Information Security

Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses Gao ID: GAO-09-546 July 17, 2009

For many years, GAO has reported that weaknesses in information security are a widespread problem that can have serious consequences--such as intrusions by malicious users, compromised networks, and the theft of intellectual property and personally identifiable information--and has identified information security as a governmentwide high-risk issue since 1997. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which authorized and strengthened information security program, evaluation, and reporting requirements for federal agencies. In accordance with the FISMA requirement that the Comptroller General report periodically to Congress, GAO's objectives were to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) federal agencies' implementation of FISMA requirements. To address these objectives, GAO analyzed agency, inspectors general, Office of Management and Budget (OMB), and GAO reports.

Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft. For fiscal year 2008, almost all 24 major federal agencies had weaknesses in information security controls. An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs. As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise. In prior reports, GAO has made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls. Federal agencies reported increased compliance in implementing key information security control activities for fiscal year 2008; however, inspectors general at several agencies noted shortcomings with agencies' implementation of information security requirements. Agencies reported increased implementation of control activities, such as providing awareness training for employees and testing system contingency plans. However, agencies reported decreased levels of testing security controls and training for employees who have significant security responsibilities. In addition, inspectors general at several agencies disagreed with performance reported by their agencies and identified weaknesses in the processes used to implement these activities. Further, although OMB took steps to clarify its reporting instructions to agencies for preparing fiscal year 2008 reports, the instructions did not request inspectors general to report on agencies' effectiveness of key activities and did not always provide clear guidance to inspectors general. As a result, the reporting may not adequately reflect agencies' implementation of the required information security policies and procedures.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


GAO-09-546, Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses This is the accessible text file for GAO report number GAO-09-546 entitled 'Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses' which was released on July 17, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: United States Government Accountability Office: GAO: July 2009: Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses: GAO-09-546: GAO Highlights: Highlights of GAO-09-546, a report to congressional committees. Why GAO Did This Study: For many years, GAO has reported that weaknesses in information security are a widespread problem that can have serious consequences” such as intrusions by malicious users, compromised networks, and the theft of intellectual property and personally identifiable information” and has identified information security as a governmentwide high-risk issue since 1997. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which authorized and strengthened information security program, evaluation, and reporting requirements for federal agencies. In accordance with the FISMA requirement that the Comptroller General report periodically to Congress, GAO‘s objectives were to evaluate (1) the adequacy and effectiveness of agencies‘ information security policies and practices and (2) federal agencies‘ implementation of FISMA requirements. To address these objectives, GAO analyzed agency, inspectors general, Office of Management and Budget (OMB), and GAO reports. What GAO Found: Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft. For fiscal year 2008, almost all 24 major federal agencies had weaknesses in information security controls (see figure). An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs. As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise. In prior reports, GAO has made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls. Federal agencies reported increased compliance in implementing key information security control activities for fiscal year 2008; however, inspectors general at several agencies noted shortcomings with agencies‘ implementation of information security requirements. Agencies reported increased implementation of control activities, such as providing awareness training for employees and testing system contingency plans. However, agencies reported decreased levels of testing security controls and training for employees who have significant security responsibilities. In addition, inspectors general at several agencies disagreed with performance reported by their agencies and identified weaknesses in the processes used to implement these activities. Further, although OMB took steps to clarify its reporting instructions to agencies for preparing fiscal year 2008 reports, the instructions did not request inspectors general to report on agencies‘ effectiveness of key activities and did not always provide clear guidance to inspectors general. As a result, the reporting may not adequately reflect agencies‘ implementation of the required information security policies and procedures. Figure: Information Security Weaknesses at Major Federal Agencies for Fiscal Year 2008: [Refer to PDF for image: vertical bar graph] Weakness category: Access control; Number of agencies: 23. Weakness category: Configuration management; Number of agencies: 21, Weakness category: Segregation of duties; Number of agencies: 14. Weakness category: Continuity of operations; Number of agencies: 17. Weakness category: Security management; Number of agencies: 23. Source: GAO analysis of IG, agency, and GAO reports. [End of figure] What GAO Recommends: GAO is recommending that the Director of OMB take several actions, including revising guidance. OMB generally agreed with GAO‘s overall assessment of information security at agencies, but did not concur with one aspect of GAO‘s assessment of OMB‘s review activities. View [hyperlink, http://www.gao.gov/products/GAO-09-546] or key components. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Contents: Letter: Background: Weaknesses in Information Security Place Sensitive Information at Risk: Agencies Continue to Report Progress in Implementing Requirements: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Comments from the Office of Management and Budget: Appendix III: Cybersecurity Experts Highlighted Key Improvements for Strengthening the Nation's Cyber Security: Appendix IV: GAO Contact and Staff Acknowledgments: Related GAO Products: Tables: Table 1: Total Number of Agency and Contractor Systems in FY 2007 and FY 2008 by Impact Level: Table 2: Key Improvements Needed to Strengthen the Nation's Cybersecurity Posture: Figures: Figure 1: Incidents Reported to US-CERT, FY 2006-FY 2008: Figure 2: Percentage of Incidents Reported to US-CERT in FY06-FY08 by Category: Figure 3: Number of Major Agencies Reporting Significant Deficiencies in Information Security: Figure 4: Information Security Weaknesses at 24 Major Agencies for FY 2008: Figure 5: Control Weaknesses Identified in GAO Reports, May 2007-April 2009: Figure 6: Reported Data for Selected Performance Metrics for 24 Major Agencies: Figure 7: Specialized Training for 24 Major Agencies: Abbreviations: CD: compact disk: CIO: chief information officer: FISMA: Federal Information Security Management Act of 2002: IG: Inspector General: IP: Internet Protocol: NIST: National Institute of Standards and Technology: OMB: Office of Management and Budget: POA&M: Plan of Action and Milestones: US-CERT: U.S. Computer Emergency Readiness Team: US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: [End of section] United States Government Accountability Office: Washington, DC 20548: July 17, 2009: The Honorable Joseph I. Lieberman: Chairman: The Honorable Susan M. Collins: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Edolphus Towns: Chairman: The Honorable Darrell Issa: Ranking Member: Committee on Oversight and Government Reform: House of Representatives: Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. It is especially important for government agencies, where the public's trust is essential. The need for a vigilant approach to information security is demonstrated by the increase in reports of security incidents, the wide availability of hacking tools, and steady advances in the sophistication and effectiveness of attack technology. Over the past few years, 24 major federal agencies[Footnote 1] have reported numerous security incidents in which sensitive information has been lost or stolen, including personally identifiable information, which has exposed millions of Americans to a loss of privacy, identity theft, and other financial crimes. Since 1997, we have identified information security as a governmentwide high-risk issue in our biennial reports to Congress.[Footnote 2] Concerned by reports of significant weaknesses in federal computer systems, Congress passed the Federal Information Security Management Act (FISMA) of 2002,[Footnote 3] which requires agencies to develop and implement an information security program, evaluation processes, and annual reporting. FISMA requires mandated annual reports by federal agencies, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). FISMA also includes a requirement for independent annual evaluations by the agencies' inspectors general or independent external auditors. In accordance with the FISMA requirement that we report periodically to Congress, our objectives were to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) federal agencies' implementation of FISMA requirements. To accomplish these objectives, we analyzed agency, inspector general, OMB, and our reports on information security. Where possible, we categorized findings from those reports into areas defined by FISMA and the Federal Information System Controls Audit Manual.[Footnote 4] We did not include systems categorized as national security systems in our review, nor did we review the adequacy or effectiveness of the security policies and practices for those systems. We conducted this performance audit from December 2008 to May 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. For more details on our objectives, scope, and methodology, see appendix I. Background: Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain and manipulate sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. The risks to federal systems are well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology. Recognizing the importance of securing federal systems and data, Congress passed FISMA in 2002. The act sets forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. FISMA's framework creates a cycle of risk management activities necessary for an effective security program; these activities are similar to the principles noted in our study of the risk management activities of leading private-sector organizations[Footnote 5]-- assessing risk, establishing a central management focal point, implementing appropriate policies and procedures, promoting awareness, and monitoring and evaluating policy and control effectiveness. In order to ensure the implementation of this framework, the act assigns specific responsibilities to agency heads, chief information officers, inspectors general, and NIST. It also assigns responsibilities to OMB that include developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, and reviewing agency information security programs, at least annually, and approving or disapproving them. Agency Responsibilities: FISMA requires each agency, including agencies with national security systems, to develop, document, and implement an agencywide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Specifically, FISMA requires information security programs to include, among other things: * periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems; * risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system; * subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate; * security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency; * periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems; * a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency; * procedures for detecting, reporting, and responding to security incidents; and: * plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. In addition, agencies must produce an annually updated inventory of major information systems (including major national security systems) operated by the agency or under its control, which includes an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency. FISMA also requires each agency to report annually to OMB, selected congressional committees, and the Comptroller General on the adequacy of its information security policies, procedures, practices, and compliance with requirements. In addition, agency heads are required to report annually the results of their independent evaluations to OMB, except to the extent that an evaluation pertains to a national security system; then only a summary and assessment of that portion of the evaluation needs to be reported to OMB. Responsibilities of NIST: Under FISMA, NIST is tasked with developing, for systems other than national security systems, standards and guidelines that must include, at a minimum (1) standards to be used by all agencies to categorize all their information and information systems based on the objectives of providing appropriate levels of information security, according to a range of risk levels; (2) guidelines recommending the types of information and information systems to be included in each category; and (3) minimum information security requirements for information and information systems in each category. NIST must also develop a definition of and guidelines for detection and handling of information security incidents as well as guidelines developed in conjunction with the Department of Defense and the National Security Agency for identifying an information system as a national security system. The law also assigns other information security functions to NIST, including: * providing technical assistance to agencies on elements such as compliance with the standards and guidelines and the detection and handling of information security incidents; * evaluating private-sector information security policies and practices and commercially available information technologies to assess potential application by agencies; * evaluating security policies and practices developed for national security systems to assess their potential application by agencies; and: * conducting research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost- effective information security. As required by FISMA, NIST has prepared its annual public report on activities undertaken in the previous year and planned for the coming year. In addition, NIST's FISMA initiative supports the development of a program for credentialing public and private sector organizations to provide security assessment services for federal agencies. Responsibilities of Inspectors General: Under FISMA, the inspector general for each agency shall perform an independent annual evaluation of the agency's information security program and practices. The evaluation should include testing of the effectiveness of information security policies, procedures, and practices of a representative subset of agency systems. In addition, the evaluation must include an assessment of the compliance with the act and any related information security policies, procedures, standards, and guidelines. For agencies without an inspector general, evaluations of non-national security systems must be performed by an independent external auditor. Evaluations related to national security systems are to be performed by an entity designated by the agency head. Responsibilities of OMB: FISMA states that the Director of OMB shall oversee agency information security policies and practices, including: * developing and overseeing the implementation of policies, principles, standards, and guidelines on information security; * requiring agencies to identify and provide information security protections commensurate with risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency, or information systems used or operated by an agency, or by a contractor of an agency, or other organization on behalf of an agency; * overseeing agency compliance with FISMA to enforce accountability; and: * reviewing at least annually, and approving or disapproving, agency information security programs. In addition, the act requires that OMB report to Congress no later than March 1 of each year on agency compliance with FISMA. Weaknesses in Information Security Place Sensitive Information at Risk: Significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies. Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk. Consequently, we have made hundreds of recommendations to agencies to address these security control deficiencies. Reported Incidents Are on the Rise and Place Sensitive Information at Risk: Since our report in July 2007, federal agencies have reported a spate of security incidents that have put sensitive data at risk, thereby exposing the personal information of millions of Americans to the loss of privacy and potential harm associated with identity theft. Agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices. The following examples, reported in 2008 and 2009, illustrate that a broad array of federal information and assets remain at risk. * In May 2009, the Department of Transportation Inspector General issued the results of an audit of Web applications security and intrusion detection in air traffic control systems at the Federal Aviation Administration (FAA). The inspector general reported that Web applications used in supporting air traffic control systems operations were not properly secured to prevent attacks or unauthorized access. To illustrate, vulnerabilities found in Web application computers associated with the Traffic Flow Management Infrastructure System, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower allowed audit staff to gain unauthorized access to data stored on these computers, including program source code and sensitive personally identifiable information. In addition, the inspector general reported that it found a vulnerability on FAA Web applications that could allow attackers to execute malicious codes on FAA users' computers, which was similar to an actual incident that occurred in August 2008. In February 2009, the FAA notified employees that an agency computer had been illegally accessed and employee personal identity information had been stolen electronically. Two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA payrolls as of the first week of February 2006. Law enforcement agencies were notified and are investigating the data theft. * In March 2009, U.S. Congressman Jason Altmire and U.S. Senator Bob Casey announced that they had sent a letter to the Under Secretary of Defense for Acquisition, Technology, and Logistics, asking for additional information on a recent security breach of the presidential helicopter, Marine One. According to the announcement, in February 2009, a company based in Cranberry, Pennsylvania, discovered that engineering and communications documents containing key details about the Marine One fleet had been downloaded to an Internet Protocol (IP) address in Iran. The documents were traced back to a defense contractor in Maryland, where an employee most likely downloaded a file-sharing program that inadvertently allowed others to access this information. According to information from the Congressman's Web site, recent reports have said that the federal government was warned last June that an Internet Web site with an IP address traced to Iran was actively seeking this information. * In March 2009, the United States Computer Emergency Readiness Team (US-CERT) issued an updated notice to warn agencies and organizations of the Conficker/Downadup worm activity and to help prevent further compromises from occurring. In the notice, US-CERT warned that the Conficker/Downadup worm could infect a Microsoft Windows system from a thumb drive, a network share, or directly across a network if the host is not patched. * According to a March 2009 media release from Senator Bill Nelson's office, cyber-invaders thought to be in China hacked into the computer network in Senator Nelson's office. There were two attacks on the same day in March 2009, and another one in February 2009 that targeted work stations used by three of Senator Nelson's staffers. The hackers were not able to take any classified information because that information is not kept on office computers, a spokesman said. The media release stated that similar incursions into computer networks in Congress were up significantly in the past few months. * The Department of Energy's Office of Health, Safety, and Security announced that a password-protected compact disk (CD) had been lost during a routine shipment on January 28, 2009. The CD contained personally identifiable information for 59,617 individuals who currently work or formerly worked at facilities at the Department of Energy's Idaho site. The investigation verified that protection measures had been applied in accordance with requirements applicable to organizations working under cooperative agreements and surmised that while the CD had been lost for 8 weeks at the time of the investigation, no evidence had been found that revealed that the personal information on the lost disk had been compromised. The investigation concluded that OMB and Department of Energy requirements for managing and reporting the loss of the information had not been transmitted to the appropriate organizations and that there was a failure to provide timely notifications of the actual or suspected loss of information in this incident. * In January 2009, the Program Director of the Office of Personnel and Management's USAJOBS Web site announced that their technology provider's (Monster.com) database had been illegally accessed and contact and account data had been taken, including user IDs and passwords, e-mail addresses, names, phone numbers, and some basic demographic data. The director pointed out that e-mail could be used for phishing activity and advised users to change their site login password. * In December 2008, the Federal Emergency Management Administration was alerted to an unauthorized breach of private information when an applicant notified it that his personal information pertaining to Hurricane Katrina had been posted on the Internet. The information posted to Web sites contained a spreadsheet with 16,857 lines of data that included applicant names, social security numbers, addresses, telephone numbers, e-mail addresses, and other information on disaster applicants who had evacuated to Texas. According to the Federal Emergency Management Administration, it took action to work with the Web site hosting the private information, and have that information removed from public view. Additionally, the agency reported that it worked to remove the same information from a second Web site. Further, the agency stated that while it believed most of the applicant information posted on the Web sites were properly released by them to a state agency, it did not authorize the subsequent public posting of much of this data. * In June 2008, the Walter Reed Army Medical Center reported that officials were investigating the possible disclosure of personally identifiable information through unauthorized sharing of a data file containing the names of approximately 1,000 Military Health System beneficiaries. Walter Reed officials were notified of the possible exposure on May 21 by an outside company. Preliminary results of an ongoing investigation identified a computer from which the data had apparently been compromised. Data security personnel from Walter Reed and the Department of the Army think it is possible that individuals named in the file could become victims of identity theft. The compromised data file did not include protected health information such as medical records, diagnosis, or prognosis for patients. * In March 2008, media reports surfaced noting that the passport files of three U.S. senators, who were also presidential candidates, had been improperly accessed by Department of State employees and contractor staff. As of April 2008, the system contained records on about 192 million passports for about 127 million passport holders. These records included personally identifiable information, such as the applicant's name, gender, social security number, date and place of birth, and passport number. In July 2008, after investigating this incident, the Department of State's Office of Inspector General reported many control weaknesses--including a general lack of policies, procedures, guidance, and training--relating to the prevention and detection of unauthorized access to passport and applicant information and the subsequent response and disciplinary processes when a potential unauthorized access is substantiated. When incidents occur, agencies are to notify the federal information security incident center--US-CERT. As shown in figure 1, the number of incidents reported by federal agencies to US-CERT has risen dramatically over the past 3 years, increasing from 5,503 incidents reported in fiscal year 2006 to 16,843 incidents in fiscal year 2008 (slightly more than 200 percent). Figure 1: Incidents Reported to US-CERT, FY 2006-FY 2008: [Refer to PDF for image: vertical bar graph] FY 2006: 5,503; FY 2007: 11,910; FY 2008: 16,842. Source: GAO analysis of US-CERT data. [End of figure] Agencies report the following types of incidents based on US-CERT- defined categories: * Unauthorized access: Gaining logical or physical access without permission to a federal agency's network, system, application, data, or other resource. * Denial of service: Preventing or impairing the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in a denial of service attack. * Malicious code: Installing malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are not required to report malicious logic that has been successfully quarantined by antivirus software. * Improper usage: Violating acceptable computing use policies. * Scans/probes/attempted access: Accessing or identifying a federal agency computer, open ports, protocols, service, or any combination of these for later exploit. This activity does not directly result in a compromise or denial of service. Under investigation: Investigating unconfirmed incidents that are potentially malicious, or anomalous activity deemed by the reporting entity to warrant further review. As noted in figure 2, the three most prevalent types of incidents reported to US-CERT during fiscal years 2006 through 2008 were unauthorized access, improper usage, and investigation (see fig. 2). Figure 2: Percentage of Incidents Reported to US-CERT in FY06-FY08 by Category: [Refer to PDF for image: pie-chart] Investigation: 34%; Improper usage: 22%; Unauthorized access: 18%; Malicious code: 14%; Scans/probes/attempted access: 12%; Denial of service: less than 1%. Source: GAO analysis of US-CERT data. [End of figure] Weaknesses in Controls Highlight Deficiencies in the Implementation of Security Policies and Practices: Reviews at federal agencies continue to highlight deficiencies in their implementation of security policies and procedures. In their fiscal year 2008 performance and accountability reports, 20 of the 24 agencies indicated that inadequate information security controls were either a material weakness or a significant deficiency[Footnote 6] (see fig. 3). Figure 3: Number of Major Agencies Reporting Significant Deficiencies in Information Security: [Refer to PDF for image: pie-chart] Significant deficiency: 13; Material weakness: 7; No significant weakness: 4. Source: GAO analysis of agency performance and accountability reports for FY 2008. [End of figure] Similarly, in annual reports required under 31 U.S.C. § 3512 (commonly referred to as the Federal Managers' Financial Integrity Act of 1982), [Footnote 7] 11 of 24 agencies identified material weaknesses in information security. Inspectors general have also noted weaknesses in information security, with 22 of 24 identifying it as a "major management challenge" for their agency.[Footnote 8] Similarly, our audits have identified control deficiencies in both financial and nonfinancial systems, including vulnerabilities in critical federal systems. For example: * In 2009, we reported that security weaknesses at the Securities and Exchange Commission continued to jeopardize the confidentiality, integrity, and availability of the commission's financial and sensitive information and information systems.[Footnote 9] Although the commission had made progress in correcting previously reported information security control weaknesses, it had not completed action to correct 16 weaknesses. In addition, we identified 23 new weaknesses in controls intended to restrict access to data and systems. Thus, the commission had not fully implemented effective controls to prevent, limit, or detect unauthorized access to computing resources. For example, it had not always (1) consistently enforced strong controls for identifying and authenticating users, (2) sufficiently restricted user access to systems, (3) encrypted network services, (4) audited and monitored security-relevant events for its databases, and (5) physically protected its computer resources. The Securities and Exchange Commission also had not consistently ensured appropriate segregation of incompatible duties or adequately managed the configuration of its financial information systems. As a result, the Securities and Exchange Commission was at increased risk of unauthorized access to and disclosure, modification, or destruction of its financial information, as well as inadvertent or deliberate disruption of its financial systems, operations, and services. The Securities and Exchange Commission agreed with our recommendations and stated that it plans to address the identified weaknesses. * In 2009, we reported that the Internal Revenue Service had made progress toward correcting prior information security weaknesses, but continued to have weaknesses that could jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.[Footnote 10] These deficiencies included some related to controls that are intended to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities, as well as a control important in mitigating software vulnerability risks. For example, the agency continued to, among other things, allow sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network and to grant excessive access to individuals who do not need it. In addition, the Internal Revenue Service had systems running unsupported software that could not be patched against known vulnerabilities. Until those weaknesses are corrected, the Internal Revenue Service remains vulnerable to insider threats and is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services. The IRS agreed to develop a plan addressing each of our recommendations. * In 2008, we reported that although the Los Alamos National Laboratory--one of the nation's weapons laboratories--implemented measures to enhance the information security of its unclassified network, vulnerabilities continued to exist in several critical areas, including (1) identifying and authenticating users of the network, (2) encrypting sensitive information, (3) monitoring and auditing compliance with security policies, (4) controlling and documenting changes to a computer system's hardware and software, and (5) restricting physical access to computing resources.[Footnote 11] As a result, sensitive information on the network--including unclassified controlled nuclear information, naval nuclear propulsion information, export control information, and personally identifiable information-- were exposed to an unnecessary risk of compromise. Moreover, the risk was heightened because about 300 (or 44 percent) of 688 foreign nationals who had access to the unclassified network as of May 2008 were from countries classified as sensitive by the Department of Energy, such as China, India, and Russia. While the organization did not specifically comment on our recommendations, it agreed with the conclusions. * In 2008, we reported that the Tennessee Valley Authority had not fully implemented appropriate security practices to secure the control systems used to operate its critical infrastructures at facilities we reviewed.[Footnote 12] Multiple weaknesses within the Tennessee Valley Authority corporate network left it vulnerable to potential compromise of the confidentiality, integrity, and availability of network devices and the information transmitted by the network. For example, almost all of the workstations and servers that we examined on the corporate network lacked key security patches or had inadequate security settings. Furthermore, Tennessee Valley Authority had not adequately secured its control system networks and devices on these networks, leaving the control systems vulnerable to disruption by unauthorized individuals. In addition, we reported that the network interconnections provided opportunities for weaknesses on one network to potentially affect systems on other networks. Specifically, weaknesses in the separation of network segments could allow an individual who had gained access to a computing device connected to a less secure portion of the network to be able to compromise systems in a more secure portion of the network, such as the control systems. As a result, Tennessee Valley Authority's control systems were at increased risk of unauthorized modification or disruption by both internal and external threats and could affect its ability to properly generate and deliver electricity. The Tennessee Valley Authority agreed with our recommendations and provided information on steps it was taking to implement them. * In 2007, we reported that the Department of Homeland Security had significant weaknesses in computer security controls surrounding the information systems used to support its U.S. Visitor and Immigrant Status Technology (US-VISIT) program for border security.