Information Security: Federal Agencies Show Mixed Progress in
Implementing Statutory Requirements (16-MAR-06, GAO-06-527T).
                                                                 
For many years, GAO has reported that ineffective information	 
security is a widespread problem that has potentially devastating
consequences. In its reports to Congress since 1997, GAO has	 
identified information security as a governmentwide high-risk	 
issue--most recently in January 2005. Concerned with accounts of 
attacks on commercial systems via the Internet and reports of	 
significant weaknesses in federal computer systems that make them
vulnerable to attack, Congress passed the Federal Information	 
Security Management Act of 2002 (FISMA), which permanently	 
authorized and strengthened the federal information security	 
program, evaluation, and reporting requirements established for  
federal agencies. This testimony discusses the federal		 
government's progress and challenges in implementing FISMA, as	 
reported by the Office of Management and Budget (OMB), the	 
agencies, and the Inspectors General (IGs), and actions needed to
improve FISMA reporting and address underlying information	 
security weaknesses.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-527T
    ACCNO:   A49317
    TITLE:   Information Security: Federal Agencies Show Mixed
             Progress in Implementing Statutory Requirements
     DATE:   03/16/2006
  SUBJECT:   Access control
             Baseline security controls
             Computer security
             Federal agencies
             Information security
             Internal controls
             IT training
             Performance measures
             Program evaluation
             Program management
             Reporting requirements
             Risk assessment

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-527T

     


Mr. Chairman and Members of the Committee:

I am pleased to be here today to discuss the state of federal information
security and the efforts by federal agencies to implement requirements of
the Federal Information Security Management Act of 2002 (FISMA).1 For many
years, we have reported that poor information security is a widespread
problem that has potentially devastating consequences.2 Since 1997, we
have identified information security as a governmentwide high-risk issue
in reports to Congress.3 Concerned with accounts of attacks on commercial
systems via the Internet and reports of significant weaknesses in federal
computer systems that made them vulnerable to attack, Congress passed
FISMA, which permanently authorized and strengthened the federal
information security program, evaluation, and reporting requirements
established for federal agencies.

In my testimony today, I will summarize our analysis of the reported
status of the federal government's implementation of FISMA. I will note
areas where the agencies have made progress in implementing the
requirements of the Act and those areas where weaknesses remain. I will
also touch on additional actions that federal entities can take to help
fully implement the mandated information security programs and to improve
the effectiveness of information security controls.

In conducting this work, we reviewed and summarized OMB's fiscal year 2005
report to Congress on FISMA implementation, dated March 1, 2006. We also
analyzed and summarized the fiscal year 2005 FISMA reports from 24 major
federal agencies4 and their inspectors general (IGs). In addition, we
reviewed standards and guidance issued by OMB and the National Institute
of Standards and Technology (NIST) pursuant to their responsibilities
under the Act. We did not validate the accuracy of the data reported by
the agencies or OMB, but we did analyze the IGs' fiscal year 2005 FISMA
reports to identify any issues related to the accuracy of agency-reported
information. Finally, we examined and summarized key findings of related
GAO products. We performed our work from October 2005 to March 2006 in
accordance with generally accepted government auditing standards.

1 Federal Information Security Management Act of 2002, Title III,
E-Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002.

2 GAO, Information Security: Opportunities for Improved OMB Oversight of
Agency Practices, GAO/AIMD-96-110 (Washington, D.C.: Sept. 24, 1996).

3 GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: Jan.
2005).

                                Results in Brief

In its fiscal year 2005 report to Congress, OMB noted that the federal
government has made progress in meeting key performance measures for
information security; however, uneven implementation of security efforts
has left weaknesses in several areas. OMB identified weaknesses with the
extent of agencies' oversight of contractor systems, testing of security
controls, and reporting of security incidents, as well as the quality of
agencies' plans of action and milestones and certification and
accreditation processes. The report presented a plan of action that OMB is
pursuing with federal agencies to improve their management of information
security.

The fiscal year 2005 reports submitted by the agencies present a mixed
picture of FISMA implementation in the federal government. In their fiscal
year 2005 reports, 24 major federal agencies generally reported an
increasing number of systems meeting key information security performance
measures, such as percentage of systems certified and accredited and
percentage of contingency plans tested. Nevertheless, progress was uneven.
For example, the percentage of agency systems reviewed declined from 96
percent in 2004 to 84 percent in 2005, and the percentage of employees and
contractors receiving security awareness training also declined, from 88
percent in 2004 to 81 percent in 2005.

4 These 24 departments and agencies are the Departments of Agriculture,
Commerce, Defense, Education, Energy, Health and Human Services, Homeland
Security, Housing and Urban Development, Interior, Justice, Labor, State,
Transportation, Treasury, and Veterans Affairs, the Environmental
Protection Agency, General Services Administration, Office of Personnel
Management, National Aeronautics and Space Administration, National
Science Foundation, Nuclear Regulatory Commission, Small Business
Administration, Social Security Administration, and U.S. Agency for
International Development.

Federal entities can act to improve the usefulness of the annual FISMA
reporting process and to mitigate underlying information security
weaknesses. OMB has taken several actions to improve FISMA reporting--such
as requiring agencies to indicate the relative importance or risk level of
their systems--and can further enhance the reliability and
quality of reported information. Agencies can also take actions to fully
implement their FISMA-mandated programs and address the weaknesses in
their information security controls. Such actions include completing and
maintaining accurate inventories of major systems, prioritizing
information security efforts based on system risk levels, and
strengthening controls that are designed to prevent, limit, and detect
access to the agencies' information and information systems.

                                   Background

Increasing computer interconnectivity--most notably growth in the use of
the Internet--has revolutionized the way that our government, our nation,
and much of the world communicate and conduct business. While this
interconnectivity offers us huge benefits, without proper safeguards it
also poses significant risks to the government's computer systems and,
more importantly, to the critical operations and infrastructures they
support. We reported in 2005 that while federal agencies showed
improvement in addressing information security, they also continued to
have significant control weaknesses in federal computer systems that put
federal operations and assets at risk of inadvertent or deliberate misuse,
financial information at risk of unauthorized modification or destruction,
sensitive information at risk of inappropriate disclosure, and critical
operations at the risk of disruption.5

The significance of these weaknesses led us to conclude in the audit of
the federal government's fiscal year 2005 financial statements6 that
information security was a material weakness.7 Our audits also identified
instances of similar types of weaknesses in non-financial systems.

To fully understand the significance of the weaknesses we identified, it
is necessary to link them to the risks they present to federal operations
and assets. Virtually all federal operations are supported by automated
systems and electronic data, and agencies would find it difficult, if not
impossible, to carry out their missions and account for their resources
without these information assets. Hence, the degree of risk caused by
security weaknesses is high. The weaknesses we identified place a broad
array of federal operations and assets at risk. For example,

           * Resources, such as federal payments and collections, could be
           lost or stolen.
           * Computer resources could be used for unauthorized purposes or
           to launch attacks on other computer systems.
           * Sensitive information, such as taxpayer data, social security
           records, medical records, and proprietary business information
           could be inappropriately disclosed, browsed, or copied for
           purposes of industrial espionage or other types of crime.
           * Data could be modified or destroyed for purposes of fraud,
           identity theft, or disruption.
           * Agency missions could be undermined by embarrassing incithat
           result in diminished con abilities to conduct operations and
           fulfill their fiduciary responsibilities.

ngress and the administration have established specific ormation security

5 GAO, Information Security: Weaknesses Persist at Federal Agencies Despite
Progress Made in Implementing Related Statutory Requirements, GAO-05-552
(Washington, D.C.: July 15, 2005).

6 GAO, Fiscal Year 2005 U.S. Government Financial Statements: Sustained
Improvement and Financial Management is Crucial to Addressing our Nation's
Financial Conditions and Long-term Fiscal Imbalance, GAO-06-406T
(Washington, D.C.: March 1, 2006).

7 A material weakness is a condition that precludes the entity's internal
control from providing reasonable assurance that misstatements, losses, or
noncompliance material in relation to the financial statements or to
stewardship information would be prevented or detected on a timely basis.

protect the information and information systems that suppocritical
operations and assets. thened Information Security Requirements

Government Act of 2002, FISMA authorized and stre

information security program, evaluation, and reporting requirements. The
Act assigns specific responsibilities to agency heads, chief information
officers, and IGs. It also assigns responsibilities to OMB, which include
developing and overseeing the implementation of policies, principles,
standards, and guidelines on information security and reviewing at least
annually, and approving or disapproving, agency information security
programs. Overall, FISMA requires each agency (including agencies with
national security systems) to develop, document, and implement an
agencywide information security program. This program should provide
security for the information and information systems that support the
operations and assets of the agency, including those provided or managed
by another agency, contractor, or other source. Specifically, this program
is to include

           * periodic assessments of the risk and magnitude of harm that
           could result from the unauthorized access, u
           disruption, modification, or destruction of information or
           information systems;
           * risk-based policies and procedures that cost-effectively
           redinformation security r
           information security is addressed throughout the life cycle of
           each information system, including minimally acceptable system
           configuration requirements;
           * subordinate plans for providing adequate information security
           for networks, facilities, and syste
           systems;
           * security awareness training for agency personnel, including
           contracto
           the operations and assets of the agency;
           * periodic evaluation of the effectiveness of information security
           policies, procedures, and practices, perfo
           depending on risk, but no less than annually, and that includes
           testing of management, operational, and technical controls for
           every system identified in the agency's required inventory of
           major information systems;
           * a process for planning, implementing, evaluating, and
           documenting remedial action
           information security policies, procedures, and practiceagency;
           * procedures for detecting, reporting, and responding to security
           incidents; and
           * plans and procedures to ensure continuity of operations for
           information systems that support the operations and assets of the
           agency.

systems (including major national security systems) that are operated by
the agency or under its control. This inventory is to include an
identification of the interfaces between each system and all other systems
or networks, including those not operated by or under the control of the
agency. Each agency is also required to have an annual independent
evaluation of its information secu

including control testing and compliance assessment. Evaluations of
non-national security systems are to be performed by the agenor by an
independent external auditor, while evaluations related to national
security systems are to be performed only by an entity designated by the
agency head. The agencies are to report annually to OMB, selected
congressional committees, and the Comptroller General on the adequacy of
information security policies, procedures, practices, and compliance with
FISMA requirements. In addition, agency heads are required to make annual
reports of the results of their independent evaluations to OMB. OMB musa
report to Congress no later than March 1 of each year on agency
compliance, including a summary of the findings of agencies' independent
evaluations. Other major provisions direct that the National Institute of
Standards and Technology

categorize all their information and information systems basthe objectives
of providing appropriate levels of information security according to a
range of risk levels; (2) guidelines recommending the types of information
and information systems to be included in each category; and (3) minimum
information srequirements for information and information systems in
each category. NIST must also develop a definition of and guidelines
concerning detection and handling of information security incidents and
guidelines. nd Guidance Emphasize Performance Measures OMB provides in

annual FISMA reporting requirements. OMB's fiscal year 2reporting instructions,
similar to the 2004 instructions, ha

focus on performance measures. OMB has developed performance measures in
the following areas:

           * certification and accreditation,8
           * testing of security controls,
           * agency systems and contractor systems reviewed annually,
           * testing of contingency plans,
           * incident reporting,
           * annual security awareness training for employees and contra
           * annual specialized training for
           responsibilities, and
           * minimally acceptable configuration requirements.

           Further, OMB has provided instructions for continued agency
           reporting on the statu
           action and milestones. Required for all programs ana

           weaknesses and show estimated resource needs or other challeto
           resolving them, key milestones and completion dates, and the status
           of corrective actions. The plans are to be submitted twice a year
           to OMB. In addition, agencies are to submit quarterly updates that
           indicate the number of weaknesses for which corrective action has
           been completed as originally scheduled, or has been delayed, as
           well as the number of new weaknesses discovered since the last
           update.

           The annual IGs' reports requested by OMB are to be based on the
           results of their independent evaluations, including work
           performethrougho

           IGs to respond to some of the same questions as the agencies, it
           also asked them to assess whether their agency had developed,
           implemented, and was managing an agencywide plan of actions and
           milestones. Further, OMB asked the IGs to assess the quality of
           the certification and accreditation process at their agencies, as
           well as the status of their agency's inventory of major
           information sOMB did not request that the IGs validate agency
           responses to the performance measures. Instead, as part of their
           independent evaluations of a subset of agency systems, IGs were
           asked to assess the reliability of the data for those systems that
           they evaluated.

8 Agency management officials are required to formally authorize their
information systems to process information and, thereby, accept the risk
associated with their operation. This management authorization
(accreditation) is to be supported by a formal technical evaluation
(certification) of the management, operational, and technical controls
established in an information system's security plan.

           OMB's Report to Congress Noted Improvements and Weaknesses

In its March 2006 report to Congress on fiscal year 2005 FISMA
implementation,9 OMB emphasized that the federal government has made
progress in meeting key performance measures for IT security; however,
uneven implementation of security efforts leaves weaknesses in several
areas. OMB determined through its assessment of FISMA reports that
advances have occurred at a governmentwide level in the following areas of
IT security:

           * Systems certification and accreditation. Agencies recorded a 19
           percent increase in the total number of IT systems and reported
           that the percentage of certified and accredited systems rose from
           77 percent in fiscal year 2004 to 85 percent in 2005. Moreover,
           OMB noted that 88 percent of systems assessed as high-risk have
           been certified and accredited.
           * Assessed quality of the certification and accreditation
           process. OMB's analysis of reports from the IGs revealed an
           increase in agencies with a certification process rated as
           "satisfactory" or higher, from 15 in 2004 to 17 in 2005.
           * Plans of action and milestone process. OMB noted that out of 25
           agencies that it reviewed in detail,10 19 IGs report that their
           agencies have effective remediation processes, compared to 18 in
           2004.

           In addition to these areas of improvement, OMB detected areas with
           continuing weaknesses:

           * Contractor systems oversight. IGs for 6 of 24 agencies (one
           agency IG did not respond) rated agency oversight of contractor
           systems in the "rarely" range, while 3 others rated this oversight
           in the next lowest range, "sometimes."
           * Security controls testing. Agencies tested the security
           controls on a lower percentage of systems, dropping from 76
           percent in fiscal year 2004 to 72 percent in 2005. OMB noted a
           better rate of testing for high-risk systems, with a
           governmentwide total of 83 percent.
           * Incident reporting. OMB stated that some agencies continue to
           report security incidents to the Department of Homeland Security
           only sporadically and that others report notably low levels of
           incidents.
           * Agencywide plans of action and milestones. While IGs for 19
           agencies reported effective POA&M processes, 6 others reported
           ineffective processes.
           * Certification and accreditation process. OMB commented that
           while no IG rated the certification and accreditation process for
           its agency as failing, eight rated the process as "poor."

           The OMB report also discusses a plan of action to improve
           performance, assist agencies in their information security
           activities, and promote compliance with statutory and policy
           requirements. OMB has set a goal for agencies to have 90 percent
           of their systems certified and accredited and their certification
           and accreditation process rated as "satisfactory" or better by
           their IGs.

9 Office of Management and Budget, FY2005 Report to Congress on the
Implementation of the Federal Information Security Management Act of 2002
(Washington, D.C.: March 2006).

10 OMB includes the Smithsonian Institution in its list of major agencies.
Our analysis in this testimony does not include the Smithsonian
Institution.

                  Agency 2005 FISMA Reports Show Mixed Results

In their FISMA-mandated reports for fiscal year 2005, the 24 major
agencies reported both improvements and weaknesses in major performance
indicators. The following key measures showed increased performance and/or
continuing challenges:

           * percentage of systems certified and accredited;
           * percentage of agencies with an agencywide minimally acceptable
           configuration requirements policy;
           * percentage of agency systems reviewed annually;
           * percentage of contractor systems reviewed annually;
           * percentage of employees and contractors receiving annual
           security awareness training;
           * percentage of employees with significant security respo
           * percentage of contingency plans tested.

           Figure 1 illustrates that the major agenci

           p

           although they have made mixed progress in meeting other
           key performance measures compared with the previous two fiscal
           years. Summaries of the results for specific measures follow.

           Figure 1: Reported Data for Selected Performance Measures for 24 M

           In

acc

authorization (accreditation) is to be supported by a formal technical
evaluation (certification) of the management, operational, and technical
controls established in an information system's security plan. For FISMA
reporting, OMB requires agencies to report the number of systems authorized
for processing after completing certification and accreditation. Data
reported for this measure showed continued overall increfor most agencies
over the last three years. For example, 15 agencies reported an increase
in the percentage of their systems that had completed certification

percent of agencies' systems governmentwide were reported as certified and
accredited in 2005, compared to 77 percent in 2004 and 62 percent in 2003.
In addition, 20 agencies reported that 90 percent or more of their systems
had successfully completed the process, illustrated in figure 2.

Figure 2: Percentage of Agencies Reporting the Percentage of Their Systems
that are Certified and Accredited for Processing in Fiscal Year 2005

accredited a higher percentage of their high-risk systems (88 percent)
than their moderate-risk systems.

requirements, as determined by the agency. In fiscal year 2004, for the
first time, agencies reported on the degree to which they had security
configurations for specific operating systems and software applications.
Our analysis of the 2005 agency FISMA reports found that all 24 major
agencies reported that they had agencywide policies containing system
configurations, an increase from the 20 agencies who reported having them
in 2004. However, implementation of these requirements at the system level
continues to be uneven. Specifically, 14 agencies reported having
configuration policies, but they did not always implement them on their
systems. tems

FISMA periodi

security policies, procedures, and practices to be performed with a
frequency that depends on risk, but no less than annually. This effort is
to include testing of management, operational, and technical controls of
every information system identified in the FISMA-required inventory of
major systems. Periodically evaluating the effectiveness of security
policies and controls and acting to address any identified weaknesses are
fundamental activities that allow an organization to manage its information
security risks cost-effectively, rather than reacting to individual
problems ad hoc only after a violation has been detected or an audit
finding has been reported. In order to measure the performance of security
programs, OMB requires that agencies report the number and percentage
of systems that they have reviewed during the year. Agencies reported a
decrease in the percentage of

this performance measure in 2004. In the 2005 reports, agencies stated
that 84 percent of their systems had been reviewed in the last year, as
compared to 96 percent in 2004. While 23 agencies reported that they had
reviewed 90 percent or more of their systems in 2004, 19 agencies reported
this achievement in 2005, as shown in figure 3.

Figure 3: Percentage of Agencies Reporting the Percentage of Their Systems
that

Under FISMinformation security p

maintained by or on behalf of the agency and information sused or operated
by an agency or by a contractor. As OMB emphasized in its fiscal year 2005
FISMA reporting guidance, agency IT security programs apply to all
organizations that possess federal information or that operate, use, or
have access to federal information systems on behalf of a federal agency.
Such other organizations may include contractors, grantees, state and
local governments, and industry partners. According to longstanding OMB
policy concerning sharing government information and interconnecting
systems, federal security requirements continue to apply, and the agency is
responsible for ensuring appropriate security controls. The key
performance measure of annual review of contractor systems by agencie

2003 levels. However, the number of agencies that reported reviewing over
90 percent of their contractor systems has increased from 10 in 2004 to 17
in 2005. A breakdown of the percentages for fiscal year 2005 is provided in
figure 4.

Figure 4: Percentage of Agencies Reporting the Percentage of Their
Contractor Systems that have been Reviewed in Fiscal Year

s

of moderate-risk systems and 84 percent of low-risk systems. Without
adequate contractor review, agencies cannot be assured that federal
information held and processed by contractors is secure. FISMA requires
agencies to provid

assets of an agency, of information security risks associated with their
activities and of the agency's responsibilities in complying with policies
and procedures designed to reduce these risks. Our studies of best
practices at leading organizations11 have shown that such organizations
took steps to ensure that personnel involved in various aspects of
information security programs had the skills and knowledge they needed. In
their FISMA submissions for fiscal year 2005, agencies reported that they
provided securit

reported that they had trained more than 90 percent of their employees and
contractors in basic security awareness (see fig. 5the overall percentage
of employees trained among the 24 major federal agencies reviewed dropped
from 88 percent in 2004 to 81 percent in 2005, a level almost equal to that
reported in 2003.

Figure 5: Percentage of Agencies Reporting the Level of Their Employees
and Contractors that have Received IT Security Awareness Training in
Fiscal Ye

11 GAO, Executive Guide: Information Security Management: Learning From
Leading Organizations, GAO/AIMD-98-68 (May 1998).

Specialized Security Training

Under FISMA, agencies are required to provide training in information
security to personnel with significant security responsibilities. As
previously noted, our study of best practices at leading organizations has
shown that such organizations recognized that staff expertise needed to be
updated frequently to keep security employees current on changes in
threats, vulnerabilities, software, technologies, security techniques, and
security monitoring tools. OMB directs agencies to report on the
percentage of their employees with significant security responsibilities
who have received specialized training.

Agencies reported varying levels of compliance in providing specialized
training to employees with significant security responsibilities. Of the
24 agencies that we reviewed, 12 reported that they had provided
specialized security training for 90 percent or more of these employees
(see fig. 6).

Figure 6: Percentage of Agencies Reporting the Level of Their Employees
with Significant Security Responsibilities that have Received Specialized
Security Training in Fiscal Year 2005

Although there was a gain of one point in the percentage of employees who
received specialized security training for fiscal year 2005 (82 percent)
over 2004 (81 percent), both of these years show a decrease from the level
reported in 2003 (85 percent). Given the rapidly changing threats in
information security, agencies need to keep their IT security employees up
to date on changes in technology. Otherwise, agencies may face increased
risk of security breaches.

Testing of Contingency Plans

Contingency plans provide specific instructions for restoring critical
systems, including such elements as arrangements for alternative
processing facilities in case the usual facilities are significantly
damaged or cannot be accessed due to unexpected events such as a temporary
power failure, the accidental loss of files, or a major disaster. It is
important that these plans be clearly documented, communicated to
potentially affected staff, and updated to reflect current operations. The
testing of contingency plans is essential to determining whether the plans
will function as intended in an emergency, and the frequency of plan
testing will vary depending on the criticality of the entity's operations.
The most useful tests involve simulating a disaster to test overall
service continuity. Such a test includes testing whether the alternative
data processing site will function as intended and whether critical
computer data and programs to be recovered from off-site storage will be
accessible and current. In executing the plan, managers are able to
identify weaknesses and make changes accordingly. Moreover, such tests
assess how well employees have been trained to carry out their roles and
responsibilities during a disaster. To show the status of implementing
this requirement, OMB specifies that agencies report the number of systems
with tested contingency plans.

Overall, agencies continued to report that a significant number of their
contingency plans have not been tested: only 61 percent of systems had
tested plans. Although this number has shown small increases each year
since 2003, figure 7 illustrates that 5 agencies reported that less than
50 percent of their systems had tested contingency plans.

Figure 7: Percentage of Agencies Reporting the Level of Their Systems that
have Tested Contingency Plans in Fiscal Year 2005

In addition, agencies do not appear to be appropriately prioritizing
testing of contingency plans by system risk level, with high-risk systems
having the lowest rate of systems with tested plans of the three risk
levels. Without testing, agencies can have limited assurance that they
will be able to recover mission critical applications, business processes,
and information in the event of an unexpected interruption.

Inventory of Major Systems

FISMA requires that agencies develop, maintain, and annually update an
inventory of major information systems operated by the agency, or under
its control. The total number of agency systems is a key element in OMB's
performance measures, in that agency progress is indicated by the
percentage of total systems that meet specific information security
requirements. For the 2005 reports, OMB required agencies to report the
number of major systems and asked the IGs about the status and accuracy of
their agencies' inventories.

In 2005, agencies reported 10,261 systems, composed of 9,175 agency
systems and 1,094 contractor systems. However, only 13 IGs reported that
their agencies' inventories were substantially complete. A complete
inventory of major information systems is a key element of managing the
agency's IT resources, including the security of those resources. Without
reliable information on agencies' inventories, the agencies, the
administration, and Congress cannot be fully assured of agencies' progress
in implementing FISMA.

Risk Assessments

FISMA mandates that agencies assess the risk and magnitude of harm that
could result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of their information and information systems.
The Federal Information Processing Standard (FIPS) 199, Standards for
Security Categorization of Federal Information and Information Systems,
and related NIST guidance provide a common framework for categorizing
systems according to risk. The framework establishes three levels of
potential impact on organizational operations, assets, or individuals
should a breach of security occur: high (severe or catastrophic), moderate
(serious), and low (limited). It is used to determine the impact for each
of the FISMA-specified security objectives of confidentiality, integrity,
and availability. Once determined, security categories are to be used in
conjunction with vulnerability and threat information in assessing the
risk to an organization. OMB's fiscal year 2005 reporting instructions
included the new requirement that agencies report their systems and
certain performance measures using FIPS 199 risk levels. If agencies did
not categorize systems, or used a method other than FIPS 199 to determine
risk level, they were required to explain why in their FISMA reports.

For the first time, in the 2005 reporting, agencies reported the risk
levels for their agency and contractor systems, as illustrated in table 1.

Table 1: Systems Reported by Risk Level in Fiscal Year 2005

Risk level          Agency systems          Contractor systems      Overall
                    Number    Percentage    Number    Percentage    Percentage
High-risk            1,646    18              293     27            19
Moderate-risk        2,493    27              249     23            27
Low-risk             4,446    49              164     15            45
Not categorized        580     6              390     35             9
Totals               9,165   100            1,096    100           100

Source: GAO analysis.

Agencies reported that 9 percent of their systems were not categorized by
risk level. The majority of systems without risk levels assigned were
found at 4 agencies. One agency did not categorize 77 percent of its
systems. Without assigned risk levels, agencies cannot make risk-based
decisions on the security needs of their information and information
systems.

Actions Are Needed to Improve FISMA Reporting and Underlying Information
Security Weaknesses

There are actions that OMB and the agencies can take to improve FISMA
reporting and compliance and to address underlying weaknesses in
information security controls. In our July 2005 report,12 we evaluated the
adequacy and effectiveness of agencies' information security policies and
practices and the federal government's implementation of FISMA
requirements. We recommended that the Director of OMB take actions in
revising future FISMA reporting instructions to increase the usefulness of
the agencies' annual reports to oversight bodies by:

o  requiring agencies to report FISMA data by risk category;

o  reviewing guidance to ensure the clarity of instructions;

o  requesting the IGs report on the quality of additional agency
processes, such as the annual system reviews.

These recommendations were designed to strengthen reporting under
FISMA by encouraging more complete information on the
implementation of agencies' information security programs.

Consistent with our recommendation, OMB required agencies to
report certain performance measures by system risk level for the
first time in fiscal year 2005. As a result, we were able to
identify potential areas of concern in the agencies'
implementation of FISMA. For example, agencies do not appear to be
prioritizing certain information security control activities, such
as annual review of contractor systems or testing of contingency
plans, based on system risk levels. For both of these activities,
federal implementation of the control is lower for high-risk
systems than it is for moderate or low-risk systems.

OMB has also taken steps to increase the clarity of instructions
in its annual guidance. It has removed several questions from
prior years that could have been subject to differing
interpretations by the IGs and the agencies. Those questions
related to agency inventories and to plans of actions and
milestones. In addition, OMB clarified reporting instructions for
minimally acceptable configuration requirements. The resulting
reports are more consistent and, therefore, easier to analyze and
compare.

However, opportunities still exist to enhance reporting on the
quality of the agencies' information security-related processes.
The qualitative assessments of the certification and accreditation
process and the plans of actions and milestones have greatly
enhanced Congress', OMB's, and our understanding of the
implementation of these requirements at the agencies. Additional
information on the quality of agencies' processes for annually
reviewing or testing systems, for example, could improve
understanding of these processes by examining whether federal
guidance is applied correctly, or whether weaknesses discovered
during the review or test are tracked for remediation. Extending
qualitative assessments to additional agency processes could
improve the information available on agency implementation of
information security requirements.

12GAO-05-552

Federal Agencies Need to Take Actions to Increase FISMA Compliance and Address
Already Identified Information Security Weaknesses

Agencies need to take action to implement the information security
management program mandated by FISMA and use that program to address their
outstanding information security weaknesses. An agencywide security
program provides a framework and continuing cycle of activities for
managing risk, developing security policies, assigning responsibilities,
and monitoring the adequacy of the entity's computer-related controls.
Without a well-designed program, security controls may be inadequate;
responsibilities may be unclear, misunderstood, or improperly implemented;
and controls may be inconsistently applied. Such conditions may lead to
insufficient protection of sensitive or critical resources and
disproportionately high expenditures for controls over low-risk resources.

As we have previously reported,13 none of the 24 major agencies has fully
implemented agencywide information security programs as required by FISMA.
Agencies often did not adequately assess risks, develop sufficient
risk-based policies or procedures for information security, ensure that
existing policies and procedures were implemented effectively, or monitor
operations to ensure compliance and determine the effectiveness of
existing controls. Moreover, as demonstrated by the 2005 FISMA reports,
many agencies still do not have complete and accurate inventories of their
major systems. Until agencies effectively and fully implement agencywide
information security programs, federal data and systems will not be
adequately safeguarded against unauthorized use, disclosure, and
modification.

Agencies need to take action to implement and strengthen their information
security management programs. Such actions should include completing and
maintaining an accurate, complete inventory of major systems, and
prioritizing information security efforts based on system risk levels.
Strong incident procedures are necessary to detect, report, and respond to
security incidents effectively. Agencies also should implement strong
remediation processes that include processes for planning, implementing,
evaluating, and documenting remedial actions to address any identified
information security weaknesses. Finally, agencies need to implement
risk-based policies and procedures that efficiently and effectively reduce
information security risks to an acceptable level.

13GAO-05-552.

Even as federal agencies are working to implement information security
management programs, they continue to have significant control weaknesses
in their computer systems that threaten the integrity, reliability, and
availability of federal information and systems. In addition, these
weaknesses place financial information at risk of unauthorized
modification or destruction, sensitive information at risk of
inappropriate disclosure, and critical operations at risk of disruption.

The weaknesses appear in both access controls and other information
security controls defined in our audit methodology for performing
information security evaluations and audits.14 These areas are (1) access
controls, which ensure that only authorized individuals can read, alter,
or delete data; (2) software change controls, which provide assurance that
only authorized software programs are implemented; (3) segregation of
duties, which reduces the risk that one individual can independently
perform inappropriate actions without detection; (4) continuity of
operations planning, which provides for the prevention of significant
disruptions of computer-dependent operations; and (5) an agencywide
security program, which provides the framework for ensuring that risks are
understood and that effective controls are selected and properly
implemented.

In the 24 major agencies' fiscal year 2005 reporting regarding their
financial systems, 6 reported information security as a material weakness
and 14 reported it as a reportable condition.15 Our audits also identified
similar weaknesses in nonfinancial systems. In our prior reports, we have
made specific recommendations to the agencies to mitigate identified
information security weaknesses. The IGs have also made specific
recommendations as part of their information security review work.

14GAO, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6
(Washington, D.C.: January 1999). This methodology is used for our
information security controls evaluations and audits, as well as by the
IGs for the information security control work done as part of financial
audits at the agencies.

Agencies Should Address Weaknesses in Access Controls

Agencies would benefit from addressing common weaknesses in access
controls. As we have previously reported, the majority of the 24 major
agencies had access control weaknesses.16 A basic management control
objective for any organization is to protect data supporting its critical
operations from unauthorized access, which could lead to improper
modification, disclosure, or deletion of the data. Based on our previous
work performing information security audits, agencies can take steps to
enhance the four basic areas of access controls:

o  User identification and authentication. To enable a computer
system to identify and differentiate users so that activities on
the system can be linked to specific individuals, agencies assign
unique user accounts to specific users, a process called
identification. Authentication is the method or methods by which a
system establishes the validity of a user's claimed identity.
Agencies need to implement strong user identification and
authentication controls.

o  User access rights and file permissions. The concept of "least
privilege" is a basic underlying principle for securing computer
systems and data. It means that users are granted only those
access rights and file permissions that they need to do their
work. Agencies would benefit from establishing the concept of
least privilege as the basis for all user rights and permissions.

o  Network services and devices. Sensitive programs and
information are stored on networks, which are collections of
interconnected computer systems and devices that allow users to
share resources. Organizations secure their networks, in part, by
installing and configuring network devices that permit authorized
requests and limit the services that are available.17 Agencies need
to put in place strong controls that ensure only authorized access
to their networks.

o  Audit and monitoring of security-related events. To establish
individual accountability, monitor compliance with security
policies, and investigate security violations, it is crucial that
agencies implement system or security software that provides an
audit trail that they can use to determine the source of a
transaction, or to monitor the activities of users on the
agencies' systems. To detect and prevent unauthorized activity,
agencies should have strong monitoring and auditing capabilities.

15Reportable conditions are significant deficiencies in the design or
operation of internal control that could adversely affect the entity's
ability to record, process, summarize, and report financial data
consistent with the assertions of management in the financial statements.

16GAO-05-552.

Agencies Need to Act to Implement Other Information Security Controls

In addition to electronic access controls, other important controls should
be in place to ensure the security and reliability of an agency's data.

o  Software change controls. Counteracting identified weaknesses
in software change controls would help agencies ensure that
software was updated correctly and that changes to computer
systems were properly approved. Software change controls ensure
that only authorized and fully tested software is placed in
operation. These controls, which also limit and monitor access
to powerful programs and sensitive files associated with computer
operations, are important in providing reasonable assurance that
access controls are not compromised and that the system will not
be impaired. These policies, procedures, and techniques help to
ensure that all programs and program modifications are properly
authorized, tested, and approved. Failure to implement these
controls increases the risk that unauthorized programs or changes
could be placed into operation, inadvertently or deliberately.

o  Segregation of duties. Agencies have opportunities to implement
effective segregation of duties to address the weaknesses
identified in this area. Segregation of duties refers to the
policies, procedures, and organizational structure that help to
ensure that one individual cannot independently control all key
aspects of a process or computer-related operation and thereby
conduct unauthorized actions or gain unauthorized access to assets
or records. Proper segregation of duties is achieved by dividing
responsibilities among two or more individuals or organizational
groups. For example, agencies need to segregate duties to ensure
that individuals cannot add fictitious users to a system, assign
them elevated access privileges, and perform unauthorized
activities without detection. Without adequate segregation of
duties, there is an increased risk that erroneous or fraudulent
transactions can be processed, improper program changes
implemented, and computer resources damaged or destroyed.

o  Continuity of operations. The majority of agencies could
benefit from having adequate continuity of operations planning. An
organization must take steps to ensure that it is adequately
prepared to cope with the loss of operational capabilities due to
earthquake, fire, accident, sabotage, or any other disruption. An
essential element in preparing for such catastrophes is an
up-to-date, detailed, and fully tested continuity of operations
plan. To ensure that the plan is complete and fully understood by
all key staff, it should be tested, including surprise tests, and
test plans and results documented to provide a basis for
improvement. Among the aspects of continuity planning that
agencies need to address are: (1) ensuring that plans contain
adequate contact information for emergency communications; (2)
documenting the location of all vital records for the agencies
and methods of updating those records in an emergency; and (3)
conducting tests, training, or exercises frequently enough to have
assurance that the plan would work in an emergency. Losing the
capability to process, retrieve, and protect information that is
maintained electronically can significantly affect an agency's
ability to accomplish its mission.

o  Physical security. Physical security controls are important for
protecting computer facilities and resources from espionage,
sabotage, damage, and theft. These controls restrict physical
access to computer resources, usually by limiting access to the
buildings and rooms in which the resources are housed. With
inadequate physical security, there is increased risk that
unauthorized individuals could gain access to sensitive computing
resources and data and inadvertently or deliberately misuse or
destroy them.
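The segregation-of-duties failure described above (one person adding an account, elevating it, and acting through it) and the audit-trail purpose described under access controls (determining the source of a transaction) are both illustrated by the following added example, which is not code from the testimony or from any agency. It reviews a constructed audit log: it flags accounts that were created and then given an elevated role by the same actor, and it traces a transaction back to the individual who created the acting account. The log format, host name, user names, batch ids and role names are all constructed.

```python
"""Added example, not from the GAO testimony: audit-trail review that flags a
segregation-of-duties failure (same actor creates an account and grants it an
elevated role) and traces a transaction back to the account's creator. The
log format and every name in it are constructed for this example."""
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Tuple

# Constructed audit records: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2006-03-10T09:12:01Z host=hr-app actor=jsmith action=user.create target=tmp_auditor
2006-03-10T09:13:40Z host=hr-app actor=jsmith action=role.grant target=tmp_auditor role=admin
2006-03-10T09:20:05Z host=hr-app actor=tmp_auditor action=payroll.approve target=batch-4471
2006-03-10T10:02:17Z host=hr-app actor=mlee action=user.create target=rgarcia
2006-03-10T14:45:09Z host=hr-app actor=dpatel action=role.grant target=rgarcia role=admin
2006-03-11T08:30:00Z host=hr-app actor=rgarcia action=payroll.approve target=batch-4472
"""

# Roles whose grant should come from someone other than the account's creator.
ELEVATED_ROLES = {"admin", "root"}

Event = Dict[str, Any]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into dicts with a datetime 'time' key,
    sorted chronologically so later checks can rely on ordering."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event: Event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"malformed field {field!r}")
            event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def find_sod_violations(events: List[Event],
                        window: timedelta = timedelta(days=1)) -> List[Dict[str, str]]:
    """Report accounts that were created and then given an elevated role by
    the same actor within the window: one person controlled both steps."""
    creators = {e["target"]: e for e in events if e["action"] == "user.create"}
    findings: List[Dict[str, str]] = []
    for e in events:
        if e["action"] != "role.grant" or e.get("role") not in ELEVATED_ROLES:
            continue
        created = creators.get(e["target"])
        if created is None or created["actor"] != e["actor"]:
            continue  # no record of creation, or a different person elevated it
        if timedelta(0) <= e["time"] - created["time"] <= window:
            findings.append({"account": e["target"], "actor": e["actor"],
                             "role": e["role"], "host": e.get("host", "?")})
    return findings


def trace_transaction_source(events: List[Event], action: str,
                             target: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (acting account, account that created it) for a transaction,
    or None when the transaction is not in the trail. A missing creator
    (None) means the trail does not show who provisioned the actor."""
    for e in events:
        if e["action"] == action and e["target"] == target:
            actor = e["actor"]
            creator = next((c["actor"] for c in events
                            if c["action"] == "user.create" and c["target"] == actor),
                           None)
            return actor, creator
    return None


if __name__ == "__main__":
    trail = parse_log(SAMPLE_LOG)
    for f in find_sod_violations(trail):
        print(f"SoD violation on {f['host']}: {f['actor']} created "
              f"{f['account']} and granted it {f['role']}")
    print("batch-4471 approved by:", trace_transaction_source(trail, "payroll.approve", "batch-4471"))
    print("batch-4472 approved by:", trace_transaction_source(trail, "payroll.approve", "batch-4472"))
```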

In summary, through the continued emphasis of information security
by Congress, the administration, agency management, and the
accountability community, the federal government has seen
improvements in its information security. However, despite the
advances shown by increases in key performance measures, progress
remains mixed. If information security is to continue to improve,
agency management must remain committed to the implementation of
FISMA and the information security management program it mandates.
Only through the development of strong IT security management can
the agencies address the persistent, long-standing weaknesses they
face in information security controls.

Mr. Chairman, this concludes my statement. I would be happy to
answer any questions that you or members of the Committee may have
at this time. Should you have any questions about this testimony,
please contact me at (202) 512-6244. I can also be reached by
e-mail at [email protected]. Individuals making key contributions
to this testimony include Suzanne Lightman, Assistant Director,
Larry Crosland, Joanne Fiorino, and Mary Marshall.

17Devices used to secure networks include (1) firewalls that prevent
unauthorized access to the network; (2) routers that filter and forward
data; (3) switches that forward information through segments of a network;
and, (4) servers that host applications and data.

(310572)

www.gao.gov/cgi-bin/getrpt?GAO-06-527T

To view the full product, including the scope and methodology, click on
the link above.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or
[email protected].

Highlights of GAO-06-527T, a testimony to the House Committee on
Government Reform

March 16, 2006

INFORMATION SECURITY

Federal Agencies Show Mixed Progress in Implementing Statutory
Requirements

For many years, GAO has reported that ineffective information security is
a widespread problem that has potentially devastating consequences. In its
reports to Congress since 1997, GAO has identified information security as
a governmentwide high-risk issue, most recently in January 2005.

Concerned with accounts of attacks on commercial systems via the Internet
and reports of significant weaknesses in federal computer systems that
make them vulnerable to attack, Congress passed the Federal Information
Security Management Act of 2002 (FISMA), which permanently authorized and
strengthened the federal information security program, evaluation, and
reporting requirements established for federal agencies.

This testimony discusses:

o  The federal government's progress and challenges in
implementing FISMA, as reported by the Office of Management and
Budget (OMB), the agencies, and the Inspectors General (IGs).

o  Actions needed to improve FISMA reporting and address
underlying information security weaknesses.

In its fiscal year 2005 report to Congress, OMB discusses progress in
implementing key information security requirements, but at the same time
cites challenging weaknesses that remain. The report notes several
governmentwide findings, such as the varying effectiveness of agencies'
security remediation processes and the inconsistent quality of agencies'
certification and accreditation (the process of authorizing operation of a
system, including the development and implementation of risk assessments
and security controls). Nevertheless, fiscal year 2005 data reported by 24
major agencies, compared with data reported for the previous 2 fiscal
years (see fig.), show that these agencies have made steady progress in
certifying and accrediting systems, although they reported mixed progress
in meeting other key statutory information security requirements. For
example, agencies reported that only 61 percent of their systems had
tested contingency plans, thereby reducing assurance that agencies will be
able to recover from the disruption of those systems with untested plans.

Federal entities can act to improve the usefulness of the annual FISMA
reporting process and to mitigate underlying information security
weaknesses. OMB has taken several actions to improve FISMA reporting, such
as requiring agencies to provide performance information based on the
relative importance or risk of the systems, and can further enhance the
reliability and quality of reported information. Agencies also can take
actions to fully implement their FISMA-mandated programs and address the
weaknesses in their information security controls. Such actions include
completing and maintaining accurate inventories of major systems,
prioritizing information security efforts based on system risk levels, and
strengthening controls that are to prevent, limit, and detect access to
the agencies' information and information systems.

Reported Data for Selected Performance Measures for 24 Major Agencies

United States Government Accountability Office

GAO

Testimony

Before the House Committee on Government Reform

For Release on Delivery

Expected at 10:00 a.m. EST Thursday, March 16, 2006

INFORMATION SECURITY

Federal Agencies Show Mixed Progress in Implementing Statutory
Requirements

Statement of Gregory C. Wilshusen Director, Information Security Issues

GAO-06-527T

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
*** End of document. ***