakdown of the percentages for fiscal year 2005 is provided in figure
4.
Figure 4: Percentage of Agencies Reporting the Percentage of Their
Contractor Systems that have been Reviewed in Fiscal Year 2005 (figure not reproduced).
Although agencies reported that 74 percent of their contractor systems
were reviewed in 2005, they reviewed only 51 percent of the contractor
systems assessed as high-risk, compared with 89 percent of moderate-
risk systems and 84 percent of low-risk systems. Without adequate
contractor review, agencies cannot be assured that federal information
held and processed by contractors is secure.
Security Awareness Training:
FISMA requires agencies to provide security awareness training. This
training should inform personnel, including contractors and other users
of information systems supporting the operations and assets of an
agency, of information security risks associated with their activities
and of the agency's responsibilities in complying with policies and
procedures designed to reduce these risks. Our studies of best
practices at leading organizations[Footnote 11] have shown that such
organizations took steps to ensure that personnel involved in various
aspects of information security programs had the skills and knowledge
they needed.
In their FISMA submissions for fiscal year 2005, agencies reported that
they provided security awareness training to the majority of their
employees and contractors. However, while 19 agencies reported that
they had trained more than 90 percent of their employees and
contractors in basic security awareness (see fig. 5), the overall
percentage of employees trained among the 24 major federal agencies
reviewed dropped from 88 percent in 2004 to 81 percent in 2005, a level
almost equal to that reported in 2003.
Figure 5: Percentage of Agencies Reporting the Level of Their Employees
and Contractors that have Received IT Security Awareness Training in
Fiscal Year 2005 (figure not reproduced).
Specialized Security Training:
Under FISMA, agencies are required to provide training in information
security to personnel with significant security responsibilities. As
previously noted, our study of best practices at leading organizations
has shown that such organizations recognized that staff expertise
needed to be updated frequently to keep security employees current on
changes in threats, vulnerabilities, software, technologies, security
techniques, and security monitoring tools. OMB directs agencies to
report on the percentage of their employees with significant security
responsibilities who have received specialized training.
Agencies reported varying levels of compliance in providing specialized
training to employees with significant security responsibilities. Of
the 24 agencies that we reviewed, 12 reported that they had provided
specialized security training for 90 percent or more of these
employees (see fig. 6).
Figure 6: Percentage of Agencies Reporting the Level of Their Employees
with Significant Security Responsibilities that have Received
Specialized Security Training in Fiscal Year 2005 (figure not reproduced).
Although there was a gain of one point in the percentage of employees
who received specialized security training for fiscal year 2005 (82
percent) over 2004 (81 percent), both of these years show a decrease
from the level reported in 2003 (85 percent). Given the rapidly
changing threats in information security, agencies need to keep their
IT security employees up to date on changes in technology. Otherwise,
agencies may face increased risk of security breaches.
Testing of Contingency Plans:
Contingency plans provide specific instructions for restoring critical
systems, including such elements as arrangements for alternative
processing facilities in case the usual facilities are significantly
damaged or cannot be accessed due to unexpected events such as a
temporary power failure, the accidental loss of files, or a major
disaster. It is important that these plans be clearly documented,
communicated to potentially affected staff, and updated to reflect
current operations. The testing of contingency plans is essential to
determining whether the plans will function as intended in an
emergency, and the frequency of plan testing will vary depending on the
criticality of the entity's operations. The most useful tests involve
simulating a disaster to test overall service continuity. Such a test
includes testing whether the alternative data processing site will
function as intended and whether critical computer data and programs to
be recovered from off-site storage will be accessible and current. In
executing the plan, managers are able to identify weaknesses and make
changes accordingly. Moreover, such tests assess how well employees
have been trained to carry out their roles and responsibilities during
a disaster. To show the status of implementing this requirement, OMB
specifies that agencies report the number of systems with tested
contingency plans.
Overall, agencies continued to report that a significant number of
their contingency plans had not been tested: only 61 percent of systems
had tested plans. Although this number has shown small increases each
year since 2003, figure 7 illustrates that 5 agencies reported that
less than 50 percent of their systems had tested contingency plans.
Figure 7: Percentage of Agencies Reporting the Level of Their Systems
that have Tested Contingency Plans in Fiscal Year 2005 (figure not reproduced).
In addition, agencies do not appear to be appropriately prioritizing
the testing of contingency plans by system risk level: of the three
risk levels, high-risk systems had the lowest rate of tested plans.
Without testing, agencies can have only limited assurance that they
will be able to recover mission critical applications, business
processes, and information in the event of an unexpected interruption.
Inventory of Major Systems:
FISMA requires that agencies develop, maintain, and annually update an
inventory of major information systems operated by the agency, or under
its control. The total number of agency systems is a key element in
OMB's performance measures, in that agency progress is indicated by the
percentage of total systems that meet specific information security
requirements. For the 2005 reports, OMB required agencies to report the
number of major systems and asked the IGs about the status and accuracy
of their agencies' inventories.
In 2005, agencies reported 10,261 systems, composed of 9,175 agency
systems and 1,094 contractor systems. However, only 13 IGs reported
that their agencies' inventories were substantially complete. A
complete inventory of major information systems is a key element of
managing the agency's IT resources, including the security of those
resources. Without reliable information on agencies' inventories, the
agencies, the administration, and Congress cannot be fully assured of
agencies' progress in implementing FISMA.
Risk Assessments:
FISMA mandates that agencies assess the risk and magnitude of harm that
could result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of their information and information
systems. The Federal Information Processing Standard (FIPS) 199,
Standards for Security Categorization of Federal Information and
Information Systems, and related NIST guidance provide a common
framework for categorizing systems according to risk. The framework
establishes three levels of potential impact on organizational
operation, assets, or individuals should a breach of security occur--
high (severe or catastrophic), moderate (serious), and low (limited)--
and is used to determine the impact for each of the FISMA-specified
security objectives of confidentiality, integrity, and availability.
Once determined, security categories are to be used in conjunction with
vulnerability and threat information in assessing the risk to an
organization. OMB's fiscal year 2005 reporting instructions included
the new requirement that agencies report their systems and certain
performance measures using FIPS 199 risk levels. If agencies did not
categorize systems, or used a method other than FIPS 199 to determine
risk level, they were required to explain why in their FISMA reports.
For the first time, in the 2005 reporting, agencies reported the risk
levels for their agency and contractor systems, as illustrated in table
1.
Figure 8: Systems Reported by Risk Level in Fiscal Year 2005 (table not reproduced; source: GAO analysis).
Agencies reported that 9 percent of their systems were not categorized
by risk level. The majority of systems without risk levels assigned
were found at 4 agencies. One agency did not categorize 77 percent of
its systems. Without assigned risk levels, agencies cannot make risk-
based decisions on the security needs of their information and
information systems.
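The FIPS 199 framework described above, and the risk-level breakdown of performance measures that OMB's fiscal year 2005 instructions introduced, can be worked through in code. The following Python is an added example and is not code from the testimony, OMB, or NIST. It models a system's security category as the per-objective high-water mark over the information types it handles (the FIPS 199 rule for information systems) and a single overall level as the highest of the three objectives (the high-water-mark rule used in FIPS 200 and NIST guidance); it then computes one FISMA performance measure (systems with tested contingency plans) by risk level, counting uncategorized systems separately, and flags the inverted prioritization the testimony reports, in which coverage of high-risk systems trails that of moderate- or low-risk systems. All system names, information types, and tested/untested flags are constructed sample data.

```python
"""FIPS 199 security categorization and a by-risk-level coverage check.

Added example, not part of the GAO testimony. Information types, system
names and tested flags below are constructed sample data.
"""
from collections import defaultdict

# FIPS 199 potential-impact levels, ordered so max() yields the high-water mark.
LEVELS = ("low", "moderate", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(*levels):
    """Highest impact level among those given."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types):
    """info_types: list of dicts mapping each objective to an impact level,
    one dict per information type the system handles.
    Returns (per_objective_category, overall_level)."""
    if not info_types:
        raise ValueError("no information types: system cannot be categorized")
    category = {obj: high_water_mark(*(it[obj] for it in info_types))
                for obj in OBJECTIVES}
    overall = high_water_mark(*category.values())
    return category, overall


def coverage_by_risk_level(systems):
    """systems: list of dicts with 'risk' (a FIPS 199 level, or None when the
    agency has not categorized the system) and 'tested' (bool).
    Returns {level: (tested, total, percent)}, with an 'uncategorized' key
    so that unrated systems are visible rather than silently dropped."""
    counts = defaultdict(lambda: [0, 0])
    for s in systems:
        key = s["risk"] if s["risk"] in RANK else "uncategorized"
        counts[key][1] += 1
        if s["tested"]:
            counts[key][0] += 1
    return {k: (t, n, round(100 * t / n)) for k, (t, n) in counts.items()}


def prioritization_gap(coverage):
    """True when coverage of high-risk systems is below that of any lower
    risk level: the pattern the testimony reports for contractor reviews
    and contingency plan testing."""
    if "high" not in coverage:
        return False
    high_pct = coverage["high"][2]
    return any(coverage[lvl][2] > high_pct
               for lvl in ("moderate", "low") if lvl in coverage)


# Constructed sample: two information types handled by one payroll system.
PAYROLL_INFO_TYPES = [
    {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
]

# Constructed sample inventory with a contingency-plan-tested flag per system.
SAMPLE_SYSTEMS = [
    {"name": "payroll", "risk": "high", "tested": False},
    {"name": "hr-portal", "risk": "high", "tested": True},
    {"name": "intranet", "risk": "moderate", "tested": True},
    {"name": "ticketing", "risk": "moderate", "tested": True},
    {"name": "wiki", "risk": "low", "tested": True},
    {"name": "lab-vm", "risk": "low", "tested": False},
    {"name": "legacy-db", "risk": None, "tested": False},
]

if __name__ == "__main__":
    category, overall = categorize_system(PAYROLL_INFO_TYPES)
    print("payroll category:", category, "overall:", overall)
    cov = coverage_by_risk_level(SAMPLE_SYSTEMS)
    for level in LEVELS + ("uncategorized",):
        if level in cov:
            print(f"{level:>13}: {cov[level][0]}/{cov[level][1]} tested ({cov[level][2]}%)")
    print("high-risk coverage trails lower levels:", prioritization_gap(cov))
```

On the sample inventory the payroll system categorizes as {confidentiality: high, integrity: moderate, availability: low}, overall high, and the coverage check reports 50 percent of high-risk systems tested against 100 percent of moderate-risk systems, so the prioritization flag is raised; the one uncategorized system is reported on its own line, mirroring the 9 percent of systems the testimony says had no risk level assigned.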
Actions are Needed to Improve FISMA Reporting and Underlying
Information Security Weaknesses:
There are actions that OMB and the agencies can take to improve FISMA
reporting and compliance and to address underlying weaknesses in
information security controls. In our July 2005 report,[Footnote 12] we
evaluated the adequacy and effectiveness of agencies' information
security policies and practices and the federal government's
implementation of FISMA requirements. We recommended that the Director
of OMB take actions in revising future FISMA reporting instructions to
increase the usefulness of the agencies' annual reports to oversight
bodies by:
* requiring agencies to report FISMA data by risk category;
* reviewing guidance to ensure the clarity of instructions;
* requesting the IGs report on the quality of additional agency
processes, such as the annual system reviews.
These recommendations were designed to strengthen reporting under FISMA
by encouraging more complete information on the implementation of
agencies' information security programs.
Consistent with our recommendation, OMB required agencies to report
certain performance measures by system risk level for the first time in
fiscal year 2005. As a result, we were able to identify potential areas
of concern in the agencies' implementation of FISMA. For example,
agencies do not appear to be prioritizing certain information security
control activities, such as annual review of contractor systems or
testing of contingency plans, based on system risk levels. For both of
these activities, federal implementation of the control is lower for
high-risk systems than it is for moderate or low-risk systems.
OMB has also taken steps to increase the clarity of instructions in
its annual guidance. It has removed several questions from prior
years that could have been subject to differing interpretations by the
IGs and the agencies. Those questions related to agency inventories and
to plans of actions and milestones. In addition, OMB clarified
reporting instructions for minimally acceptable configuration
requirements. The resulting reports are more consistent and, therefore,
easier to analyze and compare.
However, opportunities still exist to enhance reporting on the quality
of the agencies' information security-related processes. The
qualitative assessments of the certification and accreditation process
and the plans of actions and milestones have greatly enhanced
Congress', OMB's, and our understanding of the implementation of these
requirements at the agencies. Additional information on the quality of
agencies' processes for annually reviewing or testing systems, for
example, could improve understanding of these processes by examining
whether federal guidance is applied correctly, or whether weaknesses
discovered during the review or test are tracked for remediation.
Extending qualitative assessments to additional agency processes could
improve the information available on agency implementation of
information security requirements.
Federal Agencies Need to Take Actions to Increase FISMA Compliance and
Address Already Identified Information Security Weaknesses:
Agencies need to take action to implement the information security
management program mandated by FISMA and use that program to address
their outstanding information security weaknesses. An agencywide
security program provides a framework and continuing cycle of
activities for managing risk, developing security policies, assigning
responsibilities, and monitoring the adequacy of the entity's computer-
related controls. Without a well-designed program, security controls
may be inadequate; responsibilities may be unclear, misunderstood, or
improperly implemented; and controls may be inconsistently applied.
Such conditions may lead to insufficient protection of sensitive or
critical resources and disproportionately high expenditures for
controls over low-risk resources.
As we have previously reported,[Footnote 13] none of the 24 major
agencies has fully implemented agencywide information security programs
as required by FISMA. Agencies often did not adequately assess risks,
develop sufficient risk-based policies or procedures for information
security, ensure that existing policies and procedures were implemented
effectively, or monitor operations to ensure compliance and determine
the effectiveness of existing controls. Moreover, as demonstrated by
the 2005 FISMA reports, many agencies still do not have complete and
accurate inventories of their major systems. Until agencies effectively
and fully implement agencywide information security programs, federal
data and systems will not be adequately safeguarded against
unauthorized use, disclosure, and modification.
Agencies need to take action to implement and strengthen their
information security management programs. Such actions should include
completing and maintaining an accurate, complete inventory of major
systems, and prioritizing information security efforts based on system
risk levels. Strong incident procedures are necessary to detect,
report, and respond to security incidents effectively. Agencies also
should implement strong remediation processes that include processes
for planning, implementing, evaluating, and documenting remedial
actions to address any identified information security weaknesses.
Finally, agencies need to implement risk-based policies and procedures
that efficiently and effectively reduce information security risks to
an acceptable level.
Even as federal agencies are working to implement information security
management programs, they continue to have significant control
weaknesses in their computer systems that threaten the integrity,
reliability, and availability of federal information and systems. In
addition, these weaknesses place financial information at risk of
unauthorized modification or destruction, sensitive information at risk
of inappropriate disclosure, and critical operations at risk of
disruption.
The weaknesses appear in both access controls and other information
security controls defined in our audit methodology for performing
information security evaluations and audits.[Footnote 14] These areas
are (1) access controls, which ensure that only authorized individuals
can read, alter, or delete data; (2) software change controls, which
provide assurance that only authorized software programs are
implemented; (3) segregation of duties, which reduces the risk that one
individual can independently perform inappropriate actions without
detection; (4) continuity of operations planning, which provides for
the prevention of significant disruptions of computer-dependent
operations; and (5) an agencywide security program, which provides the
framework for ensuring that risks are understood and that effective
controls are selected and properly implemented.
In the 24 major agencies' fiscal year 2005 reporting regarding their
financial systems, 6 reported information security as a material
weakness and 14 reported it as a reportable condition.[Footnote 15] Our
audits also identified similar weaknesses in nonfinancial systems. In
our prior reports, we have made specific recommendations to the
agencies to mitigate identified information security weaknesses. The
IGs have also made specific recommendations as part of their
information security review work.
Agencies Should Address Weaknesses in Access Controls:
Agencies would benefit from addressing common weaknesses in access
controls. As we have previously reported, the majority of the 24 major
agencies had access control weaknesses.[Footnote 16] A basic management
control objective for any organization is to protect data supporting
its critical operations from unauthorized access, which could lead to
improper modification, disclosure, or deletion of the data. Based on
our previous work performing information security audits, agencies can
take steps to enhance the four basic areas of access controls:
* User identification and authentication. To enable a computer system
to identify and differentiate users so that activities on the system
can be linked to specific individuals, agencies assign unique user
accounts to specific users, a process called identification.
Authentication is the method or methods by which a system establishes
the validity of a user's claimed identity. Agencies need to implement
strong user identification and authentication controls.
* User access rights and file permissions. The concept of "least
privilege" is a basic underlying principle for securing computer
systems and data. It means that users are granted only those access
rights and file permissions that they need to do their work. Agencies
would benefit from establishing the concept of least privilege as the
basis for all user rights and permissions.
* Network services and devices. Sensitive programs and information are
stored on networks, which are collections of interconnected computer
systems and devices that allow users to share resources. Organizations
secure their networks, in part, by installing and configuring network
devices that permit authorized requests and limit services that are
available.[Footnote 17] Agencies need to put in place strong controls
that ensure only authorized access to their networks.
* Audit and monitoring of security-related events. To establish
individual accountability, monitor compliance with security policies,
and investigate security violations, it is crucial that agencies
implement system or security software that provides an audit trail that
they can use to determine the source of a transaction, or to monitor
the activities of users on the agencies' systems. To detect and prevent
unauthorized activity, agencies should have strong monitoring and
auditing capabilities.
Agencies Need to Act to Implement Other Information Security Controls:
In addition to electronic access controls, other important controls
should be in place to ensure the security and reliability of an
agency's data.
* Software change controls. Counteracting identified weaknesses in
software change controls would help agencies ensure that software was
updated correctly and that changes to computer systems were properly
approved. Software change controls ensure that only authorized and
fully tested software is placed in operation. These controls--which
also limit and monitor access to powerful programs and sensitive files
associated with computer operations--are important in providing
reasonable assurance that access controls are not compromised and that
the system will not be impaired. These policies, procedures, and
techniques help to ensure that all programs and program modifications
are properly authorized, tested, and approved. Failure to implement
these controls increases the risk that unauthorized programs or changes
could be--inadvertently or deliberately--placed into operation.
* Segregation of duties. Agencies have opportunities to implement
effective segregation of duties to address the weaknesses identified in
this area. Segregation of duties refers to the policies, procedures,
and organizational structure that help to ensure that one individual
cannot independently control all key aspects of a process or computer-
related operation and thereby conduct unauthorized actions or gain
unauthorized access to assets or records. Proper segregation of duties
is achieved by dividing responsibilities among two or more individuals
or organizational groups. For example, agencies need to segregate
duties to ensure that individuals cannot add fictitious users to a
system, assign them elevated access privileges, and perform
unauthorized activities without detection. Without adequate segregation
of duties, there is an increased risk that erroneous or fraudulent
transactions can be processed, improper program changes implemented,
and computer resources damaged or destroyed.
* Continuity of operations. The majority of agencies could benefit from
having adequate continuity of operations planning. An organization must
take steps to ensure that it is adequately prepared to cope with the
loss of operational capabilities due to earthquake, fire, accident,
sabotage, or any other disruption. An essential element in preparing
for such catastrophes is an up-to-date, detailed, and fully tested
continuity of operations plan. To ensure that the plan is complete and
fully understood by all key staff, it should be tested, including
surprise tests, and test plans and results documented to provide a
basis for improvement. Among the aspects of continuity planning that
agencies need to address are: (1) ensuring that plans contain
adequate contact information for emergency communications; (2)
documenting the location of all vital records for the agencies and
methods of updating those records in an emergency; and (3) conducting
tests, training, or exercises frequently enough to have assurance that
the plan would work in an emergency. Losing the capability to process,
retrieve, and protect information that is maintained electronically can
significantly affect an agency's ability to accomplish its mission.
* Physical security. Physical security controls are important for
protecting computer facilities and resources from espionage, sabotage,
damage, and theft. These controls restrict physical access to computer
resources, usually by limiting access to the buildings and rooms in
which the resources are housed. With inadequate physical security,
there is increased risk that unauthorized individuals could gain access
to sensitive computing resources and data and inadvertently or
deliberately misuse or destroy them.
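The audit-and-monitoring bullet above says an audit trail should let an agency trace the source of a transaction, and the segregation-of-duties bullet gives the concrete case to watch for: one individual adding a user and then assigning it elevated privileges. The following Python is an added example, not code from the testimony or from any agency, of how a defender can join those two controls by running a segregation-of-duties check over an audit trail. The log line format (timestamp, actor, action, target), the action names, and the user names are all constructed for this example; a real system's audit records would need their own parser, but the check itself is the same.

```python
"""Segregation-of-duties check over an audit trail.

Added example, not part of the GAO testimony. The log format, action
names and users are constructed; only the detection logic is the point.
Each line has the form:
    <timestamp> actor=<user> action=<verb> target=<user>
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# Constructed sample audit trail. jsmith both creates tmp_admin and grants it
# the admin role (no second person involved); bjones is created by amartin and
# granted admin by rchen, which is a properly segregated two-person flow.
SAMPLE_LOG = """\
2005-09-01T08:00:00Z actor=jsmith action=create_user target=tmp_admin
2005-09-01T08:01:10Z actor=jsmith action=grant_role:admin target=tmp_admin
2005-09-01T09:15:00Z actor=amartin action=create_user target=bjones
this line is malformed and should be skipped, not crash the audit
2005-09-01T10:30:00Z actor=rchen action=grant_role:admin target=bjones
2005-09-01T11:00:00Z actor=bjones action=login target=bjones
"""


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped so one bad
    record cannot abort the whole review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def sod_violations(events, privileged_roles=("admin",)):
    """Return [(actor, target)] for every account that the same actor both
    created and later granted a privileged role: the single-person path the
    testimony says segregation of duties must rule out."""
    creator = {}  # target account -> actor who created it
    findings = []
    for e in events:
        if e["action"] == "create_user":
            creator[e["target"]] = e["actor"]
        elif e["action"].startswith("grant_role:"):
            role = e["action"].split(":", 1)[1]
            if role in privileged_roles and creator.get(e["target"]) == e["actor"]:
                findings.append((e["actor"], e["target"]))
    return findings


def accounts_with_privilege(events, privileged_roles=("admin",)):
    """Audit-trail view: every privileged grant with the two actors involved,
    so a reviewer can see at a glance where a second person was (or was not)
    in the loop."""
    creator = {}
    grants = []
    for e in events:
        if e["action"] == "create_user":
            creator[e["target"]] = e["actor"]
        elif e["action"].startswith("grant_role:"):
            role = e["action"].split(":", 1)[1]
            if role in privileged_roles:
                grants.append((e["target"], creator.get(e["target"]), e["actor"]))
    return grants


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evts)} events")
    for target, created_by, granted_by in accounts_with_privilege(evts):
        print(f"{target}: created by {created_by}, admin granted by {granted_by}")
    for actor, target in sod_violations(evts):
        print(f"SoD violation: {actor} created {target} and granted it a privileged role")
```

On the constructed log the check reports one finding, jsmith creating and then elevating tmp_admin, while the bjones account, created by one person and elevated by another, is listed but not flagged. The same structure extends to other pairs of duties the testimony names, such as the person who submits a program change and the person who approves it, by changing the two action names that must not share an actor.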
In summary, through the continued emphasis of information security by
Congress, the administration, agency management, and the accountability
community, the federal government has seen improvements in its
information security. However, despite the advances shown by increases
in key performance measures, progress remains mixed. If information
security is to continue to improve, agency management must remain
committed to the implementation of FISMA and the information security
management program it mandates. Only through the development of strong
IT security management can the agencies address the persistent, long-
standing weaknesses they face in information security controls.
Mr. Chairman, this concludes my statement. I would be happy to answer
any questions that you or members of the Committee may have at this
time. Should you have any questions about this testimony, please
contact me at (202) 512-6244. I can also be reached by e-mail at
wilshuseng@gao.gov. Individuals making key contributions to this
testimony include Suzanne Lightman, Assistant Director, Larry Crosland,
Joanne Fiorino, and Mary Marshall.
FOOTNOTES
[1] Federal Information Security Management Act of 2002, Title III, E-
Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002.
[2] GAO, Information Security: Opportunities for Improved OMB Oversight
of Agency Practices, GAO/AIMD-96-110 (Washington, D.C.: Sept. 24, 1996).
[3] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
Jan. 2005).
[4] These 24 departments and agencies are the Departments of
Agriculture, Commerce, Defense, Education, Energy, Health and Human
Services, Homeland Security, Housing and Urban Development, Interior,
Justice, Labor, State, Transportation, Treasury, and Veterans Affairs;
the Environmental Protection Agency, General Services Administration,
Office of Personnel Management, National Aeronautics and Space
Administration, National Science Foundation, Nuclear Regulatory
Commission, Small Business Administration, Social Security
Administration, and U.S. Agency for International Development.
[5] GAO, Information Security: Weaknesses Persist at Federal Agencies
Despite Progress Made in Implementing Related Statutory Requirements,
GAO-05-552 (Washington, D.C.: July 15, 2005).
[6] GAO, Fiscal Year 2005 U.S. Government Financial Statements:
Sustained Improvement and Financial Management is Crucial to Addressing
our Nation's Financial Conditions and Long-term Fiscal Imbalance, GAO-
06-406T (Washington, D.C.: March 1, 2006).
[7] A material weakness is a condition that precludes the entity's
internal control from providing reasonable assurance that
misstatements, losses, or noncompliance material in relation to the
financial statements or to stewardship information would be prevented
or detected on a timely basis.
[8] Agency management officials are required to formally authorize
their information systems to process information and, thereby accept
the risk associated with their operation. This management authorization
(accreditation) is to be supported by a formal technical evaluation
(certification) of the management, operational, and technical controls
established in an information system's security plan.
[9] Office of Management and Budget, FY2005 Report to Congress on the
Implementation of the Federal Information Security Management Act of
2002 (Washington, D.C.: March 2006).
[10] OMB includes the Smithsonian Institution in its list of major
agencies. Our analysis in this testimony does not include the
Smithsonian Institution.
[11] GAO, Executive Guide: Information Security Management: Learning
From Leading Organizations, GAO/AIMD-98-68 (May 1998).
[12] GAO-05-552
[13] GAO-05-552
[14] GAO, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999). This methodology is used for
our information security controls evaluations and audits, as well as by
the IGs for the information security control work done as part of
financial audits at the agencies.
[15] Reportable conditions are significant deficiencies in the design
or operation of internal control that could adversely affect the
entity's ability to record, process, summarize, and report financial
data consistent with the assertions of management in the financial
statements.
[16] GAO-05-552
[17] Devices used to secure networks include (1) firewalls that prevent
unauthorized access to the network; (2) routers that filter and forward
data; (3) switches that forward information through segments of a
network; and, (4) servers that host applications and data.