[Footnote 13] For example, it had not implemented controls to effectively prevent, limit, and detect access to computer networks, systems, and information. Specifically, it had not (1) adequately identified and authenticated users in systems supporting US-VISIT; (2) sufficiently limited access to US-VISIT information and information systems; (3) ensured that controls adequately protected external and internal network boundaries; (4) effectively implemented physical security at several locations; (5) consistently encrypted sensitive data traversing the communication network; and (6) provided adequate logging or user accountability for the mainframe, workstations, or servers. In addition, it had not always ensured that responsibilities for systems development and system production had been sufficiently segregated and had not consistently maintained secure configurations on the application servers and workstations at a key data center and ports of entry. As a result, increased risk existed that unauthorized individuals could read, copy, delete, add, and modify sensitive information--including personally identifiable information--and disrupt service on Customs and Border Protection systems supporting the US- VISIT program. The department stated that it directed Customs and Border Protection to complete remediation activities to address each of our recommendations. Weaknesses Persist in All Major Categories of Controls: According to our reports and those of agency inspectors general, persistent weaknesses appear in the five major categories of information system controls: (1) access controls, which ensure that only authorized individuals can read, alter, or delete data; (2) configuration management controls, which provide assurance that only authorized software programs are implemented; (3) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (4) continuity of operations planning, which provides for the prevention of significant disruptions of computer-dependent operations; and (5) an agencywide information security program, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. Most agencies continue to have weaknesses in each of these categories, as shown in figure 4. Figure 4: Information Security Weaknesses at 24 Major Agencies for FY 2008: [Refer to PDF for image: vertical bar graph] Weakness category: Access control; Number of agencies: 23. Weakness category: Configuration management; Number of agencies: 21, Weakness category: Segregation of duties; Number of agencies: 14. Weakness category: Continuity of operations; Number of agencies: 17. Weakness category: Security management; Number of agencies: 23. Source: GAO analysis of IG, agency, and GAO reports. [End of figure] Access Controls Were Not Adequate: Agencies use access controls to limit, prevent, or detect inappropriate access to computer resources (data, equipment, and facilities), thereby protecting them from unauthorized use, modification, disclosure, and loss. Such controls include both electronic and physical controls. Electronic access controls include those related to boundary protection, user identification and authentication, authorization, cryptography, and auditing and monitoring. Physical access controls are important for protecting computer facilities and resources from espionage, sabotage, damage, and theft. These controls involve restricting physical access to computer resources, usually by limiting access to the buildings and rooms in which they are housed and enforcing usage restrictions and implementation guidance for portable and mobile devices. At least 23 major federal agencies had access control weaknesses during fiscal year 2008. An analysis of our reports reveals that 48 percent of information security control weaknesses pertained to access controls (see figure 5). For example, agencies did not consistently (1) establish sufficient boundary protection mechanisms; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply encryption to protect sensitive data on networks and portable devices; (5) log, audit, and monitor security-relevant events; and (6) establish effective controls to restrict physical access to information assets. Without adequate access controls in place, agencies cannot ensure that their information resources are protected from intentional or unintentional harm. Figure 5: Control Weaknesses Identified in GAO Reports, May 2007-April 2009: [Refer to PDF for image: pie-chart] Access controls: 48%; Security management: 31%; Configuration management: 18%; Contingency planning: 2%; Segregation of duties: 1%. Source: GAO analysis of prior GAO reports. [End of figure] Boundary Protection: Boundary protection controls logical connectivity into and out of networks and controls connectivity to and from network connected devices. Agencies segregate the parts of their networks that are publicly accessible by placing these components in subnetworks with separate physical interfaces and preventing public access to their internal networks. Unnecessary connectivity to an agency's network increases not only the number of access paths that must be managed and the complexity of the task, but the risk of unauthorized access in a shared environment. In addition to deploying a series of security technologies at multiple layers, deploying diverse technologies at different layers helps to mitigate the risk of successful cyber attacks. For example, multiple firewalls can be deployed to prevent both outsiders and trusted insiders from gaining unauthorized access to systems, and intrusion detection technologies can be deployed to defend against attacks from the Internet. Agencies continue to demonstrate vulnerabilities in establishing appropriate boundary protections. For example, two agencies that we assessed did not adequately secure channels to connect remote users, increasing the risk that attackers will use these channels to gain access to restricted network resources. One of these agencies also did not have adequate intrusion detection capabilities, while the other allowed users of one network to connect to another, higher-security network. Such weaknesses in boundary protections impair an agency's ability to deflect and detect attacks quickly and protect sensitive information and networks. User Identification and Authentication: A computer system must be able to identify and authenticate different users so that activities on the system can be linked to specific individuals. When an organization assigns unique user accounts to specific users, the system is able to distinguish one user from another--a process called identification. The system also must establish the validity of a user's claimed identity by requesting some kind of information, such as a password, that is known only by the user--a process known as authentication. Agencies did not always adequately control user accounts and passwords to ensure that only valid users could access systems and information. In our 2007 FISMA report,[Footnote 14] we noted several weaknesses in agencies' identification and authentication procedures. Agencies continue to experience similar weaknesses in fiscal years 2008 and 2009. For example, certain agencies did not adequately enforce strong password settings, increasing the likelihood that accounts could be compromised and used by unauthorized individuals to gain access to sensitive information. In other instances, agencies did not enforce periodic changing of passwords or use of one-time passwords or passcodes, and transmitted or stored passwords in clear text. Poor password management increases the risk that unauthorized users could guess or read valid passwords to devices and use the compromised devices for an indefinite period of time. Authorization: Authorization is the process of granting or denying access rights and permissions to a protected resource, such as a network, a system, an application, a function, or a file. A key component of granting or denying access rights is the concept of least privilege, which is a basic principle for securing computer resources and information and means that users are granted only those access rights and permissions that they need to perform their official duties. To restrict legitimate users' access to only those programs and files that they need to do their work, agencies establish access rights and permissions. "User rights" are allowable actions that can be assigned to users or to groups of users. File and directory permissions are rules that regulate which users can access a particular file or directory and the extent of that access. To avoid unintentionally authorizing users access to sensitive files and directories, an agency must give careful consideration to its assignment of rights and permissions. Agencies continued to grant rights and permissions that allowed more access than users needed to perform their jobs. Inspectors general at 12 agencies reported instances where users had been granted excessive privileges. In our reviews, we also noted vulnerabilities in this area. For example, at one agency, users could inappropriately escalate their access privileges to run commands on a powerful system account, many had unnecessary and inappropriate access to databases, and other accounts allowed excessive privileges and permissions. Another agency allowed (on financial applications) generic, shared accounts that included the ability to create, delete, and modify users' accounts. Approximately 1,100 users at yet another agency had access to mainframe system management utilities, although such access was not necessarily required to perform their jobs. These utilities provided access to all files stored on disk; all programs running on the system, including the outputs; and the ability to alter hardware configurations supporting the production environment. We uncovered one agency that had provided a contractor with system access that was beyond what was needed, making the agency vulnerable to incidents on the contractor's network. Another agency gave all users of an application full access to the application's source code although their responsibilities did not require this level of privilege. Such weaknesses in authorization place agencies at increased risk of inappropriate access to data and sensitive system programs, as well as to the consequent disruption of services. Cryptography: Cryptography[Footnote 15] underlies many of the mechanisms used to enforce the confidentiality and integrity of critical and sensitive information. A basic element of cryptography is encryption. Encryption can be used to provide basic data confidentiality and integrity by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm. The National Security Agency recommends disabling protocols that do not encrypt information transmitted across the network, such as user identification and password combinations. Agencies did not always encrypt sensitive information on their systems or traversing the network. In our reviews of agencies' information security, we found that agencies did not always encrypt sensitive information. For example, five agencies that we reviewed did not effectively use cryptographic controls to protect sensitive resources. Specifically, one agency allowed unencrypted protocols to be used on its network devices. Another agency did not require encrypted passwords for network logins, while another did not consistently provide approved, secure transmission of data over its network. These weaknesses could allow an attacker, or malicious user, to view information and use that knowledge to obtain sensitive financial and system data being transmitted over the network. Auditing and Monitoring: To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Agencies accomplish this by implementing system or security software that provides an audit trail, or logs of system activity, that they can use to determine the source of a transaction or attempted transaction and to monitor users' activities. The way in which agencies configure system or security software determines the nature and extent of the information that can be provided by the audit trail. To be effective, agencies should configure their software to collect and maintain audit trails that are sufficient to track security- relevant events. Agencies did not sufficiently log and monitor key security-and audit- related events on their network. For example, agencies did not monitor critical portions of their networks for intrusions; record successful, unauthorized access attempts; log certain changes to data on a mainframe (which increases the risk of compromised security controls or disrupted operations); and capture all authentication methods and logins to a network by foreign nationals. Similarly, 14 agencies did not always have adequate auditing and monitoring capabilities. For example, one agency did not conduct a baseline assessment of an important network. This baseline determines a typical state or pattern of network activity. Without this information, the agency could have difficulty detecting and investigating anomalous activity to ascertain whether or not an attack was under way. Another agency did not perform source code scanning or have a process for manual source code reviews, which increases the risk that vulnerabilities would not be detected. As a result, unauthorized access could go undetected, and if a system is modified or disrupted, the ability to trace or recreate events could be impeded. Physical Security: Physical security controls help protect computer facilities and resources from espionage, sabotage, damage, and theft. These controls restrict physical access to sensitive computing and communications resources, usually by limiting access to the buildings and rooms in which the resources are housed. Examples of physical security controls include perimeter fencing, surveillance cameras, security guards, locks, and procedures for granting or denying individuals physical access to computing resources. Physical controls also include environmental controls such as smoke detectors, fire alarms, extinguishers, and uninterruptible power supplies. Considerations for perimeter security also include controlling vehicular and pedestrian traffic. In addition, visitors' access to sensitive areas must be managed appropriately. Our analysis of inspector general, GAO, and agency reports has shown that nine agencies did not sufficiently restrict physical access to sensitive computing and communication resources. The physical security measures employed by these agencies often did not comply with their own requirements or with federal standards. Access to facilities containing sensitive equipment and information was not always adequately restricted. For example, at one agency with buildings housing classified networks, cars were not stopped and inspected; a sign indicated the building's purpose; fencing was scalable; and access to buildings containing computer network equipment was not controlled by electronic or other means. Agencies did not adequately manage visitors, in one instance, placing network jacks in an area where unescorted individuals could use them to obtain electronic access to restricted computing resources, and in another failing to properly identify and control visitors at a facility containing sensitive equipment. Agencies did not always remove employees' physical access authorizations to sensitive areas in a timely manner when they departed or their work no longer required such access. Environmental controls at one agency did not meet federal guidelines, with fire suppression capabilities, emergency lighting, and backup power all needing improvements. Such weaknesses in physical access controls increase the risk that sensitive computing resources will inadvertently or deliberately be misused, damaged, or destroyed. Configuration Management Controls Were Not Always Implemented: Configuration management controls ensure that only authorized and fully tested software is placed in operation. These controls, which also limit and monitor access to powerful programs and sensitive files associated with computer operations, are important in providing reasonable assurance that access controls are not compromised and that the system will not be impaired. These policies, procedures, and techniques help ensure that all programs and program modifications are properly authorized, tested, and approved. Further, patch management is an important element in mitigating the risks associated with software vulnerabilities. Up-to-date patch installation could help mitigate vulnerabilities associated with flaws in software code that could be exploited to cause significant damage--including the loss of control of entire systems--thereby enabling malicious individuals to read, modify, or delete sensitive information or disrupt operations. Twenty-one agencies demonstrated weaknesses in configuration management controls. For instance, several agencies did not implement common secure configuration policies across their systems, increasing the risk of avoidable security vulnerabilities. In addition, agencies did not effectively ensure that system software changes had been properly authorized, documented, and tested, which increases the risk that unapproved changes could occur without detection and that such changes could disrupt a system's operations or compromise its integrity. Agencies did not always monitor system configurations to prevent extraneous services and other vulnerabilities from remaining undetected and jeopardizing operations. At least six agencies did not consistently update software on a timely basis to protect against known vulnerabilities or did not fully test patches before applying them. Without a consistent approach to updating, patching, and testing software, agencies are at increased risk of exposing critical and sensitive data to unauthorized and possibly undetected access. Segregation of Duties Was Not Appropriately Enforced: Segregation of duties refers to the policies, procedures, and organizational structure that helps ensure that one individual cannot independently control all key aspects of a process or computer-related operation and thereby conduct unauthorized actions or gain unauthorized access to assets or records. Proper segregation of duties is achieved by dividing responsibilities among two or more individuals or groups. Dividing duties among individuals or groups diminishes the likelihood that errors and wrongful acts will go undetected because the activities of one individual or group will serve as a check on the activities of the other. At least 14 agencies did not appropriately segregate information technology duties. These agencies generally did not assign employee duties and responsibilities in a manner that segregated incompatible functions among individuals or groups of individuals. For instance, at one agency, an individual who enters an applicant's data into a financial system also had the ability to hire the applicant. At another agency, 76 system users had the ability to create and approve purchase orders. Without adequate segregation of duties, there is an increased risk that erroneous or fraudulent actions can occur, improper program changes can be implemented, and computer resources can be damaged or destroyed. Continuity of Operations Plans Have Shortcomings: An agency must take steps to ensure that it is adequately prepared to cope with the loss of operational capabilities due to an act of nature, fire, accident, sabotage, or any other disruption. An essential element in preparing for such a catastrophe is an up-to-date, detailed, and fully tested continuity of operations plan. Such a plan should cover all key computer operations and should include planning to ensure that critical information systems, operations, and data such as financial processing and related records can be properly restored if an emergency or a disaster occurs. To ensure that the plan is complete and fully understood by all key staff, it should be tested--including unannounced tests--and test plans and results documented to provide a basis for improvement. If continuity of operations controls are inadequate, even relatively minor interruptions could result in lost or incorrectly processed data, which could cause financial losses, expensive recovery efforts, and inaccurate or incomplete mission-critical information. Although agencies have reported increases in the number of systems for which contingency plans have been tested, at least 17 agencies had shortcomings in their continuity of operations plans. For example, one agency's disaster recovery planning had not been completed. Specifically, disaster recovery plans for three components of the agency were in draft form and had not been tested. Another agency did not include a business impact analysis in the contingency plan control, which would assist in planning for system recovery. In another example, supporting documentation for some of the functional tests at the agency did not adequately support testing results for verifying readability of backup tapes retrieved during the tests. Until agencies complete actions to address these weaknesses, they are at risk of not being able to appropriately recover systems in a timely manner from certain service disruptions. Agencywide Security Programs Were Not Fully Implemented: An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented agencywide information security programs. An agencywide security program, as required by FISMA, provides a framework and continuing cycle of activity for assessing and managing risk, developing and implementing security policies and procedures, promoting security awareness and training, monitoring the adequacy of the entity's computer-related controls through security tests and evaluations, and implementing remedial actions as appropriate. Without a well-designed program, security controls may be inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources. Twenty-three agencies had not fully or effectively implemented agencywide information security programs. Agencies often did not adequately design or effectively implement policies for elements key to an information security program. Weaknesses in agency information security program activities, such as risk assessments, information security policies and procedures, security planning, security training, system testing and evaluation, and remedial action plans are described next. Risk Assessments: In order for agencies to determine what security controls are needed to protect their information resources, they must first identify and assess their information security risks. Moreover, by increasing awareness of risks, these assessments can generate support for policies and controls. Agencies have not fully implemented their risk assessment processes. In addition, 14 major agencies had weaknesses in their risk assessments. Furthermore, they did not always properly assess the impact level of their systems or evaluate potential risks for the systems we reviewed. For example, one agency had not yet finalized and approved its guidance for completing risk assessments. In another example, the agency had not properly categorized the risk to its system, because it had performed a risk assessment without an inventory of interconnections to other systems. Similarly, another agency had not completed risk assessments for its critical systems and had not assigned impact levels. In another instance, an agency had current risk assessments that documented residual risk assessed and potential threats, and recommended corrective actions for reducing or eliminating the vulnerabilities they had identified. However, that agency had not identified many of the vulnerabilities we found and had not subsequently assessed the risks associated with them. As a result of these weaknesses, agencies may be implementing inadequate or inappropriate security controls that do not address the systems' true risk, and potential risks to these systems may not be known. Policies and Procedures: According to FISMA, each federal agency's information security program must include policies and procedures that are based on risk assessments that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each agency's information system. The term 'security policy' refers to specific security rules set up by the senior management of an agency to create a computer security program, establish its goals, and assign responsibilities. Because policy is written at a broad level, agencies also develop standards, guidelines, and procedures that offer managers, users, and others a clear approach to implementing policy and meeting organizational goals. Thirteen agencies had weaknesses in their information security policies and procedures. For example, one agency did not have updated policies and procedures for configuring operating systems to ensure they provide the necessary detail for controlling and logging changes. Another agency had not established adequate policies or procedures to implement and maintain an effective departmentwide information security program or to address key OMB privacy requirements. Agencies also exhibited weaknesses in policies concerning security requirements for laptops, user access privileges, security incidents, certification and accreditation, and physical security. As a result, agencies have reduced assurance that their systems and the information they contain are sufficiently protected. Without policies and procedures that are based on risk assessments, agencies may not be able to cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each agency's information system. Security Plans: FISMA requires each federal agency to develop plans for providing adequate information security for networks, facilities, and systems or groups of systems. According to NIST 800-18, system security planning is an important activity that supports the system development life cycle and should be updated as system events trigger the need for revision in order to accurately reflect the most current state of the system. The system security plan provides a summary of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. NIST guidance also indicates that all security plans should be reviewed and updated, if appropriate, at least annually. Further, appendix III of OMB Circular A-130 requires security plans to include controls for, among other things, contingency planning and system interconnections. System security plans were incomplete or out of date at several agencies. For example, one agency had an incomplete security plan for a key application. Another agency had only developed a system security plan that covered two of the six facilities we reviewed, and the plan was incomplete and not up-to-date. At another agency, 52 of the 57 interconnection security agreements listed in the security plan were not current since they had not been updated within 3 years. Without adequate security plans in place, agencies cannot be sure that they have the appropriate controls in place to protect key systems and critical information. Specialized Training: Users of information resources can be one of the weakest links in an agency's ability to secure its systems and networks. Therefore, an important component of an agency's information security program is providing the required training so that users understand system security risks and their own role in implementing related policies and controls to mitigate those risks. Several agencies had not ensured that all information security employees and contractors, including those who have significant information security responsibilities, had received sufficient training. For example, users of one agency's IT systems had not been trained to check for continued functioning of their encryption software after installation. At another agency, officials stated that several of its components had difficulty in identifying and tracking all employees who have significant IT security responsibilities and thus were unable to ensure that they received the specialized training necessary to effectively perform their responsibilities. Without adequate training, users may not understand system security risks and their own role in implementing related policies and controls to mitigate those risks. System Tests and Evaluations: Another key element of an information security program is testing and evaluating system controls to ensure that they are appropriate, effective, and comply with policies. FISMA requires that agencies test and evaluate the information security controls of their major systems and that the frequency of such tests be based on risk, but occur no less than annually. NIST requires agencies to ensure that the appropriate officials are assigned roles and responsibilities for testing and evaluating controls over their systems. Agencies did not always implement policies and procedures for performing periodic testing and evaluation of their information security controls. For example, one agency had not adequately tested security controls. Specifically, the tests of a major application and the mainframe did not identify or discuss the vulnerabilities that we had identified during our audit. The same agency's testing did not reveal problems with the mainframe that could allow unauthorized users to read, copy, change, delete, and modify data. In addition, although testing requirements were stated in test documentation, the breadth and depth of the test, as well as the results of the test, had not always been documented. Also, agencies reported inconsistent testing of security controls among components. Without conducting the appropriate tests and evaluations, agencies have limited assurance that policies and controls are appropriate and working as intended. Additionally, there is an increased risk that undetected vulnerabilities could be exploited to allow unauthorized access to sensitive information. Remedial Action Processes and Plans: FISMA requires that agencies' information security programs include a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency. Since our 2007 FISMA report, we have continued to find weaknesses in agencies' plans and processes for remedial actions. Agencies indicated that they had corrected or mitigated weaknesses; however, our work revealed that those weaknesses still existed. In addition, the inspectors general at 14 of the 24 agencies reported weaknesses in the plans to document remedial actions. For example, at several agencies, the inspector general reported that weaknesses had been identified but not documented in the remediation plans. Inspectors general further reported that agency plans did not include all relevant information in accordance with OMB instructions. We also found that deficiencies had not been corrected in a timely manner. Without a mature process and effective remediation plans, the risk increases that vulnerabilities in agencies' systems will not be mitigated in an effective and timely manner. Until agencies effectively and fully implement agencywide information security programs, federal data and systems will not be adequately safeguarded to prevent disruption, unauthorized use, disclosure, and modification. Further, until agencies implement our recommendations to correct specific information security control weaknesses, their systems and information will remain at increased risk of attack or compromise. Opportunities Exist for Bolstering Federal Information Security: In prior reports,[Footnote 16] we and inspectors general have made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls. For example, we recommended that agencies correct specific information security deficiencies related to user identification and authentication, authorization, boundary protections, cryptography, audit and monitoring, physical security, configuration management, segregation of duties, and continuity of operations planning. We have also recommended that agencies fully implement comprehensive, agencywide information security programs by correcting weaknesses in risk assessments, information security policies and procedures, security planning, security training, system tests and evaluations, and remedial actions. The effective implementation of these recommendations will strengthen the security posture at these agencies. Agencies have implemented or are in the process of implementing many of our recommendations. In March 2009, we reported on 12 key improvements suggested by a panel of experts as being essential to improving our national cyber security posture (see appendix III).[Footnote 17] The expert panel included former federal officials, academics, and private-sector executives. Their suggested improvements are intended to address many of the information security vulnerabilities facing both private and public organizations, including federal agencies. Among these improvements are recommendations to develop a national strategy that clearly articulates strategic objectives, goals, and priorities and to establish a governance structure for strategy implementation. Due to increasing cyber security threats, the federal government has initiated several efforts to protect federal information and information systems. Recognizing the need for common solutions to improving security, the White House, OMB, and federal agencies have launched or continued several governmentwide initiatives that are intended to enhance information security at federal agencies. These key initiatives are discussed here. * 60-day cyber review: The National Security Council and Homeland Security Council recently completed a 60-day interagency review intended to develop a strategic framework to ensure that federal cyber security initiatives are appropriately integrated, resourced, and coordinated with Congress and the private sector. The resulting report recommended, among other things, appointing an official in the White House to coordinate the nation's cybersecurity policies and activities, creating a new national cybersecurity strategy, and developing a framework for cyber research and development.[Footnote 18] * Comprehensive National Cybersecurity Initiative: In January 2008, President Bush began to implement a series of initiatives aimed primarily at improving the Department of Homeland Security and other federal agencies' efforts to protect against intrusion attempts and anticipate future threats.[Footnote 19] While these initiatives have not been made public, the Director of National Intelligence stated that they include defensive, offensive, research and development, and counterintelligence efforts, as well as a project to improve public/ private partnerships.[Footnote 20] * The Information Systems Security Line of Business: The goal of this initiative, led by OMB, is to improve the level of information systems security across government agencies and reduce costs by sharing common processes and functions for managing information systems security. Several agencies have been designated as service providers for IT security awareness training and FISMA reporting. * Federal Desktop Core Configuration: For this initiative, OMB directed agencies that have Windows XP deployed and plan to upgrade to Windows Vista operating systems to adopt the security configurations developed by the National Institute of Standards and Technology, Department of Defense, and Department of Homeland Security. The goal of this initiative is to improve information security and reduce overall IT operating costs. * SmartBUY: This program, led by the General Services Administration, is to support enterprise-level software management through the aggregate buying of commercial software governmentwide in an effort to achieve cost savings through volume discounts. The SmartBUY initiative was expanded to include commercial off-the-shelf encryption software and to permit all federal agencies to participate in the program. The initiative is to also include licenses for information assurance. * Trusted Internet Connections Initiative: This effort, directed by OMB and led by the Department of Homeland Security, is designed to optimize individual agency network services into a common solution for the federal government. The initiative is to facilitate the reduction of external connections, including Internet points of presence, to a target of 50. We currently have ongoing work that addresses the status, planning, and implementation efforts of several of these initiatives. Agencies Continue to Report Progress in Implementing Requirements: Federal agencies reported increased compliance in implementing key information security control activities for fiscal year 2008; however, inspectors general at several agencies noted shortcomings with agencies' implementation of information security requirements. OMB also reported that agencies' were increasingly performing key activities. Specifically, agencies reported increases in the number and percentage of systems that had been certified and accredited,[Footnote 21] the number and percentage of employees and contractors receiving security awareness training, and the number and percentage of systems with tested contingency plans. However, the number and percentage of systems that had been tested and evaluated at least annually decreased slightly and the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly (see figure 6). Consistent with previous years, inspectors general continued to identify weaknesses with the processes and practices agencies have in place to implement FISMA requirements. Although OMB took steps to clarify its reporting instructions to agencies for preparing fiscal year 2008 reports, the instructions did not request inspectors general to report on agencies' effectiveness of key activities and did not always provide clear guidance to inspectors general. Figure 6: Reported Data for Selected Performance Metrics for 24 Major Agencies: [Refer to PDF for image: multiple vertical bar graph] Metric: Security awareness training; Fiscal year 2005: 81%; Fiscal year 2006: 91%; Fiscal year 2007: 84%; Fiscal year 2008: 89%. Metric: Specialized security training; Fiscal year 2005: 82%; Fiscal year 2006: 86%; Fiscal year 2007: 90%; Fiscal year 2008: 76%. Metric: Periodic testing and evaluation; Fiscal year 2005: 73%; Fiscal year 2006: 88%; Fiscal year 2007: 95%; Fiscal year 2008: 93%. Metric: Tested contingency plans; Fiscal year 2005: 61%; Fiscal year 2006: 77%; Fiscal year 2007: 86%; Fiscal year 2008: 91%. Metric: Agencies with 96-100 percent complete inventories; Fiscal year 2005: 54%; Fiscal year 2006: 75%; Fiscal year 2007: 79%; Fiscal year 2008: 88%. Metric: Certification and Accreditation; Fiscal year 2005: 85%; Fiscal year 2006: 88%; Fiscal year 2007: 92%; Fiscal year 2008: 96%. Source: GAO analysis of IG and agency data. [End of figure] Agencies Report Mixed Progress in Implementing Security Awareness and Specialized Training: Federal agencies rely on their employees to protect the confidentiality, integrity, and availability of the information in their systems. It is critical for system users to understand their security roles and responsibilities and to be adequately trained to perform them. FISMA requires agencies to provide security awareness training to personnel, including contractors and other users of information systems that support agency operations and assets. This training should explain information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks. In addition, agencies are required to provide appropriate training on information security to personnel who have significant security responsibilities. Agencies reported a slight increase in the percentage of employees and contractors who received security awareness training. According to agency reports, 89 percent of total employees and contractors had received security awareness training in 2008 compared to 84 percent of employees and contractors in 2007. While this change marks an improvement between fiscal years 2007 and 2008, the percentage of employees and contractors receiving security awareness training is still below the 91 percent reported for 2006. In addition, seven inspectors general reported disagreement with the percentage of employees and contractors receiving security awareness training reported by their agencies. Additionally, several inspectors general reported specific weaknesses related to security awareness training at their agencies; for example, one inspector general reported that the agency lacked the ability to document and track which system users had received awareness training, while another inspector general reported that training did not cover the recommended topics. Governmentwide, agencies reported a lower percentage of employees who had significant security responsibilities who had received specialized training. In fiscal year 2008, 76 percent of these employees had received specialized training compared with 90 percent of these employees in fiscal year 2007. Although the governmentwide percentage decreased, the majority of the 24 agencies reported increasing or unchanging percentages of employees receiving specialized training; 8 of the 24 agencies reported percentage decreases (see figure 7). [See PDF for image] [End of figure] Figure 7: Specialized Training for 24 Major Agencies: [Refer to PDF for image: vertical bar graph] Increased: 12 agencies; No change: 4 agencies; Decreased: 8 agencies. Source: GAO analysis of agency data. [End of figure] At least 12 inspectors general reported weaknesses related to specialized security training. One of the inspectors general reported that some groups did not have a training program for personnel who have critical IT responsibilities and another inspector general reported that the agency was unable to effectively track contractors who needed specialized training. Decreases in the number of individuals receiving specialized training at some federal agencies combined with continuing deficiencies in training programs could limit the ability of agencies to implement security measures effectively. Providing for the confidentiality, integrity, and availability of information in today's highly networked environment is not an easy or trivial task. The task is made that much more difficult if each person who owns, uses, relies on, or manages information and information systems does not know or is not properly trained to carry out his or her specific responsibilities. Weaknesses Reported in Testing and Evaluating System Security Controls: Periodically evaluating the effectiveness of security policies and controls and acting to address any identified weaknesses are fundamental activities that allow an agency to manage its information security risks proactively, rather than reacting to individual problems ad hoc after a violation has been detected or an audit finding has been reported. Management control testing and evaluation as part of a program review is an additional source of information that can be considered along with controls testing and evaluation in inspector general and other independent audits to help provide a more complete picture of an agency's security posture. FISMA requires that federal agencies periodically test and evaluate the effectiveness of their information security policies, procedures, and practices as part of implementing an agencywide security program. This testing is to be performed with a frequency depending on risk, but no less than annually, and consists of testing management, and operational and technical controls for every system identified in the agency's required inventory of major information systems. For the annual FISMA reports, OMB requires that agencies identify the number of agency and contractor systems for which security controls have been tested. In 2008, federal agencies reported testing and reviewing security controls for 93 percent of their systems, a slight decline from 95 percent in 2007. Despite this percentage remaining above 90 percent, inspectors general continued to identify deficiencies in agencies' testing and evaluation of security controls for their systems. For example, one agency's inspector general reported that systems owners only reviewed documents to assess security controls and did not use other assessment methods as suggested by NIST guidance, such as selecting samples for testing and interviewing responsible parties. Another inspector general identified instances where the agency did not document the test results in the system's security test and evaluation report. In addition, two inspectors general reported that their agencies had not always tested the controls for their systems at least annually. As a result, agencies may not have reasonable assurance that controls have been implemented correctly, are operating as intended, and are producing the desired outcome with respect to meeting the security requirements of the agency. Agencies Reported Testing More Contingency Plans, but Inspectors General often Cited Weaknesses: Continuity of operations planning ensures that agencies will be able to perform essential functions during any emergency or situation that disrupts normal operations. It is important that these plans be clearly documented, communicated to potentially affected staff, and updated to reflect current operations. In addition, testing contingency plans is essential to determining whether the plans will function as intended in an emergency situation. FISMA requires that agencywide information security programs include plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. To show the status of implementing contingency plans testing, OMB requires that agencies report the percentage of systems that have contingency plans tested in accordance with policy and guidance and requests that inspectors general also report this percentage for the subset of systems the inspector general selected for review. Federal agencies reported that 91 percent of their systems had contingency plans that had been tested, an increase from 86 percent tested in fiscal year 2007. In addition, agencies reported progress in the number of high-risk systems with tested contingency plans; 90 percent of these systems had tested contingency plans, an increase from 77 percent in fiscal year 2007. Agencies also reported 92 percent of moderate-risk systems, 90 percent of low-risk systems, and 96 percent of uncategorized systems with tested contingency plans. While agencies reported higher percentages of tested contingency plans, 14 inspectors general reported weaknesses in their agencies' contingency planning development and testing. For example, the inspector general of one agency reported that contingency plans were missing required elements. Regarding the testing of contingency plans, another inspector general reported that the agency had not ensured that the contractor had tested contingency plans or periodically conducted quality testing. At another agency, the inspector general reported that the agency had not performed a full, comprehensive disaster recovery test to ensure that essential and critical systems and applications could be recovered. Without developing contingency plans and ensuring that they are tested, an agency increases its risk that it will not be able to effectively recover and continue operations when an emergency occurs. Agencies Reported More Systems, but Deficiencies Were Identified in Inventory Processes: In fiscal year 2008, 24 major agencies reported a total of 10,587 systems, composed of 8,685 agency and 1,902 contractor systems as shown by impact level in table 1. This represents a slight increase in the total number of systems from fiscal year 2007. Specifically, the number of agency systems decreased slightly and the number of contractor systems increased by 40 percent. Table 1: Total Number of Agency and Contractor Systems in FY 2007 and FY 2008 by Impact Level: Impact level: High; Agency: FY07: 1,089; Agency: FY08: 1,043; Contractor: FY07: 121; Contractor: FY08: 113; Total: FY07: 1,210; Total: FY08: 1,156. Impact level: Moderate; Agency: FY07: 3,264; Agency: FY08: 3,556; Contractor: FY07: 513; Contractor: FY08: 535; Total: FY07: 3,777; Total: FY08: 4,091. Impact level: Low; Agency: FY07: 4,351; Agency: FY08: 3,943; Contractor: FY07: 334; Contractor: FY08: 738; Total: FY07: 4,685; Total: FY08: 4,681. Impact level: Not categorized; Agency: FY07: 229; Agency: FY08: 143; Contractor: FY07: 384; Contractor: FY08: 516; Total: FY07: 613; Total: FY08: 659. Impact level: Total; Agency: FY07: 8,933; Agency: FY08: 8,685; Contractor: FY07: 1,352; Contractor: FY08: 1,902; Total: FY07: 10,285; Total: FY08: 10,587. Source: GAO analysis of agency FY 2007 and FY 2008 FISMA reports. [End of table] Eleven inspectors general identified weaknesses in their agencies' inventory process. For example, one inspector general agreed that its agency's inventory accurately captured the number of active systems, but indicated the inventory had also included systems in development, which were not labeled as such and therefore could not be labeled and inventoried accurately. Another inspector general reported that its agency had not verified the inventory information reported by its components, but had instead relied on an honor system of reporting. Other weaknesses included contractor systems not listed in the inventory or an agency not having interfaces to other systems identified in its inventory. Without complete, accurate inventories, agencies cannot efficiently maintain and secure their systems. Agencies Reported Higher Percentages, but Inspectors General Highlight Weaknesses in the Quality of Certifications and Accreditations: OMB has continued to emphasize its long-standing policy of requiring a management official to formally authorize (accredit) an information system to process information and accept the risk associated with its operation based on a formal evaluation (certification) of the system's security controls. For the annual FISMA reports, OMB requires agencies to identify the number of systems and impact levels authorized for processing after completing certification and accreditation. OMB requests that inspectors general also report this percentage for the subset of systems reviewed. In addition, OMB asks the inspectors general to rate the quality of the agency's certification and accreditation process on a scale of failing to excellent. Inspectors general may also indicate which aspects of the certification and accreditation process have been considered in determining that rating, such as the security plan, system impact level, system test and evaluation, security control testing, incident handling, security awareness training, configurations/patching, and other items. OMB's annual reporting template also allows the inspectors general to comment on their agencies' certification and accreditation processes. Federal agencies reported higher percentages of systems that have been certified and accredited than in 2007. For fiscal year 2008, 96 percent of the agencies' systems were reported as being certified and accredited, as compared with 92 percent in 2007. In addition, agencies reported certifying and accrediting 98 percent of their high-risk systems, an increase from 95 percent in 2007. Although agencies continue to report higher percentages of certified and accredited systems, inspectors general continue to report mixed results in the quality of the certification and accreditation processes at their agencies. To illustrate, 17 inspectors general reported specific weaknesses in their agency's certification and accreditation processes. For example, two inspectors general rated their agencies' certification and accreditation process as poor or failing, while both of those agencies reported that more than 90 percent of their systems had been certified and accredited. In another example, the inspector general of one agency stated that systems had been authorized to operate without sufficient testing of the adequacy of mandatory security controls. Inspectors general also cited other weaknesses, such as the security plan not providing an adequate basis for certification and accreditation and the risk assessment not identifying risks for vulnerabilities exposed by previous testing. Without ensuring the complete certification and accreditation of a system, agency officials may not have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. Agencies Report Having Configuration Management Policies, but Did Not Always Implement Them: Risk-based policies and procedures cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system in an information security program; a key aspect of these policies and procedures is having minimally acceptable configuration standards. Configuration standards can minimize the security risks associated with specific software applications widely used in an agency or across agencies. Because IT products are often intended for a wide variety of audiences, restrictive security controls are usually not enabled by default, making many of the products vulnerable before they are used. FISMA requires each agency to have policies and procedures that ensure compliance with minimally acceptable system configuration requirements, as determined by the agency. In fiscal year 2008, for the first time, OMB required agencies to report on whether they had implemented security configurations prescribed under OMB's memorandum for Windows Vista and XP operating systems.[Footnote 22] For annual FISMA reporting, OMB requires agencies to report whether they have an agencywide security configuration policy; the extent to which they have implemented common security configurations, including those available from the NIST Web site, on applicable systems; and whether or not they have adopted and implemented Windows XP and Vista standard configurations, documented deviations, and implemented the settings. OMB also requested inspectors general to report on their agencies' implementation of these configurations. Reporting by agencies and inspectors general illustrates that, while many agencies had configuration policies, those policies had not always been implemented. All 24 major federal agencies reported that they had an agencywide security configuration policy. Even though 22 inspectors general agreed that their agency had such a policy, they did not agree that the implementation was always as high as the agencies had reported. For example, 12 agencies reported implementing common security configurations 96 to 100 percent of the time, but only 6 inspectors general reported this. In another example, only one agency reported implementing common security configurations 0 to 50 percent of the time, while seven inspectors general reported this level of implementation for their agencies. In addition, only seven agencies and six inspectors general reported that the agency had implemented standard security settings. If minimally acceptable configuration requirements policies are not properly implemented and applied to systems, agencies will not have assurance that products have been configured adequately to protect those systems, which could make them more vulnerable. Most Agencies Reported Following Security Incident Procedures, but Weaknesses in Procedures Continue at Selected Agencies: Although strong controls may not block all intrusions and misuse, agencies can reduce the risks associated with such events if they take steps to detect and respond to them before significant damage occurs. Accounting for and analyzing security problems and incidents are also effective ways for an agency to improve its understanding of threats and the potential costs of security incidents, and doing so can pinpoint vulnerabilities that need to be addressed so that they are not exploited again. FISMA requires that agencies' security programs include procedures for detecting, reporting, and responding to security incidents. NIST states that agencies are responsible for determining specific ways to meet these requirements. For FISMA reporting, OMB requires agencies to state whether or not the agency follows documented policies and procedures for reporting incidents internally, to the US-Computer Emergency Readiness Team (US-CERT), and to law enforcement. OMB also requires agencies to indicate additional information about their incident detection and monitoring capabilities, including what tools and technologies the agency uses for incident detection. For FISMA reporting, inspectors general are also requested to state whether or not their agencies follow documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. All of the agencies reported that they had followed policies and procedures for reporting incidents internally and to law enforcement during fiscal year 2008, and only one agency reported that it had not followed documented policies and procedures for reporting incidents to US-CERT. While the majority of inspectors general continue to report that their agencies are following documented procedures for identifying and reporting incidents internally as well as to US-CERT and to law enforcement, there was a slight increase in the number of inspectors general who reported that their agencies were not following these procedures. Six inspectors general noted that their agency was not following procedures for internal incident reporting compared to five in fiscal year 2007. Four inspectors general noted that their agency was not following reporting procedures to US-CERT compared to two in 2007, and two noted that their agency was not following reporting procedures to law enforcement compared to one in 2007. At least 12 inspectors general also noted specific weaknesses in incident procedures such as a lack of fully documented policies and procedures for responding to security incidents, a lack of control procedures to ensure that audit trails were being maintained and reviewed, and instances where incidents were not always handled and reported in accordance with requirements. An incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. Without proper incident response and documentation, agencies risk losing valuable information needed to prevent future exploits and to understand the nature and cost of the threats directed at them. Agencies Report Improvements in Remedial Actions, but Processes Could Be Strengthened: Developing remedial action plans is key to ensuring that remedial actions are taken to address significant deficiencies and reduce or eliminate known vulnerabilities. These plans should list the weaknesses and show the estimated resource needs and the status of corrective actions. The plans are intended to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. FISMA requires that agency information security programs include a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in information security policies, procedures, and practices. In addition, OMB requires agencies to report quarterly regarding their remediation efforts for all programs and systems where a security weakness has been identified. It also requests that inspectors general assess and report annually on whether their agency has developed, implemented, and managed an agencywide process for these plans. Inspectors general reported an increase in the number of agencies that had developed and implemented plans of action and milestones (POA&M) when weaknesses were identified. For 2008, 13 inspectors general reported that their agency had developed POA&Ms 96 to 100 percent of the time when weaknesses were identified; up from 11 inspectors general reporting this in 2007. However, many still cited weaknesses with their agency's POA&M process. Several mentioned that their agency did not always include weaknesses or vulnerabilities identified through security controls testing or inspector general reviews in the POA&M. They also reported that their agency did not always properly track weaknesses because the status of individual weaknesses was not always accurate. Without a sound remediation process, agencies cannot be assured that information security weaknesses have been efficiently and effectively corrected. Inspectors General Report Using Professional Standards for Conducting Independent Evaluations More, but Opportunities to Improve Consistency Remain: An increasing number of inspectors general reported conducting annual independent evaluations in accordance with professional standards and provided additional information about the effectiveness of their agency's security programs. FISMA requires agency inspectors general or their independent external auditors to perform an independent evaluation of the information security programs and practices of the agency to determine the effectiveness of the programs and practices. We have previously reported[Footnote 23] that the annual inspector general independent evaluations lacked a common approach and that the scope and methodology of the evaluations varied across agencies. We noted that there was an opportunity to improve these evaluations by conducting them in accordance with audit standards or a common approach and framework. In fiscal year 2008, 16 of 24 inspectors general cited using professional standards to perform the annual FISMA evaluations, up from 8 inspectors general who cited using standards the previous year. Of the 16 inspectors general, 13 reported performing evaluations that were in accordance with generally accepted government auditing standards, while the other 3 indicated using the "Quality Standards for Inspections" issued by the President's Council on Integrity and Efficiency.[Footnote 24] The remaining eight inspectors general cited using internally developed standards or did not indicate whether they had performed their evaluations in accordance with professional standards. In addition, an increasing number of inspectors general provided supplemental information about their agency's information security policies and practices. To illustrate, 21 of 24 inspectors general reported additional information about the effectiveness of their agency's security controls and programs that was above and beyond what was requested in the OMB template, an increase from the 18 who had provided such additional information in their fiscal year 2007 reports. The additional information included descriptions of significant control deficiencies and weaknesses in security processes that provided additional context to the agency's security posture. Although inspectors general reported using professional standards more frequently, their annual independent evaluations occasionally lacked consistency. For example, * Three inspectors general provided only template responses and did not identify the scope and methodology of their evaluation. (These three inspectors general were also among those who had not reported performing their evaluation in accordance with professional standards.) * Descriptions of the controls evaluated during the review as documented in the scope and methodology sections differed. For example, according to their FISMA reports, a number of inspectors general stated that their evaluations included a review of policies and procedures, whereas others did not indicate whether policies and procedures had been reviewed. Additionally, multiple inspectors general also indicated that technical vulnerability assessments had been conducted as part of the review, whereas others did not indicate whether such an assessment had been part of the review. * Eleven inspectors general indicated that their FISMA evaluations considered the results of previous information security reviews, whereas 13 inspectors general did not indicate whether they considered other information security work, if any. The development and use of a common framework or adherence to auditing standards could provide improved effectiveness, increased efficiency, quality control, and consistency in inspector general assessments. Opportunities Remain for OMB to Improve Annual Reporting and Oversight of Agency Information Security Programs: Although OMB has supported several governmentwide initiatives and provided additional guidance to help improve information security at agencies, opportunities remain for it to improve its annual reporting and oversight of agency information security programs. FISMA specifies that OMB, among other responsibilities, is to develop policies, principles, standards, and guidelines on information security and report to Congress not later than March 1 of each year on agencies' implementation of FISMA. Each year, OMB provides instructions to federal agencies and their inspectors general for preparing their FISMA reports and then summarizes the information provided by the agencies and the inspectors general in its report to Congress. Over the past 4 years, we have reported[Footnote 25] that, while the periodic reporting of performance measures for FISMA requirements and related analysis provides valuable information on the status and progress of agency efforts to implement effective security management programs, shortcomings in OMB's reporting instructions limited the utility of the annual reports. Accordingly, we recommended that OMB improve reporting by clarifying reporting instructions; develop additional metrics that measure control effectiveness; request inspectors general to assess the quality of additional information security processes such as system test and evaluation, risk categorization, security awareness training, and incident reporting; and require agencies to report on additional key security activities such as patch management. Although OMB has taken some actions to enhance its reporting instructions, it has not implemented most of the recommendations, and thus further actions need to be taken to fully address them. In addition to the previously reported shortcomings, OMB's reporting instructions for fiscal year 2008 did not sufficiently address several processes key to implementing an agencywide security program and were sometimes unclear. For example, the reporting instructions did not request inspectors general to provide information on the quality or effectiveness of agencies' processes for developing and maintaining inventories, providing specialized security training, and monitoring contractors. For these activities, inspectors general were requested to report only on the extent to which agencies had implemented the activity but not on the effectiveness of those activities. Providing information on the effectiveness of the processes used to implement the activities could further enhance the usefulness of the data for management and oversight purposes. OMB's guidance to inspectors general for rating agencies' certification and accreditation processes was not clear. In its reporting instructions, OMB requests inspectors general to rate their agency's certification and accreditation process using the terms "excellent," "good," "satisfactory," "poor," or "failing." However, the reporting instructions do not define or identify criteria for determining the level of performance for each rating. OMB also requests inspectors general to identify the aspect(s) of the certification and accreditation process they included or considered in rating the quality of their agency's process. Examples OMB included were security plan, system impact level, system test and evaluation, security control testing, incident handling, security awareness training, and security configurations (including patch management). While this information is helpful and provides insight on the scope of the rating, inspectors general were not requested to comment on the quality or effectiveness of these items. Additionally, not all inspectors general considered the same aspects in reviewing the certification and accreditation process, yet all were allowed to provide the same rating. Without clear guidelines for rating these processes, OMB and Congress may not have a consistent basis for comparing the progress of an agency over time or against other agencies. In its report to Congress for fiscal year 2008, OMB did not fully summarize the findings from the inspectors general independent evaluations or identify significant deficiencies in agencies' information security practices. FISMA requires OMB to provide a summary of the findings of agencies' independent evaluations and significant deficiencies in agencies' information security practices. Inspectors general often document their findings and significant information security control deficiencies in reports that support their evaluations. However, OMB did not summarize and present this information in its annual report to Congress. Most of the inspectors general information summarized in the annual report was taken from the "yes" or "no" responses or from questions having a predetermined range of percentages as stipulated by OMB's reporting template. Thus, important information about the implementation of agency information security programs and the vulnerabilities and risks associated with federal information systems was not provided to Congress in OMB's annual report. This information could be useful in determining whether agencies are effectively implementing information security policies, procedures, and practices. As a result, Congress may not be fully informed about the state of federal information security. OMB also did not approve or disapprove agencies' information security programs. FISMA requires OMB to review agencies' information security programs at least annually and approve or disapprove them. OMB representatives informed us that they review agencies' FISMA reports and interact with agencies whenever an issue arises that requires their oversight. However, representatives stated that they do not explicitly or publicly declare that an agency's information security program has been approved or disapproved. As a result, a mechanism for establishing accountability and holding agencies accountable for implementing effective programs was not used. Conclusions: Weaknesses in information security controls continue to threaten the confidentiality, integrity, and availability of the sensitive data maintained by federal agencies. These weaknesses, including those for access controls, configuration management, and segregation of duties, leave federal agency systems and information vulnerable to external as well as internal threats. The White House, OMB, and federal agencies have initiated actions intended to enhance information security at federal agencies. However, until agencies fully and effectively implement information security programs and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at an increased and unnecessary risk of attack or compromise. Despite these weaknesses, federal agencies have continued to report progress in implementing key information security requirements. While NIST, inspectors general, and OMB have all made progress toward fulfilling their statutory requirements, the current reporting process does not produce information to accurately gauge the effectiveness of federal information security activities. OMB's annual reporting instructions did not cover key security activities and were not always clear. Finally, OMB did not include key information about findings and significant deficiencies identified by inspectors general in its governmentwide report to Congress and did not approve or disapprove agency information security programs. Shortcomings in reporting and oversight can result in insufficient information being provided to Congress and diminish its ability to monitor and assist federal agencies in improving the state of federal information security. Recommendations for Executive Action: We recommend that the Director of the Office of Management and Budget take the following four actions: * Update annual reporting instructions to request inspectors general to report on the effectiveness of agencies' processes for developing inventories, monitoring contractor operations, and providing specialized security training. * Clarify and enhance reporting instructions to inspectors general for certification and accreditation evaluations by providing them with guidance on the requirements for each rating category. * Include in OMB's report to Congress, a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices. * Approve or disapprove agency information security programs after review. Agency Comments and Our Evaluation: In written comments on a draft of this report, the Federal Chief Information Officer (CIO)[Footnote 26] generally agreed with our overall assessment of information security at the agencies. He also identified actions that OMB is taking to clarify its reporting guidance and to consider more effective security performance metrics. These actions are consistent with the intent of two of our recommendations, that OMB clarify and enhance reporting instructions and request inspectors general to report on additional measures of effectiveness. The Federal CIO did not address our recommendation to include a summary of the findings and significant security deficiencies in its report to Congress and did not concur with GAO's conclusion that OMB does not approve or disapprove agencies' information security management programs on an annual basis. He indicated that OMB reviews all agency and IG FISMA reports annually; reviews quarterly information on the major agencies' security programs; and uses this information, and other reporting, to evaluate agencies security programs. The Federal CIO advised that concerns are communicated directly to the agencies. We acknowledge that these are important oversight activities. However, as we reported, OMB did not demonstrate that it approved or disapproved agency information security programs, as required by FISMA. Consequently, a mechanism for holding agencies accountable for implementing effective programs is not being effectively used. We are sending copies of this report to the Office of Management and Budget and other interested parties. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you have any questions regarding this report, please contact me at (202) 512-6244 or by e-mail at wilshuseng@gao.gov. Contact points for our Office of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix IV. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: In accordance with the Federal Information Security Management Act of 2002 (FISMA) requirement that the Comptroller General report periodically to Congress, our objectives were to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) federal agency implementation of FISMA requirements. To assess the adequacy and effectiveness of agency information security policies and practices, we analyzed our related reports issued from May 2007 through April 2009. We also reviewed and analyzed the information security work and products of agency inspectors general. Further, we reviewed and summarized weaknesses identified in our reports and that of inspectors general using five major categories of information security controls: (1) access controls, (2) configuration management controls, (3) segregation of duties, (4) continuity of operations planning, and (5) agencywide information security programs. Our reports generally used the methodology contained in the Federal Information System Controls Audit Manual.[Footnote 27] We also examined information provided by the U.S. Computer Emergency Readiness Team (US-CERT) on reported security incidents. To assess the implementation of FISMA requirements, we reviewed and analyzed the provisions of the act[Footnote 28] and the mandated annual FISMA reports from the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the CIOs and IGs of 24 major federal agencies for fiscal years 2007 and 2008. We also examined OMB's FISMA reporting instructions and other OMB and NIST guidance. We also held discussions with OMB representatives and agency officials from the National Institute of Standards and Technology and the Department of Homeland Security's US-CERT to further assess the implementation of FISMA requirements. We did not verify the accuracy of the agencies' responses; however, we reviewed supporting documentation that agencies provided to corroborate information provided in their responses. We did not include systems categorized as national security systems in our review, nor did we review the adequacy or effectiveness of the security policies and practices for those systems. We conducted this performance audit from December 2008 to May 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Comments from the Office of Management and Budget: Executive Office Of The President: Office Of Management And Budget: Washington, D.C. 20503: June 23, 2009: Gregory Wilshusen: Director: The Government Accountability Office: 441 G Street, Northwest: Washington, D.C. 20548: Dear Mr. Wilshusen: Thank you for the opportunity to comment on your draft report, "Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses" (GAO-09-546). We agree that agencies have shown progress in compliance with the Federal Information Security Management Act (FISMA) and that they need to continue to work to improve their information security postures. FISMA is the foundation of Federal information security activities, and we appreciate GAO's thoughtful analysis. We also agree that improved consistency in the reporting of the Inspectors General would contribute to a clearer picture of information security in the Federal government. OMB is committed to the vision of a secure Federal government, and we are taking steps to make that vision a reality. We have initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. We are in discussions with both the Information Security and Identity Management Committee of the CIO Council and the Council of Inspectors General on Integrity and Efficiency (CIGIE). Both entities have provided comments and participated in discussions about the forthcoming FY 2009 guidance to agencies. As part of this initiative, OMB has requested that the CIGIE provide definitions for the categories used in the annual reporting guidance or suggest alternatives. In addition to clarifying of the current guidance, OMB is also undertaking a thorough review of the current reporting metrics. While these metrics may have made sense when FISMA was enacted, they are largely focused on compliance and as such are trailing, rather than leading, indicators. Instead, we need metrics that give insight into agencies' security postures and possible vulnerabilities on an on-going basis. To evaluate new metrics, we are taking a collaborative approach. We are working with the community of Federal agency Chief Information Officers and Chief Information Security Officers, as well as the Inspectors General and the National Institute of Standards and Technology, to consider more effective security performance metrics--ones that show current status and are predictive in nature. In addition, we are reaching out to a broad array of organizations, across the public and private sectors and academia. In addition, the current annual reporting process is both manual and cumbersome. Currently, the more than 160 agencies that report under FISMA send in more than 200 spreadsheets. OMB is planning to move FISMA reporting to an internet-enabled database for FY 2009 reporting. This automation will allow the collection of more evaluative metrics, such as performance metrics. While OMB is fully agrees with GAO on the need for agencies to continue to improve their information security and comply with FISMA, we do not concur with GAO's conclusion that OMB does not review and approve or disapprove agencies' information security management programs on an annual basis. OMB reviews all agency and IG FISMA reports annually. For the major agencies, OMB also receives and reviews quarterly information on their security programs. OMB uses this information, and other reporting, to evaluate agencies' security management programs. Concerns are communicated directly to the agencies. Our nation's security and economic prosperity depend on the stability and integrity of Federal communications and information infrastructure. Safeguarding these important interests will require balanced decision- making that integrates and harmonizes our national and economic security objectives with our privacy rights, civil liberties, and open government. As a first step, the President directed a 60-day review of cybersecurity policies and efforts throughout the government. OMB worked closely with other White House offices on this review. The President has accepted the recommendations of the review, including the appointment of a presidential advisor for cybersecurity and the update of the National Plan to Secure Cyberspace. OMB will continue to be involved in and support these efforts. Thank you again for the opportunity to comment on this draft report and to discuss our work on the implementation of FISMA. Sincerely, Signed by: Vivek Kundra: Chief Information Officer: [End of section] Appendix III: Cybersecurity Experts Highlighted Key Improvements for Strengthening the Nation's Cyber Security: In March 2009, we convened a panel of experts to discuss how to improve key aspects of the national cyber security strategy and its implementation as well as other critical aspects of the strategy, including areas for improvement. The experts, who included former federal officials, academics, and private-sector executives, highlighted 12 key improvements that are, in their view, essential to improving the strategy and our national cyber security posture. These improvements are in large part consistent with our previously mentioned reports and extensive research and experience in this area. Table 2: Key Improvements Needed to Strengthen the Nation's Cybersecurity Posture: Cyber security improvement: 1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities; Description: The strategy should, among other things, (1) include well- defined strategic objectives, (2) provide understandable goals for the government and the private sector (end game), (3) articulate cyber priorities among the objectives, (4) provide a vision of what a secure cyber space should be in the future, (5) seek to integrate federal government capabilities, (6) establish metrics to gauge whether progress is being made against the strategy, and (7) provide an effective means for enforcing action and accountability when there are progress shortfalls. According to expert panel members, the CNCI provides a good set of tactical initiatives focused on improving primarily federal cyber security; however, it does not provide strategic objectives, goals, and priorities for the nation as a whole. Cyber security improvement: 2. Establish White House responsibility and accountability for leading and overseeing national cyber security policy; Description: The strategy makes the Department of Homeland Security (DHS) the focal point for cyber security; however, according to expert panel members, DHS has not met expectations and has not provided the high-level leadership needed to raise cyber security to a national focus. Accordingly, panelists stated that to be successful and to send the message to the nation and cyber critical infrastructure owners that cyber security is a priority, this leadership role needs to be elevated to the White House. In addition, to be effective, the office must have, among other things, commensurate authority--for example, over budgets and resources--to implement and employ incentives that will encourage action. Cyber security improvement: 3. Establish a governance structure for strategy implementation; Description: The strategy establishes a public/private partnership governance structure that includes 18 critical infrastructure sectors, corresponding government and sector coordinating councils, and cross- sector councils. However, according to panelists, this structure is government-centric and largely relies on personal relationships to instill trust to share information and take action. In addition, although all sectors are not of equal importance in regard to their cyber assets and functions, the structure treats all sectors and all critical cyber assets and functions equally. To ensure effective strategy implementation, experts stated that the partnership structure should include a committee of senior government representatives (for example, the Departments of Defense, Homeland Security, Justice, State, and the Treasury and the White House) and private-sector leaders representing the most critical cyber assets and functions. Expert panel members also suggested that this committee's responsibilities should include measuring and periodically reporting on progress in achieving the goals, objectives, and strategic priorities established in the national strategy and building consensus to hold involved parties accountable when there are progress shortfalls. Cyber security improvement: 4. Publicize and raise awareness about the seriousness of the cyber security problem; Description: Although the strategy establishes cyberspace security awareness as a priority, experts stated that many national leaders in business and government, including in Congress, who can invest resources to address cyber security problems are generally not aware of the severity of the risks to national and economic security posed by the inadequacy of our nation's cyber security posture and the associated intrusions made more likely by that posture. Expert panel members suggested that an aggressive awareness campaign is needed to raise the level of knowledge of leaders and the general populace that protecting our information and systems from cyber attack is ongoing. Cyber security improvement: 5. Create an accountable, operational cyber security organization; Description: DHS established the National Cyber Security Division (within the Office of Cybersecurity and Communications) to be responsible for leading national day-to-day cyber security efforts; however, according to panelists, this has not enabled DHS to become the national focal point as envisioned. Panel members stated that currently the Department of Defense and other organizations within the intelligence community that have significant resources and capabilities have come to dominate federal efforts. They told us that there also needs to be an independent cyber security organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the nation's international allies to address incidents against the nation's critical cyber systems and functions. However, there was not a consensus among our expert panel members regarding where this organization should reside. Cyber security improvement: 6. Focus more actions on prioritizing assets and functions, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans; Description: The strategy recommends actions to identify critical cyber assets and functions, but panelists stated that efforts to identify which cyber assets and functions are most critical to the nation have been insufficient. According to panel members, inclusion in cyber critical infrastructure protection efforts and lists of critical assets are currently based on the willingness of the person or entity responsible for the asset or function to participate and not on substantiated technical evidence. In addition, the current strategy establishes vulnerability reduction as a key priority; however, according to panelists, efforts to identify and mitigate known vulnerabilities have been insufficient. They stated that greater efforts should be taken to identify and eliminate common vulnerabilities and that there are techniques available that should be used to assess vulnerabilities in the most critical, prioritized cyber assets and functions. Cyber security improvement: 7. Bolster public/private partnerships through an improved value proposition and use of incentives; Description: While the strategy encourages action by owners and operators of critical cyber assets and functions, panel members stated that there are not adequate economic and other incentives (i.e., a value proposition) for greater investment and partnering in cyber security. Accordingly, panelists stated that the federal government should provide valued services (such as offering useful threat or analysis and warning information) or incentives (such as grants or tax reductions) to encourage action by and effective partnerships with the private sector. They also suggested that public and private sector entities use means such as cost-benefit analyses to ensure the efficient use of limited cyber security-related resources. Cyber security improvement: 8. Focus greater attention on addressing the global aspects of cyberspace; Description: The strategy includes recommendations to address the international aspects of cyber space but, according to panelists, the United States is not addressing global issues impacting how cyber space is governed and controlled. They added that, while other nations are actively involved in developing treaties, establishing standards, and pursuing international agreements (such as on privacy), the United States is not aggressively working in a coordinated manner to ensure that international agreements are consistent with U.S. practice and that they address cyber security and cyber crime considerations. Panel members stated that the United States should pursue a more coordinated, aggressive approach so that there is a level playing field globally for U.S. corporations and enhanced cooperation among government agencies, including law enforcement. In addition, a panelist stated that the United States should work towards building consensus on a global cyber strategy. Cyber security improvement: 9. Improve law enforcement efforts to address malicious activities in cyberspace; Description: The strategy calls for improving investigative coordination domestically and internationally and promoting a common agreement among nations on addressing cyber crime. According to one panelist, some improvements in domestic law have been made (e.g., enactment of the PROTECT Our Children Act of 2008), but implementation of this act is a work-in-process due to its recent passage. Panel members also stated that current domestic and international law enforcement efforts, including activities, procedures, methods, and laws are too outdated and outmoded to adequately address the speed, sophistication, and techniques of individuals and groups, such as criminals, terrorists, and others who have malicious intent. Improved law enforcement is essential to more effectively catch and prosecute malicious individuals and groups and, with stricter penalties, deter malicious behavior. Cyber security improvement: 10. Place greater emphasis on cyber security research and development, including consideration of how to better coordinate government and private-sector efforts; Description: While the strategy recommends actions to develop a research and development agenda and coordinate efforts between the government and private sector, experts stated that the United States is not adequately focusing and funding research and development efforts to address cyber security or to develop the next generation of cyber space to include effective security capabilities. In addition, the research and development efforts currently under way are not being well coordinated between government and the private sector. Cyber security improvement: 11. Increase the cadre of cyber security professionals; Description: The strategy includes efforts to increase the number and skills of cyber security professionals but, according to panelists, the results have not created sufficient numbers of professionals, including information security specialists and cyber crime investigators. Expert panel members stated that actions to increase the number of professionals with adequate cyber security skills should include (1) enhancing existing scholarship programs (e.g., Scholarship for Service) and (2) making the cyber security discipline a profession through testing and licensing. Cyber security improvement: 12. Make the federal government a model for cyber security, including using its acquisition function to enhance cyber security aspects of products and services; Description: The strategy establishes securing the government's cyber space as a key priority and advocates using federal acquisition to accomplish this goal. Although the federal government has taken steps to improve the cyber security of agencies (e.g., beginning to implement the CNCI initiatives), panelists stated that it still is not a model for cyber security. Further, they said the federal government has not made changes in its acquisition function and the training of government officials in a manner that effectively improves the cyber security capabilities of products and services purchased and used by federal agencies. Source: GAO. [End of table] [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory C. Wilshusen (202) 512-6244 or wilshuseng@gao.gov: Staff Acknowledgments: In addition to the individual named above, Charles Vrabel (Assistant Director); Debra Conner; Larry Crosland; Sharhonda Deloach; Neil Doherty; Kristi Dorsey; Rosanna Guererro; Nancy Glover; Rebecca Eyler; Mary Marshall; and Jayne Wilson made key contributions to this report. [End of section] Related GAO Products: Cybersecurity: Continued Federal Efforts Are Needed to Protect Critical Systems and Information. [hyperlink, http://www.gao.gov/products/GAO-09-835T]. Washington, D.C.: June 25, 2009. Privacy and Security: Food and Drug Administration Faces Challenges in Establishing Protections for Its Postmarket Risk Analysis System. [hyperlink, http://www.gao.gov/products/GAO-09-355]. Washington, D.C.: June 1, 2009. Aviation Security: TSA Has Completed Key Activities Associated with Implementing Secure Flight, but Additional Actions Are Needed to Mitigate Risks. [hyperlink, http://www.gao.gov/products/GAO-09-292]. Washington, D.C.: May 13, 2009. Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk. [hyperlink, http://www.gao.gov/products/GAO-09-661T]. Washington, D.C.: May 5, 2009. Freedom of Information Act: DHS Has Taken Steps to Enhance Its Program, but Opportunities Exist to Improve Efficiency and Cost-Effectiveness. [hyperlink, http://www.gao.gov/products/GAO-09-260]. Washington, D.C.: March 20, 2009. Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls. [hyperlink, http://www.gao.gov/products/GAO-09-203]. Washington, D.C.: March 16, 2009. National Cyber Security Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture. [hyperlink, http://www.gao.gov/products/GAO-09-432T]. Washington, D.C.: March 10, 2009. Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data. [hyperlink, http://www.gao.gov/products/GAO-09-195]. Washington, D.C.: January 30, 2009. Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS. [hyperlink, http://www.gao.gov/products/GAO-09-136]. Washington, D.C.: January 9, 2009. Nuclear Security: Los Alamos National Laboratory Faces Challenges in Sustaining Physical and Cyber Security Improvements. [hyperlink, http://www.gao.gov/products/GAO-08-1180T]. Washington, D.C.: September 25, 2008. Critical Infrastructure Protection: DHS Needs to Better Address Its Cyber Security Responsibilities. [hyperlink, http://www.gao.gov/products/GAO-08-1157T]. Washington, D.C.: September 16, 2008. Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise. [hyperlink, http://www.gao.gov/products/GAO-08-825]. Washington, D.C.: September 9, 2008. Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network. [hyperlink, http://www.gao.gov/products/GAO-08-1001]. Washington, D.C.: September 9, 2008. Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability. [hyperlink, http://www.gao.gov/products/GAO-08-588]. Washington, D.C.: July 31, 2008. Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. [hyperlink, http://www.gao.gov/products/GAO-08-525]. Washington, D.C.: June 27, 2008. Information Security: FDIC Sustains Progress but Needs to Improve Configuration Management of Key Financial Systems. [hyperlink, http://www.gao.gov/products/GAO-08-564]. Washington, D.C.: May 30, 2008. Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks. [hyperlink, http://www.gao.gov/products/GAO-08-526]. Washington, D.C.: May 21, 2008. Information Security: TVA Needs to Enhance Security of Critical Infrastructure Control Systems and Networks. [hyperlink, http://www.gao.gov/products/GAO-08-775T]. Washington, D.C.: May 21, 2008. Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist. [hyperlink, http://www.gao.gov/products/GAO-08-571T]. Washington, D.C.: March 12, 2008. Information Security: Securities and Exchange Commission Needs to Continue to Improve Its Program. [hyperlink, http://www.gao.gov/products/GAO-08-280]. Washington, D.C.: February 29, 2008. Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies. [hyperlink, http://www.gao.gov/products/GAO-08-496T]. Washington, D.C.: February 14, 2008. Information Security: Protecting Personally Identifiable Information. [hyperlink, http://www.gao.gov/products/GAO-08-343]. Washington, D.C.: January 25, 2008. Information Security: IRS Needs to Address Pervasive Weaknesses. [hyperlink, http://www.gao.gov/products/GAO-08-211]. Washington, D.C.: January 8, 2008. Veterans Affairs: Sustained Management Commitment and Oversight Are Essential to Completing Information Technology Realignment and Strengthening Information Security. [hyperlink, http://www.gao.gov/products/GAO-07-1264T]. Washington, D.C.: September 26, 2007. Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. [hyperlink, http://www.gao.gov/products/GAO-07-1036]. Washington, D.C.: September 10, 2007. Information Security: Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs. [hyperlink, http://www.gao.gov/products/GAO-07-1019]. Washington, D.C.: September 7, 2007. Information Security: Selected Departments Need to Address Challenges in Implementing Statutory Requirements. [hyperlink, http://www.gao.gov/products/GAO-07-528]. Washington, D.C.: August 31, 2007. Information Security: Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses. [hyperlink, http://www.gao.gov/products/GAO-07-837]. Washington, D.C.: July 27, 2007. Information Security: Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program. [hyperlink, http://www.gao.gov/products/GAO-07-870]. Washington, D.C.: July 13, 2007. Information Security: Homeland Security Needs to Enhance Effectiveness of Its Program. [hyperlink, http://www.gao.gov/products/GAO-07-1003T]. Washington, D.C.: June 20, 2007. Information Security: Agencies Report Progress, but Sensitive Data Remain at Risk. [hyperlink, http://www.gao.gov/products/GAO-07-935T]. Washington, D.C.: June 7, 2007. Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its Program. [hyperlink, http://www.gao.gov/products/GAO-07-351]. Washington, D.C.: May 18, 2007. [End of section] Footnotes: [1] The 24 major departments and agencies (agencies) are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. [2] Most recently, GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 2009). [3] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). [4] GAO, Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009). [5] GAO, Executive Guide: Information Security Management: Learning from Leading Organizations, [hyperlink, http://www.gao.gov/products/GAO/AIMD-98-68] (Washington, D.C.: May 1998). [6] A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. [7] FMFIA, Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982), now codified at 31 U.S.C. § 3512, requires agencies to report annually to the President and Congress on the effectiveness of internal controls and any identified material weaknesses in those controls. Per OMB, for the purposes of FMFIA reporting, a material weakness also encompasses weaknesses found in program operations and compliance with applicable laws and regulations. Material weaknesses for FMFIA reporting are determined by management, whereas material weaknesses reported as part of a financial statement audit are determined by independent auditors. [8] The Reports Consolidation Act of 2000, Pub. L. No. 106-531, 114 Stat. 2537 (Nov. 22, 2000), requires inspectors general to include in their agencies' performance and accountability reports a statement that summarizes what they consider to be the most serious management and performance challenges facing their agencies and briefly assesses their agencies' progress in addressing those challenges. 31 U.S.C. § 3516(d). [9] GAO, Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls, [hyperlink, http://www.gao.gov/products/GAO-09-203] (Washington, D.C.: Mar. 16, 2009). [10] GAO, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, [hyperlink, http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 2009). [11] GAO, Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network, [hyperlink, http://www.gao.gov/products/GAO-08-1001] (Washington, D.C.: Sept. 9, 2008). [12] GAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks, [hyperlink, http://www.gao.gov/products/GAO-08-526] (Washington, D.C.: May 21, 2008) and Information Security: TVA Needs to Enhance Security of Critical Infrastructure Controls Systems and Networks, [hyperlink, http://www.gao.gov/products/GAO-08-755T] (Washington, D.C.: May 21, 2008). [13] GAO, Information Security: Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program, [hyperlink, http://www.gao.gov/products/GAO-07-870] (Washington, D.C.: July 13, 2007). [14] GAO, Information Security: Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-07-837] (Washington, D.C.: July 27, 2007). [15] Cryptography is used to secure transactions by providing ways to ensure data confidentiality, data integrity, authentication of the message's originator, electronic certification of data, and nonrepudiation (proof of the integrity and origin of data that can be verified by a third party). [16] See related GAO products for a list of our recent reports on information security. [17] GAO, National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture, [hyperlink, http://www.gao.gov/products/GAO-09-432T] (Washington, D.C.: Mar. 10, 2009). [18] The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (Washington, D.C.: May 29, 2009). [19] The White House, National Security Presidential Directive 54/ Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8, 2008). [20] Statement of the Director of National Intelligence before the Senate Select Committee on Intelligence, Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence (Feb. 12, 2009). [21] Certification is a comprehensive assessment of management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision to authorize operation of an information system and to explicitly accept the risk to agency operations based on implementation of controls. [22] OMB, Memorandum M-08-22, Guidance on the Federal Desktop Core Configuration (Washington, D.C.: August 2008). [23] [hyperlink, http://www.gao.gov/products/GAO-07-837] and GAO, Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist, [hyperlink, http://www.gao.gov/products/GAO-08-571T] (Washington, D.C.: Mar. 12, 2008). [24] The President's Council on Integrity and Efficiency was established by executive order to address integrity, economy, and effectiveness issues that transcend individual government agencies and increase the professionalism and effectiveness of inspector general personnel throughout government. The Inspector General Reform Act of 2008 combined the council with the Executive Council on Integrity and Efficiency to create the Council of Inspectors General on Integrity and Efficiency. [25] GAO, Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Statutory Requirements, [hyperlink, http://www.gao.gov/products/GAO-05-552] (Washington, D.C.: July 15, 2005); [hyperlink, http://www.gao.gov/products/GAO-07-837]; and [hyperlink, http://www.gao.gov/products/GAO-08-571T]. [26] On March 5, 2009, the President named a Federal Chief Information Officer at the White House to direct the policy and strategic planning of federal information technology investments and be responsible for oversight of federal technology spending. The Federal CIO also establishes and oversees enterprise architecture to ensure system interoperability and information sharing and ensure information security and privacy across the federal government. [27] GAO, Federal Information System Controls Audit Manual, [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009). [28] Pub. L. No. 107-347, title III, 116 Stat. 2899, 2946 (Dec. 17, 2002). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO‘s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO‘s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.