Information Security: Despite Reported Progress, Federal Agencies
Need to Address Persistent Weaknesses (27-JUL-07, GAO-07-837).
For many years, GAO has reported that weaknesses in information
security are a widespread problem with potentially devastating
consequences--such as intrusions by malicious users, compromised
networks, and the theft of personally identifiable
information--and has identified information security as a
governmentwide high-risk issue. Concerned by reports of
significant vulnerabilities in federal computer systems, Congress
passed the Federal Information Security Management Act of 2002
(FISMA), which permanently authorized and strengthened the
information security program, evaluation, and reporting
requirements for federal agencies. As required by FISMA to report
periodically to Congress, in this report GAO discusses the
adequacy and effectiveness of agencies' information security
policies and practices and agencies' implementation of FISMA
requirements. To address these objectives, GAO analyzed agency,
inspectors general (IG), Office of Management and Budget (OMB),
congressional, and GAO reports on information security.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-837
ACCNO: A73544
TITLE: Information Security: Despite Reported Progress, Federal
Agencies Need to Address Persistent Weaknesses
DATE: 07/27/2007
SUBJECT: Access control
Accountability
Agency evaluation
Computer security
Data integrity
Federal agencies
Information security
Internal controls
Requirements definition
Risk assessment
Risk management
Systems integrity
Policies and procedures
Program implementation
This file contains an ASCII representation of the text of a GAO Product.
No attempt has been made to display graphic images, although figure captions are reproduced. Tables are included, but may not resemble those in the printed version.
Please see the PDF (Portable Document Format) file, when available, for a complete electronic file of the printed document's contents.
GAO-07-837
Report to Congressional Committees
United States Government Accountability Office
GAO
July 2007
INFORMATION SECURITY
Despite Reported Progress, Federal Agencies Need to Address Persistent
Weaknesses
GAO-07-837
Contents
Letter
Results in Brief
Background
Persistent Weaknesses Place Sensitive Data at Significant Risk
Agencies Report Progress, but More Work Is Needed in Implementing Requirements
Conclusions
Recommendations for Executive Action
Agency Comments
Appendix I: Objectives, Scope, and Methodology
Appendix II: Comments from the Office of Management and Budget
Appendix III: GAO Contact and Staff Acknowledgments
Related GAO Products
Figures
Figure 1: Division of FISMA Responsibilities
Figure 2: Agencies Reporting of Information Security Controls in Fiscal Year 2006 Financial Statement Audits
Figure 3: Information Security Weaknesses at 24 Major Agencies for Fiscal Year 2006
Figure 4: Control Weaknesses Identified in GAO Reports From July 2005 to June 2007
Figure 5: Reported Data for Selected Performance Metrics for 24 Major Agencies
Figure 6: Percentage of Employees Receiving Security Awareness Training As Reported by Agencies and IGs
Figure 7: OIG Assessment of C&A Process for Fiscal Year 2006
Figure 8: Incidents Reported to US-CERT in Fiscal Years 2005 and 2006
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
Abbreviations
BPD Bureau of the Public Debt
CIO chief information officer
DHS Department of Homeland Security
FAA Federal Aviation Administration
FISMA Federal Information Security Management Act
FBI Federal Bureau of Investigation
FRB Federal Reserve Bank
HHS Department of Health and Human Services
IG inspector(s) general
IRS Internal Revenue Service
IT information technology
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
TSA Transportation Security Administration
US-CERT United States Computer Emergency Readiness Team
USDA United States Department of Agriculture
VA Department of Veterans Affairs
United States Government Accountability Office
Washington, DC 20548
July 27, 2007
The Honorable Joseph I. Lieberman
Chairman
The Honorable Susan M. Collins
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate
The Honorable Henry A. Waxman
Chairman
The Honorable Tom Davis
Ranking Member
Committee on Oversight and Government Reform
House of Representatives
Federal agencies rely extensively on computerized information systems and
electronic data to carry out their missions. The security of these systems
and data is essential to prevent data tampering, disruptions in critical
operations, fraud, and the inappropriate disclosure of sensitive
information. In reports to Congress since 1997, we have designated
information security as a governmentwide high-risk issue--a designation
that remains in force today.1
Concerned with accounts of attacks on systems through the Internet and
reports of significant weaknesses in federal computer systems that make
them vulnerable to attack, Congress passed the Federal Information
Security Management Act (FISMA) in 2002.2 To address information security
weaknesses, FISMA sets forth a comprehensive framework for ensuring the
effectiveness of information security controls over information resources
that support federal operations and assets. In addition, it provides a
mechanism for improved oversight of federal agency information security
programs. This mechanism includes mandated annual reporting by the
agencies, the Office of Management and Budget (OMB), and the National
Institute of Standards and Technology (NIST). FISMA also includes a
requirement for independent annual evaluations by the agencies' inspectors
general (IG) or independent external auditors.
1GAO, High-Risk Series: Information Management and Technology,
GAO/HR-97-9 (Washington, D.C.: February 1997) and GAO, High-Risk
Series: An Update, GAO-07-310 (Washington, D.C.: January 2007).
2Federal Information Security Management Act of 2002, Title III,
E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec.
17, 2002).
In accordance with the FISMA requirement that we report periodically to
Congress, our objectives were to evaluate (1) the adequacy and
effectiveness of agencies' information security policies and practices and
(2) their implementation of FISMA requirements. To address these
objectives, we analyzed agency, IG, OMB, congressional, and our reports on
information security. We conducted our evaluation from October 2006
through May 2007 in accordance with generally accepted government auditing
standards. Our objectives, scope, and methodology are further explained
in appendix I.
Results in Brief
Significant weaknesses in information security policies and practices
threaten the confidentiality, integrity, and availability of critical
information and information systems used to support the operations,
assets, and personnel of most federal agencies. Recently reported
information security incidents at federal agencies have placed sensitive
data at risk, including the theft, loss, or improper disclosure of
personally identifiable information on millions of Americans, thereby
exposing them to loss of privacy and potential harm associated with
identity theft. Almost all of the 24 major federal agencies3 had
weaknesses in one or more areas of information security controls. Most
agencies did not implement controls to sufficiently prevent, limit, or
detect access to computer networks, systems, or information. For example,
agencies did not consistently (1) identify and authenticate users to
prevent unauthorized access; (2) enforce the principle of least privilege
to ensure that authorized access was necessary and appropriate; (3)
establish sufficient boundary protection mechanisms; (4) apply encryption
to protect sensitive data on networks and portable devices; (5) log,
audit, and monitor security-relevant events; and (6) restrict physical
access to information assets. In addition, agencies did not always
configure network devices and services to prevent unauthorized access and
ensure system integrity, such as patching key servers and workstations in
a timely manner; assign incompatible duties to different individuals or
groups so that one individual does not control all aspects of a process or
transaction; and maintain or test continuity of operations plans for key
information systems. An underlying cause for these weaknesses is that
agencies have not fully or effectively implemented agencywide information
security programs. As a result, agencies may not have assurance that
controls are in place and operating as intended to protect their
information and information systems, thereby leaving them vulnerable to
attack or compromise.
3The 24 major departments and agencies are the Departments of Agriculture,
Commerce, Defense, Education, Energy, Health and Human Services, Homeland
Security, Housing and Urban Development, the Interior, Justice, Labor,
State, Transportation, the Treasury, and Veterans Affairs; the
Environmental Protection Agency, General Services Administration, National
Aeronautics and Space Administration, National Science Foundation, Nuclear
Regulatory Commission, Office of Personnel Management, Small Business
Administration, Social Security Administration, and U.S. Agency for
International Development.
Nevertheless, federal agencies have continued to report steady progress in
implementing certain information security requirements. For fiscal year
2006, agencies generally reported performing various required control
activities for an increasing percentage of their systems and personnel.
However, agency IGs at several agencies sometimes disagreed with the
information the agency reported and identified weaknesses in the processes
used to implement these activities. Pursuant to its FISMA
responsibilities, NIST has issued federal standards and guidance on
information security. Agency IGs have performed their annual independent
evaluations of agencies' information security programs although the scope
and methodologies of their evaluations varied across the agencies.
Further, although OMB enhanced its reporting instructions to agencies for
preparing their FISMA reports, the metrics specified in the instructions
do not measure how effectively agencies are performing key activities, and
there are no requirements to report on patch management--another key
activity. As a result, reporting may not adequately reflect the status of
agency implementation of required information security policies and
procedures.
In prior reports, we have made hundreds of recommendations to agencies to
address specific information security weaknesses. We are making
recommendations to the Director of OMB to update its reporting
instructions and to request that IGs evaluate certain FISMA implementation
efforts. In commenting on a draft of this report, OMB agreed to take our
recommendations under advisement when modifying its FISMA reporting
instructions. OMB also noted that its current instructions provide the
flexibility for IGs to tailor evaluations based on an agency's documented
weaknesses and plans for improvement.
Background
Federal agencies increasingly rely on computerized information systems and
electronic data to conduct operations and carry out their missions.
Protecting federal computer systems has never been more important due to
advances in the sophistication and effectiveness of attack technology and
methods, the rapid growth of zero-day exploits4 and attacks, and the
increasing number of security incidents occurring at organizations and
federal agencies.
Information security is especially important for federal agencies, which
increasingly use information systems to deliver services to the public and
to ensure the confidentiality, integrity, and availability of information
and information systems. Without proper safeguards, there is risk of data
theft, compromise, or loss by individuals and groups due to negligence or
malicious intent within or outside of the organization.
To fully understand the potential significance of information security
weaknesses, it is necessary to link them to the risks they present to
federal operations and assets. Virtually all federal operations are
supported by automated systems and electronic data, and agencies would
find it difficult, if not impossible, to carry out their missions and
account for their resources without these information assets. The
weaknesses place a broad array of federal operations and assets at risk.
For example,
o Resources, such as federal payments and collections, could be
lost or stolen.
o Computer resources could be used for unauthorized purposes or to
launch attacks on other computer systems.
o Sensitive information, such as taxpayer data, social security
records, medical records, and proprietary business information
could be inappropriately disclosed, browsed, or copied for
purposes of industrial espionage or other types of crime.
o Critical operations, such as those supporting national defense
and emergency services, could be disrupted.
o Data could be modified or destroyed for purposes of fraud,
identity theft, or disruption.
o Agency missions could be undermined by embarrassing incidents
that result in diminished confidence in the ability of federal
organizations to conduct operations and fulfill their
responsibilities.
Recognizing the importance of securing federal systems and data,
Congress passed FISMA in 2002, which set forth a comprehensive
framework for ensuring the effectiveness of information security
controls over information resources that support federal
operations and assets. FISMA's framework creates a cycle of risk
management activities necessary for an effective security program,
and these activities are similar to the principles noted in our
study of the risk management activities of leading private sector
organizations5--assessing risk, establishing a central management
focal point, implementing appropriate policies and procedures,
promoting awareness, and monitoring and evaluating policy and
control effectiveness. In order to ensure the implementation of
this framework, the act assigns specific responsibilities to
agency heads, chief information officers (CIO), IGs, and NIST
(depicted in fig. 1). It also assigns responsibilities to OMB,
which include developing and overseeing the implementation of
policies, principles, standards, and guidelines on information
security and reviewing agency information security programs, at
least annually, and approving or disapproving them.
4A zero-day exploit takes advantage of a security vulnerability on the
same day that the vulnerability becomes known to the general public.
5GAO, Executive Guide: Information Security Management: Learning From
Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998).
Figure 1: Division of FISMA Responsibilities
Agency Responsibilities
FISMA requires each agency, including agencies with national security
systems, to develop, document, and implement an agencywide information
security program to provide security for the information and information
systems that support the operations and assets of the agency, including
those provided or managed by another agency, contractor, or other source.
Specifically, it requires information security programs that, among other
things, include
o periodic assessments of the risk and magnitude of harm that
could result from the unauthorized access, use, disclosure,
disruption, modification, or destruction of information or
information systems;
o risk-based policies and procedures that cost effectively reduce
information security risks to an acceptable level and ensure that
information security is addressed throughout the life cycle of
each information system;
o subordinate plans, for providing adequate information security
for networks, facilities, and systems or groups of information
systems, as appropriate;
o security awareness training for agency personnel, including
contractors and other users of information systems that support
the operations and assets of the agency;
o periodic testing and evaluation of the effectiveness of
information security policies, procedures, and practices,
performed with a frequency depending on risk, but no less than
annually, and that includes testing of management, operational,
and technical controls for every system identified in the agency's
required inventory of major information systems;
o a process for planning, implementing, evaluating, and
documenting remedial action to address any deficiencies in the
information security policies, procedures, and practices of the
agency;
o procedures for detecting, reporting, and responding to security
incidents; and
o plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
In addition, agencies must produce an annually updated inventory
of major information systems (including major national security
systems) operated by the agency or under its control, which
includes an identification of the interfaces between each system
and all other systems or networks, including those not operated by
or under the control of the agency.
FISMA also requires each agency to report annually to OMB,
selected congressional committees, and the Comptroller General on
the adequacy of its information security policies, procedures,
practices, and compliance with requirements. In addition, agency
heads are required to report annually the results of their
independent evaluations to OMB, except to the extent that an
evaluation pertains to a national security system; then only a
summary and assessment of that portion of the evaluation needs to
be reported to OMB.
Responsibilities of the IG
Under FISMA, the IG for each agency must perform an independent
annual evaluation of the agency's information security program and
practices. The evaluation should include testing of the
effectiveness of information security policies, procedures, and
practices of a representative subset of agency systems. In
addition, the evaluation must include an assessment of the
compliance with the act and any related information security
policies, procedures, standards, and guidelines. For agencies
without an IG, evaluations of nonnational security systems must be
performed by an independent external auditor. Evaluations related
to national security systems are to be performed by an entity
designated by the agency head.
Responsibilities of NIST
Under FISMA, NIST is tasked with developing, for systems other
than national security systems, standards and guidelines that must
include, at a minimum, (1) standards to be used by all agencies to
categorize all their information and information systems based on
the objectives of providing appropriate levels of information
security, according to a range of risk levels; (2) guidelines
recommending the types of information and information systems to
be included in each category; and (3) minimum information security
requirements for information and information systems in each
category. NIST must also develop a definition of and guidelines
for detection and handling of information security incidents as
well as guidelines, developed in conjunction with the Department
of Defense and the National Security Agency, for identifying an
information system as a national security system.
The law also assigns other information security functions to NIST,
including
o providing technical assistance to agencies on such elements as
compliance with the standards and guidelines and the detection and
handling of information security incidents;
o evaluating private-sector information security policies and
practices and commercially available information technologies to
assess potential application by agencies;
o evaluating security policies and practices developed for
national security systems to assess their potential application by
agencies; and
o conducting research, as needed, to determine the nature and
extent of information security vulnerabilities and techniques for
providing cost-effective information security.
NIST is also required to prepare an annual public report on
activities undertaken in the previous year and planned for the
coming year.
Responsibilities of OMB
FISMA states that the Director of OMB shall oversee agency
information security policies and practices, including
o developing and overseeing the implementation of policies,
principles, standards, and guidelines on information security;
o requiring agencies to identify and provide information security
protections commensurate with risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of information collected
or maintained by or on behalf of an agency, or information systems
used or operated by an agency, or by a contractor of an agency, or
other organization on behalf of an agency;
o coordinating information security policies and procedures with
related information resource management policies and procedures;
o overseeing agency compliance with FISMA to enforce
accountability; and
o reviewing at least annually, and approving or disapproving,
agency information security programs.
In addition, the act requires that OMB report to Congress no later
than March 1 of each year on agency compliance with FISMA.
Persistent Weaknesses Place Sensitive Data at Significant Risk
Significant control weaknesses in information security policies
and practices threaten the confidentiality, integrity, and
availability of critical information and information systems used
to support the operations, assets, and personnel of most federal
agencies. These persistent weaknesses expose sensitive data to
significant risk, as illustrated by recent reported incidents at
various agencies. Further, our work and reviews by IGs note
significant information security control deficiencies that place a
broad array of federal operations and assets at risk.
Incidents Place Sensitive Information at Risk
Since January 2006, federal agencies have reported a spate of
security incidents that have put sensitive data at risk, including
the theft, loss, or improper disclosure of personally identifiable
information on millions of Americans, thereby exposing them to
loss of privacy and potential harm associated with identity theft.
Agencies have experienced a wide range of incidents involving data
loss or theft, computer intrusions, and privacy breaches,
underscoring the need for improved security practices. The
following reported examples illustrate that a broad array of
federal information and assets are at risk.
o The Department of Veterans Affairs (VA) announced that computer
equipment containing personally identifiable information on
approximately 26.5 million veterans and active duty members of the
military was stolen from the home of a VA employee. Until the
equipment was recovered, veterans did not know whether their
information was likely to be misused. In June, VA sent notices to
the affected individuals that explained the breach and offered
advice on steps to take to reduce the risk of identity theft. The
equipment was eventually recovered, and forensic analysts
concluded that it was unlikely that the personal information
contained therein was compromised.
o A Centers for Medicare and Medicaid Services contractor reported
the theft of a contractor employee's laptop computer from his
office. The computer contained personal information including
names, telephone numbers, medical record numbers, and dates of
birth of 49,572 Medicare beneficiaries.
o The Department of Agriculture (USDA) was notified that it had
posted personal information on a Web site. Analysis by USDA later
determined that the posting had affected approximately 38,700
individuals, who had been awarded funds through the Farm Service
Agency or USDA Rural Development program. That same day, all
identification numbers associated with USDA funding were removed
from the Web site. USDA is continuing its effort to identify and
contact all persons who may have been affected.
o A contractor for USDA's Farm Services Agency inadvertently
released informational compact discs that contained Social
Security numbers and tax identification data on approximately
350,000 tobacco producers/contract holders under the agency's
Tobacco Transition Payment Program.
o The Transportation Security Administration (TSA) announced a
data security incident involving approximately 100,000 archived
employment records of individuals employed by the agency from
January 2002 until August 2005. An external hard drive containing
personnel data, such as Social Security number, date of birth,
payroll information, and bank account and routing information, was
discovered missing from a controlled area at the TSA Headquarters
Office of Human Capital.
o The Census Bureau reported 672 missing laptops, of which 246
contained some degree of personal data. Of the missing laptops
containing personal information, almost half (104) were stolen,
often from employees' vehicles, and another 113 were not returned
by former employees. Commerce reported that employees were not
held accountable for not returning their laptops, but the
department did not report on the disposition of the remaining 29.
o Officials at the Department of Commerce's Bureau of Industry and
Security discovered a security breach in July 2006. In
investigating this incident, officials were able to review
firewall logs for an 8-month period prior to the initial detection
of the incident, but they were unable to clearly define the amount
of time that perpetrators were inside the department's computers,
or find any evidence to show that data was lost as a result.
o The Department of Defense (Navy) Marine Corps reported the loss
of a thumb drive containing personally identifiable
information--names, Social Security numbers, and other
information--of 207,570 enlisted Marines serving on active duty
from 2001 through 2005. The information was being used for a
research project on retention of service personnel. Navy officials
considered the risk from the breach to be greatly diminished since
the thumb drive was lost on a government installation and the
drive's data were readable only through software that was password
protected and considered in limited distribution.
o The Treasury Inspector General for Tax Administration reported
that approximately 490 computers at the Internal Revenue Service
(IRS) were lost or stolen between January 2003 and June 2006.
Additionally, 111 incidents occurred within IRS facilities,
suggesting that employees were not storing their laptop computers
in a secured area while they were away from the office. The IG
concluded that it was very likely that a large number of the lost
or stolen computers contained unencrypted data and also found
other computer devices, such as flash drives, CDs, and DVDs, on
which sensitive data were not always encrypted.
o The Department of State experienced a security breach on its
unclassified network, which daily processes about 750,000 e-mails
and instant messages from more than 40,000 employees and
contractors at 100 domestic and 260 overseas locations. The breach
involved an e-mail containing what was thought to be an innocuous
attachment. However, the e-mail contained code to exploit
vulnerabilities in a well-known application for which no security
patch existed at that time. Because the vendor was unable to
expedite testing and deploy a new patch, the department developed
its own temporary fix to protect systems from being exploited
further. In addition, the department sanitized the infected
computers and servers, rebuilt them, changed passwords, installed
critical patches, and updated their antivirus software.
Based on the experience of VA and other federal agencies in
responding to data breaches, we identified numerous lessons
learned regarding how and when to notify government officials,
affected individuals, and the public.6 As discussed later in this
report, OMB has issued guidance that largely addresses these
lessons.
Weaknesses Persist at Federal Agencies in Implementing Security
Policies and Practices
As illustrated by recent security incidents, significant
weaknesses continue to threaten the confidentiality, integrity,
and availability of critical information and information systems
used to support the operations, assets, and personnel of federal
agencies. In their fiscal year 2006 financial statement audit
reports, 21 of 24 major agencies indicated that deficient
information security controls were either a reportable
condition7 or a material weakness (see fig. 2).8 Our audits
continue to identify similar weaknesses in nonfinancial systems.
Similarly, in their annual reporting under 31 U.S.C. § 3512
(commonly referred to as the Federal Managers' Financial Integrity
Act of 1982),9 17 of 24 agencies reported shortcomings in
information security, including 7 that considered it a material
weakness. IGs have also noted the seriousness of information
security, with 21 of 24 including it as a "major management
challenge."10
6 GAO, Privacy: Lessons Learned About Data Breach Notification,
GAO-07-657 (Washington, D.C.: Apr. 30, 2007).
7 Reportable conditions are significant deficiencies in the design or
operation of internal controls that could adversely affect the entity's
ability to record, process, summarize, and report financial data
consistent with the assertions of management in the financial statements.
8 A material weakness is a reportable condition that precludes the entity's
internal controls from providing reasonable assurance that misstatements,
losses, or noncompliance material in relation to the financial statements
or to stewardship information would be prevented or detected on a timely
basis.
9 FMFIA, 31 U.S.C. § 3512, requires agencies to report annually, to the
President and Congress, on the effectiveness of internal controls and any
identified material weaknesses in those controls. Per OMB, for the
purposes of FMFIA reporting, a material weakness also encompasses
weaknesses found in program operations and compliance with applicable laws
and regulations. Material weaknesses for FMFIA reporting are determined by
management, whereas material weaknesses reported as part of a financial
statement audit are determined by independent auditors.
10 The Reports Consolidation Act of 2000 (31 U.S.C. § 3516(d)) requires
Inspectors General to include in their agencies' performance and
accountability report, a statement that summarizes what they consider to
be the most serious management and performance challenges facing their
agency and briefly assesses their agencies' progress in addressing those
challenges.
Figure 2: Agencies Reporting of Information Security Controls in
Fiscal Year 2006 Financial Statement Audits
According to our reports and those of IGs, persistent weaknesses
appear in the five major categories of information system
controls: (1) access controls, which ensure that only authorized
individuals can read, alter, or delete data; (2) configuration
management controls, which provide assurance that only authorized
software programs are implemented; (3) segregation of duties,
which reduces the risk that one individual can independently
perform inappropriate actions without detection; (4) continuity of
operations planning, which provides for the prevention of
significant disruptions of computer-dependent operations; and (5)
an agencywide information security program, which provides the
framework for ensuring that risks are understood and that
effective controls are selected and properly implemented. Most
agencies continue to have weaknesses in each of these categories,
as shown in figure 3.
Figure 3: Information Security Weaknesses at 24 Major Agencies for
Fiscal Year 2006
In our prior reports,11 we have made hundreds of specific
recommendations to the agencies to mitigate the weaknesses
identified. Similarly, the IGs have issued specific
recommendations as part of their information security review work.
Access Controls Were Not Adequate
A basic management control objective for any organization is to
protect data supporting its critical operations from unauthorized
access, which could lead to improper modification, disclosure, or
deletion of the data. Organizations accomplish this task by
designing and implementing controls that are intended to prevent,
limit, and detect access to computing resources (computers,
networks, programs, and data), thereby protecting these resources
from unauthorized use, modification, loss, and disclosure. Access
controls can be both electronic and physical. Electronic access
controls include those related to user identification and
authentication, authorization, boundary protection, cryptography,
and audit and monitoring. Physical security controls are important
for protecting computer facilities and resources from espionage,
sabotage, damage, and theft. These controls involve restricting
physical access to computer resources, usually by limiting access
to the buildings and rooms in which they are housed and enforcing
usage restrictions and implementation guidance for portable and
mobile devices.
11 See the Related GAO Products section for a list of our recent reports on
information security.
Twenty-two major agencies had access control weaknesses. Analysis
of our recent reports has identified that the majority of
information security control weaknesses pertained to access
controls (see fig. 4). For example, agencies did not consistently
(1) identify and authenticate users to prevent unauthorized
access; (2) enforce the principle of least privilege to ensure
that authorized access was necessary and appropriate; (3)
establish sufficient boundary protection mechanisms; (4) apply
encryption to protect sensitive data on networks and portable
devices; and (5) log, audit, and monitor security-relevant events.
Agencies also lacked effective controls to restrict physical
access to information assets.
Figure 4: Control Weaknesses Identified in GAO Reports From July
2005 to June 2007
User Identification and Authentication
A computer system must be able to identify and authenticate
different users so that activities on the system can be linked to
specific individuals. When an organization assigns unique user
accounts to specific users, the system is able to distinguish one
user from another--a process called identification. The system
also must establish the validity of a user's claimed identity by
requesting some kind of information, such as a password, that is
known only by the user--a process known as authentication.
Several agencies have not adequately controlled user accounts and
passwords to ensure that only authorized individuals are granted
access to their systems and data. For example, several agencies did
not always implement strong passwords--using vendor-default or
easy-to-guess passwords, or having the minimum password length set
to zero. One agency's staff shared logon accounts and passwords
when accessing a database production server for the procurement
system. By allowing users to share accounts and passwords,
individual accountability for authorized as well as unauthorized
system activity could be lost. With no minimum password length
enforced, users could create short passwords, which tend to be
easier to guess or crack than longer passwords. Without appropriate
controls over identification and authentication, agencies are at
increased risk of unauthorized access.
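The three identification and authentication failures named above (a minimum password length of zero, vendor-default or easy-to-guess passwords, and shared logon accounts) can be checked mechanically. The following Python block is an added example written for this page, not code from the report or from any agency; the policy schema, the weak-password list, the baseline length of 8 and the account records are all constructed for illustration.

```python
"""Audit a password policy and an account inventory for the identification
and authentication weaknesses discussed above.  All inputs are constructed
samples; the policy keys and the baseline of 8 characters are assumptions."""
from dataclasses import dataclass, field

REQUIRED_MIN_LENGTH = 8          # assumed audit baseline, not a GAO figure
# Constructed list of vendor-default / trivially guessable values to reject.
WEAK_PASSWORDS = {"", "password", "changeme", "admin", "welcome1", "default"}


@dataclass
class Account:
    name: str
    password: str                                 # constructed sample; a real audit compares hashes
    holders: list = field(default_factory=list)   # people who know this logon


def audit_policy(policy):
    """Return findings for a password-policy dict (constructed schema).

    A min_length of 0 means the system accepts empty passwords."""
    findings = []
    min_len = policy.get("min_length", 0)
    if min_len < REQUIRED_MIN_LENGTH:
        findings.append(f"min_length is {min_len}; baseline requires {REQUIRED_MIN_LENGTH}")
    if not policy.get("reject_default_passwords", False):
        findings.append("vendor-default passwords are not rejected when set")
    if not policy.get("lockout_threshold"):
        findings.append("no lockout threshold; guessing attempts are unlimited")
    return findings


def audit_accounts(accounts):
    """Return (account, finding) pairs for weak or shared logons."""
    findings = []
    for acct in accounts:
        if acct.password.lower() in WEAK_PASSWORDS:
            findings.append((acct.name, "vendor-default or easy-to-guess password"))
        elif len(acct.password) < REQUIRED_MIN_LENGTH:
            findings.append((acct.name, f"password shorter than {REQUIRED_MIN_LENGTH} characters"))
        if len(acct.holders) > 1:
            # A shared logon breaks the link between an action and one individual.
            findings.append((acct.name, f"shared by {len(acct.holders)} people; accountability lost"))
    return findings


# Constructed sample inputs mirroring the weaknesses described in the text.
SAMPLE_POLICY = {"min_length": 0, "reject_default_passwords": False, "lockout_threshold": 0}
SAMPLE_ACCOUNTS = [
    Account("procdb_admin", "admin", holders=["a.lee", "b.ortiz", "c.nguyen"]),
    Account("jdoe", "Vz7!qm2#Lp9r"),
    Account("svc_backup", "bkup1"),
]

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print("policy:", f)
    for name, f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {f}")
```

The policy check and the account check are deliberately separate: a policy that permits zero-length passwords is a finding even before any account is examined, and a shared account is a finding even when its password is strong.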
Authorization
Authorization is the process of granting or denying access rights
and permissions to a protected resource, such as a network, a
system, an application, a function, or a file. A key component of
granting or denying access rights is the concept of "least
privilege." Least privilege is a basic principle for securing
computer resources and information. This principle means that
users are granted only those access rights and permissions that
they need to perform their official duties. To restrict legitimate
users' access to only those programs and files that they need to
do their work, organizations establish access rights and
permissions. "User rights" are allowable actions that can be
assigned to users or to groups of users. File and directory
permissions are rules that regulate which users can access a
particular file or directory and the extent of that access. To
avoid unintentionally authorizing users access to sensitive files
and directories, an organization must give careful consideration
to its assignment of rights and permissions.
Several agencies continued to imprudently grant rights and
permissions that allowed more access than users needed to perform
their jobs. For example, one agency had granted users of a
database system the access rights to create or change sensitive
system files--even though they did not have a legitimate business
need for this access. Further, the permissions for sensitive
system files also inappropriately allowed all users to read,
update, or execute them. These types of excessive privileges
provide opportunities for individuals to circumvent security
controls. In another instance, each user on one organization's
network was permitted to have access to sensitive Privacy
Act-protected information including names, addresses, and Social
Security numbers of individuals. Once a Social Security number is
obtained fraudulently, it can then be used to create a false
identity for financial misuse, assume another individual's
identity, or to fraudulently obtain credit. As a result, there is
increased risk that sensitive data and personally identifiable
information may be compromised.
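The two least-privilege failures described above, rights granted beyond what a job requires and sensitive files that every user can read, update, or execute, are the kind of thing a periodic access review should catch automatically. The following Python block is an added example written for this page, not code from the report or any agency; the role requirements, user grants, file paths and mode bits are constructed samples, and the live check is shown only to illustrate applying the same test to a real host.

```python
"""Compare granted rights with what a role needs, and flag sensitive files
whose permission bits give the 'other' (all users) class any access.
Role needs, grants and the file inventory are constructed samples."""
import os
import stat

# Constructed: rights each role legitimately needs.
ROLE_NEEDS = {
    "procurement_clerk": {"read_orders", "create_orders"},
    "dba": {"read_orders", "create_orders", "modify_schema", "edit_system_files"},
}
# Constructed: (role, rights actually granted) per user.
GRANTS = {
    "a.lee":   ("procurement_clerk", {"read_orders", "create_orders", "edit_system_files"}),
    "b.ortiz": ("procurement_clerk", {"read_orders", "create_orders"}),
    "d.kim":   ("dba", {"read_orders", "create_orders", "modify_schema", "edit_system_files"}),
}
# Constructed: (path, st_mode) for sensitive files, as os.stat would report them.
SENSITIVE_FILES = [
    ("/opt/procurement/db/master.key", 0o100666),   # hypothetical path
    ("/opt/procurement/bin/reconcile", 0o100777),   # hypothetical path
    ("/opt/procurement/db/master.cnf", 0o100640),   # hypothetical path
]


def excess_rights(grants, role_needs):
    """Map user -> rights granted beyond what the user's role needs."""
    excess = {}
    for user, (role, rights) in grants.items():
        extra = rights - role_needs.get(role, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


def world_access(mode):
    """Describe any access the 'other' class has to a file with these mode bits."""
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IXOTH:
        issues.append("world-executable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        issues.append("setuid/setgid")
    return issues


def audit_modes(files):
    """Map path -> issues for every inventoried file the 'other' class can touch."""
    return {path: world_access(mode) for path, mode in files if world_access(mode)}


def audit_live(paths):
    """Run the same check against the current host; a missing file is reported, not skipped."""
    results = {}
    for p in paths:
        try:
            results[p] = world_access(os.stat(p).st_mode)
        except FileNotFoundError:
            results[p] = ["missing"]
    return results


if __name__ == "__main__":
    print("excess rights:", excess_rights(GRANTS, ROLE_NEEDS))
    print("world-accessible files:", audit_modes(SENSITIVE_FILES))
```

Note that the rights comparison is keyed on the role, not the individual: a DBA holding edit_system_files is not a finding, a procurement clerk holding it is. That is the distinction the text draws between access that is "necessary and appropriate" and access that merely exists.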
Boundary Protection
Boundary protection pertains to the protection of a logical or
physical boundary around a set of information resources and
implementing measures to prevent unauthorized information exchange
across the boundary in either direction. Organizations physically
allocate publicly accessible information system components to
separate subnetworks with separate physical network interfaces,
and they prevent public access into their internal networks.
Unnecessary connectivity to an organization's network increases
not only the number of access paths that must be managed and the
complexity of the task, but the risk of unauthorized access in a
shared environment.
Several agencies continue to demonstrate vulnerabilities in
establishing required boundary protection mechanisms. For example,
one agency did not configure a remote access application properly,
which permitted simultaneous access to the Internet and the
internal network. This could allow an attacker who compromised a
remote user's computer to remotely control the user's secure
session from the Internet. Another agency failed to ensure that
its contractor adequately implemented controls used to protect its
external and key internal boundaries. Specifically, certain
network devices did not adequately restrict external communication
traffic. As a result, an unauthorized individual could exploit
these vulnerabilities to launch attacks against other sensitive
network devices.
Cryptography
Cryptography12 underlies many of the mechanisms used to enforce
the confidentiality and integrity of critical and sensitive
information. A basic element of cryptography is encryption.
Encryption can be used to provide basic data confidentiality and
integrity, by transforming plain text into cipher text using a
special value known as a key and a mathematical process known as
an algorithm. The National Security Agency also recommends
disabling protocols that do not encrypt information transmitted
across the network, such as user identification and password
combinations.
Many agencies did not encrypt certain information traversing its
networks, but instead used clear text protocols that make network
traffic susceptible to eavesdropping. For example, at one agency's
field site, all information, including user identification and
password information, was being sent across the network in clear
text. At another agency, the contractor did not consistently apply
encryption to protect network configuration data stored on network
devices. These weaknesses could allow an attacker, or malicious
user, to view information and use that knowledge to obtain
sensitive financial and system data being transmitted over the
network.
Audit and Monitoring
To establish individual accountability, monitor compliance with
security policies, and investigate security violations, it is
crucial to determine what, when, and by whom specific actions have
been taken on a system. Organizations accomplish this by
implementing system or security software that provides an audit
trail, or logs of system activity, that they can use to determine
the source of a transaction or attempted transaction and to
monitor users' activities. The way in which organizations
configure system or security software determines the nature and
extent of information that can be provided by the audit trail. To
be effective, organizations should configure their software to
collect and maintain audit trails that are sufficient to track
security-relevant events.
12 Cryptography is used to secure transactions by providing ways to ensure
data confidentiality, data integrity, authentication of the message's
originator, electronic certification of data, and nonrepudiation (proof of
the integrity and origin of data that can be verified by a third party).
Agencies did not sufficiently log and monitor key security- and
audit-related events. For instance, agencies did not prepare key
security reports such as failed login attempt reports. In other
cases, logging either was disabled or configured to overwrite, or
procedures for classifying and investigating security-related
events had not been documented. As a result, unauthorized access
could go undetected, and the ability to trace or recreate events
in the event of a system modification or disruption could be
diminished.
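The "failed login attempt report" named above as a report agencies were not preparing is straightforward to derive from an audit trail, provided logging is enabled and not being overwritten. The following Python block is an added example written for this page, not code from the report or any agency: it parses constructed sshd-style authentication log lines, counts failures per source and user, flags sources that exceed a failure threshold, and flags a successful logon from a source that had just been failing. The log lines, host names, addresses, the assumed year (syslog lines carry none) and the threshold of 3 are all constructed.

```python
"""Build a failed-login report from sshd-style auth log lines.
Sample lines and the year are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)")

# Constructed sample log; the last line is a non-auth event the parser must ignore.
SAMPLE_LOG = """\
Mar  3 08:01:12 app01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 08:01:15 app01 sshd[2203]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar  3 08:01:19 app01 sshd[2205]: Failed password for jdoe from 198.51.100.23 port 51026 ssh2
Mar  3 08:01:22 app01 sshd[2207]: Failed password for jdoe from 198.51.100.23 port 51028 ssh2
Mar  3 08:01:40 app01 sshd[2209]: Accepted password for jdoe from 198.51.100.23 port 51030 ssh2
Mar  3 08:05:02 app01 sshd[2300]: Failed password for b.ortiz from 10.0.0.5 port 40001 ssh2
Mar  3 08:05:30 app01 sshd[2302]: Accepted password for b.ortiz from 10.0.0.5 port 40003 ssh2
Mar  3 08:06:00 app01 CRON[2310]: pam_unix(cron:session): session opened for user root
"""


def parse(line, year=2007):
    """Return an event dict for an sshd password-auth line, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def failed_login_report(text, threshold=3):
    """Aggregate failures and flag the two patterns a reviewer should look at first."""
    events = [e for e in map(parse, text.splitlines()) if e]
    failures = Counter()                 # (src, user) -> failed attempts
    recent_failures = defaultdict(int)   # src -> failures since that source's last success
    flagged_sources = set()
    success_after_failures = []          # (user, src, preceding failure count)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if recent_failures[e["src"]]:
                success_after_failures.append((e["user"], e["src"], recent_failures[e["src"]]))
            recent_failures[e["src"]] = 0
        else:
            failures[(e["src"], e["user"])] += 1
            recent_failures[e["src"]] += 1
            if recent_failures[e["src"]] >= threshold:
                flagged_sources.add(e["src"])
    return {"failures": dict(failures),
            "flagged_sources": sorted(flagged_sources),
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    report = failed_login_report(SAMPLE_LOG)
    for (src, user), n in sorted(report["failures"].items()):
        print(f"{src:16} {user:10} {n} failed")
    print("flagged sources:", report["flagged_sources"])
    print("success after failures:", report["success_after_failures"])
```

A single failure followed by a success (b.ortiz in the sample) is ordinary; four failures across three user names from one address followed by a success is the sequence that deserves investigation, and it is only visible if the log was retained long enough to contain all five lines, which is exactly what the "configured to overwrite" finding above would destroy.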
Physical Security
Physical security controls are important for protecting computer
facilities and resources from espionage, sabotage, damage, and
theft. These controls restrict physical access to computer
resources, usually by limiting access to the buildings and rooms
in which the resources are housed and by periodically reviewing
the access granted, in order to ensure that access continues to be
appropriate. Examples of physical security controls include
perimeter fencing, surveillance cameras, security guards, and
locks.
Several agencies also lacked effective physical security controls.
Consequently, critical information held by the federal government,
such as Social Security numbers or other personal data, can be at
acute risk of unnecessary or unauthorized access by individuals
intent on perpetrating identity theft and committing financial
crimes. For example, one agency granted over 400 individuals
unrestricted access to an entire data center--including a
sensitive area within the data center--although their job
functions did not require them to have such access. In another
case, one agency did not adequately protect the entrances to its
facilities, as visitor screening procedures were inconsistently
implemented and available tools were not being used properly or to
their fullest capability. Many of the data losses that occurred at
federal agencies over the past few years, discussed earlier in
this report, were a result of physical thefts or improper
safeguarding of systems, including laptops and other portable
devices.
Configuration Management Controls Were Not Implemented
Configuration management controls ensure that only authorized and
fully tested software is placed in operation. These controls,
which also limit and monitor access to powerful programs and
sensitive files associated with computer operations, are important
in providing reasonable assurance that access controls are not
compromised and that the system will not be impaired. These
policies, procedures, and techniques help ensure that all programs
and program modifications are properly authorized, tested, and
approved. Further, patch management is an important element in
mitigating the risks associated with software vulnerabilities.
Up-to-date patch installation could help mitigate vulnerabilities
associated with flaws in software code that could be exploited to
cause significant damage--including the loss of control of entire
systems--thereby enabling malicious individuals to read, modify,
or delete sensitive information or disrupt operations.
At least 20 major agencies demonstrated weaknesses in
configuration management controls. For example, many agencies did
not consistently configure network devices and services to prevent
unauthorized access and ensure system integrity, such as
installing critical software patches in a timely manner. As a
result, systems and devices were not updated and were left
susceptible to denial-of-service attacks or to malicious users
exploiting software vulnerabilities. In light of the recent surge
in zero-day exploits, it is imperative for agencies to be prepared
for the challenge of testing and deploying patches under a very
compressed time frame. Additionally, certain agencies did not
implement effective controls to ensure that system software
changes were properly authorized, documented, tested, and
monitored. Instances also existed where agencies did not maintain
current documentation of major modifications to systems or
significant changes in processing. Inadequate configuration
management controls increase the risk that unauthorized programs
or changes could be inadvertently or deliberately placed into
operation.
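Whether patches are being installed "in a timely manner" is a question that can be answered from an inventory rather than by sampling hosts. The following Python block is an added example written for this page, not code from the report or any agency: it compares each host's installed patches against a vendor patch list and reports those past a severity-based installation deadline. The patch identifiers, release dates, host inventory and the deadlines (7, 30 and 90 days) are constructed samples, not figures from the report.

```python
"""Measure patch timeliness across a constructed host inventory."""
from datetime import date

# Constructed: days allowed between vendor release and installation, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "moderate": 90}

# Constructed vendor patch list: id -> (severity, release date).  Ids are placeholders.
PATCHES = {
    "VP-2007-001": ("critical", date(2007, 3, 1)),
    "VP-2007-002": ("high", date(2007, 4, 10)),
    "VP-2007-003": ("moderate", date(2007, 5, 20)),
}

# Constructed host inventory: host -> set of installed patch ids.
HOSTS = {
    "web01": {"VP-2007-001", "VP-2007-002", "VP-2007-003"},
    "db01": {"VP-2007-002"},
    "fw-edge": set(),
}


def overdue_patches(hosts, patches, sla_days, today):
    """Map host -> [(patch id, severity, days past deadline)], worst first."""
    report = {}
    for host, installed in hosts.items():
        late = []
        for pid, (sev, released) in patches.items():
            if pid in installed:
                continue
            days_over = (today - released).days - sla_days[sev]
            if days_over > 0:
                late.append((pid, sev, days_over))
        if late:
            report[host] = sorted(late, key=lambda t: -t[2])
    return report


def compliance_rate(hosts, patches, sla_days, today):
    """Fraction of hosts with no patch past its deadline."""
    late = overdue_patches(hosts, patches, sla_days, today)
    return 1 - len(late) / len(hosts)


if __name__ == "__main__":
    as_of = date(2007, 6, 1)  # constructed reporting date
    for host, items in overdue_patches(HOSTS, PATCHES, SLA_DAYS, as_of).items():
        for pid, sev, over in items:
            print(f"{host:8} {pid} ({sev}) {over} days past deadline")
    print(f"compliant hosts: {compliance_rate(HOSTS, PATCHES, SLA_DAYS, as_of):.0%}")
```

A moderate patch released twelve days ago is not yet a finding under these deadlines, while a critical patch three months old is; reporting days past the deadline rather than raw age keeps the report aligned with the risk the text describes rather than with the calendar.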
Segregation of Duties Was Not Appropriately Enforced
Segregation of duties refers to the policies, procedures, and
organizational structure that helps ensure that one individual
cannot independently control all key aspects of a process or
computer-related operation and, thereby, conduct unauthorized
actions or gain unauthorized access to assets or records. Proper
segregation of duties is achieved by dividing responsibilities
among two or more individuals or organizational groups. Dividing
duties among individuals or groups diminishes the likelihood that
errors and wrongful acts will go undetected because the activities
of one individual or group will serve as a check on the activities
of the other.
At least 13 agencies did not appropriately segregate information
technology duties. These agencies generally did not assign
employee duties and responsibilities in a manner that segregated
incompatible functions among individuals or groups of individuals.
For instance, at one agency, users were allowed to both initiate
and authorize the same transaction. At another agency, financial
management staff members were permitted to perform both security
and systems administration duties for the application, potentially
allowing these staff members to conduct fraudulent activity
without being detected. Without adequate segregation of duties,
there is an increased risk that erroneous or fraudulent actions
can occur, improper program changes implemented, and computer
resources damaged or destroyed.
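The two segregation-of-duties failures described above, a user initiating and authorizing the same transaction and one person holding both security and systems administration duties, can be expressed as a detective check over existing assignments and a preventive check at approval time. The following Python block is an added example written for this page, not code from the report or any agency; the incompatible role pairs, user assignments and transactions are constructed samples.

```python
"""Detect and prevent segregation-of-duties conflicts.
Role pairs, assignments and transactions are constructed samples."""

# Constructed: role pairs that must not be held by one person.
INCOMPATIBLE_ROLES = {
    frozenset({"security_admin", "system_admin"}),
    frozenset({"developer", "production_deployer"}),
}


def role_conflicts(assignments):
    """Detective control: (user, (role_a, role_b)) for each incompatible pair a user holds."""
    conflicts = []
    for user, roles in assignments.items():
        for pair in INCOMPATIBLE_ROLES:
            if pair <= roles:
                conflicts.append((user, tuple(sorted(pair))))
    return sorted(conflicts)


def self_approved(transactions):
    """Detective control: ids of transactions approved by the person who initiated them."""
    return [t["id"] for t in transactions if t.get("approver") == t["initiator"]]


def approve(txn, approver):
    """Preventive control: refuse approval by the initiator; return an approved copy."""
    if approver == txn["initiator"]:
        raise PermissionError(f"{approver} initiated {txn['id']} and cannot approve it")
    return {**txn, "approver": approver}


# Constructed sample data.
ASSIGNMENTS = {
    "a.lee": {"security_admin", "system_admin"},
    "b.ortiz": {"system_admin"},
    "c.nguyen": {"developer", "production_deployer", "security_admin"},
}
TRANSACTIONS = [
    {"id": "PO-1001", "initiator": "a.lee", "approver": "b.ortiz"},
    {"id": "PO-1002", "initiator": "b.ortiz", "approver": "b.ortiz"},
    {"id": "PO-1003", "initiator": "c.nguyen", "approver": None},
]

if __name__ == "__main__":
    print("role conflicts:", role_conflicts(ASSIGNMENTS))
    print("self-approved:", self_approved(TRANSACTIONS))
    try:
        approve(TRANSACTIONS[2], "c.nguyen")
    except PermissionError as err:
        print("blocked:", err)
```

The detective checks are what an audit runs against existing data; the preventive check is what the application should have enforced so that the detective check finds nothing. The text's second example, financial staff holding both security and system administration, is the first role pair.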
Shortcomings Exist in Continuity of Operations Planning
An organization must take steps to ensure that it is adequately
prepared to cope with the loss of operational capabilities due to
an act of nature, fire, accident, sabotage, or any other
disruption. An essential element in preparing for such
catastrophes is an up-to-date, detailed, and fully tested
continuity of operations plan. Such a plan should cover all key
computer operations and should include planning for business
continuity. This plan is essential for helping to ensure that
critical information systems, operations, and data such as
financial processing and related records can be properly restored
if a disaster occurs. To ensure that the plan is complete and
fully understood by all key staff, it should be tested--including
surprise tests--and test plans and results documented to provide a
basis for improvement. If continuity of operations controls are
inadequate, even relatively minor interruptions can result in lost
or incorrectly processed data, which can cause financial losses,
expensive recovery efforts, and inaccurate or incomplete
mission-critical information.
Although agencies have reported advances in the number of systems
for which contingency plans have been tested, at least 21 agencies
still demonstrated shortcomings in their continuity of operations
planning. For example, one agency did not have a plan that
reflected its current operating environment. Another agency had 17
individual disaster recovery plans covering various segments of
the organization, but it did not have an overall document that
integrated the 17 separate plans and defined the roles and
responsibilities for the disaster recovery teams. In another
example, the agency had not established an alternate processing
site for a key application, or tested the plan. Until agencies
complete actions to address these weaknesses, they are at risk of
not being able to appropriately recover in a timely manner from
certain service disruptions.
Agencywide Security Programs Were Not Fully Implemented
An underlying cause for information security weaknesses identified
at federal agencies is that they have not yet fully or effectively
implemented agencywide information security programs. An
agencywide security program, required by FISMA, provides a
framework and continuing cycle of activity for assessing and
managing risk, developing and implementing security policies and
procedures, promoting security awareness and training, monitoring
the adequacy of the entity's computer-related controls through
security tests and evaluations, and implementing remedial actions
as appropriate. Without a well-designed program, security controls
may be inadequate; responsibilities may be unclear, misunderstood,
and improperly implemented; and controls may be inconsistently
applied. Such conditions may lead to insufficient protection of
sensitive or critical resources.
At least 18 of the 24 major federal agencies had not fully or
effectively implemented agencywide information security programs.
Results of our recent work illustrate that agencies often did not
adequately design or effectively implement policies for elements
key to an information security program. We identified weaknesses
in information security program activities, such as agencies' risk
assessments, information security policies and procedures,
security planning, security training, system tests and
evaluations, and remedial action plans.
Risk Assessments
Identifying and assessing information security risks are essential
to determining what controls are required. Moreover, by increasing
awareness of risks, these assessments can generate support for the
adopted policies and controls in order to help ensure their
intended operation.
Our evaluations at agencies show that they have not fully
implemented risk assessment processes. Furthermore, they did not
always effectively evaluate potential risks for the systems we
reviewed. For example, one agency had no documented process for
conducting risk assessments, while another agency had outdated
risk assessments. In another agency, we determined that they had
assessed the risk levels for their systems, categorized them on
the basis of risk, and had current risk assessments that
documented residual risk assessed and potential threats, and
recommended corrective actions for reducing or eliminating the
vulnerabilities they identified. However, that agency did not
identify many of the vulnerabilities we found and had not
subsequently assessed the risks associated with them. As a result
of these weaknesses, inadequate or inappropriate security controls
may be implemented that do not address the systems' true risk, and
potential risks to these systems may remain unknown.
Policies and Procedures
Although agencies have developed and documented information
security policies, standards, and guidelines for information
security, they did not always provide specific guidance on how to
guard against significant security weaknesses. For example,
policies lacked guidance on how to correctly configure certain
identifications used by operating systems and the powerful
programs used to control processing. We also found weaknesses in
policies regarding physical access, Privacy Act-protected data,
wireless configurations, and business impact analyses. As a
result, agencies have reduced assurance that their systems and the
information they contain are sufficiently protected.
Security Plans
Instances exist where security plans were incomplete or not
up-to-date. For example, one agency had systems security plans
that were missing required information, such as rules of behavior
and controls for public access. At that same agency, one security
plan did not identify its system owner. In another instance,
requirements for applications were not integrated into the
security plan for the general support system, and the
interconnectivity of the current system environment was not
completely addressed. As a result, agencies cannot ensure that
appropriate controls are in place to protect key systems and
critical information.
Specialized Training
People are one of the weakest links in attempts to secure systems
and networks. Therefore, an important component of an information
security program is providing required training so that users
understand system security risks and their own role in
implementing related policies and controls to mitigate those
risks. However, we identified instances where agencies did not
ensure all information security employees and contractors,
including those who have significant information security
responsibilities, received sufficient training.
System Tests and Evaluations
Agencies' policies and procedures for performing periodic testing
and evaluation of information security controls were not always
adequate. Our report13 on testing and evaluating security controls
revealed that agencies had not adequately designed and effectively
implemented policies for testing their security controls in
accordance with OMB and NIST guidance. Agencies did not have
policies that addressed how to determine the depth and breadth of
testing according to risk. Further, agencies did not always
address other important elements, such as the definition of roles
and responsibilities of personnel performing tests, identification
and testing of security controls common to multiple systems, and
the frequency of periodic testing. In other cases, agencies had
not tested controls for all of their systems. Without appropriate
tests and evaluations, agencies have limited assurance that
policies and controls are appropriate and working as intended.
Additionally, increased risk exists that undetected
vulnerabilities could be exploited to allow unauthorized access to
sensitive information.
13 GAO, Information Security: Agencies Need to Develop and Implement
Adequate Policies for Periodic Testing, GAO-07-65 (Washington, D.C.:
Oct. 20, 2006).
Remedial Action Processes and Plans
Our work uncovered weaknesses in agencies' remediation processes
and plans used to document remedial actions. For example, our
report14 on security controls testing revealed that seven agencies
did not have policies to describe a process for incorporating
weaknesses identified during periodic security control testing
into remedial actions. In our other reviews, agencies indicated
that they had corrected or mitigated weaknesses; however, we found
that those weaknesses still existed. In addition, we reviewed
agencies' system self-assessments and identified weaknesses not
documented in their remedial action plans. These weaknesses
pertained to system audit trails, approval and distribution of
continuity of operations plans, and documenting emergency
procedures. We also found that some deficiencies had not been
corrected in a timely manner. Without a mature process and
effective remediation plans, risk increases that vulnerabilities
in agencies' systems will not be mitigated in an effective and
timely manner.
Until agencies effectively and fully implement agencywide
information security programs, federal data and systems will not
be adequately safeguarded to prevent disruption, unauthorized use,
disclosure, and modification. Further, until agencies implement
our recommendations to correct specific information security
control weaknesses, they remain at increased risk of attack or
compromise.
14 GAO-07-65.
Examples Illustrate Weaknesses at Agencies
Persistent weaknesses are evident in numerous reports. Recent
reports by GAO and IGs show that while agencies have made some
progress, persistent weaknesses continue to place critical federal
operations and assets at risk. In our reports, we have made
hundreds of recommendations to agencies to correct specific
information security weaknesses. The following examples illustrate
the effect of these weaknesses at various agencies and for
critical systems.
o Independent external auditors identified over 130 information
technology control weaknesses affecting the Department of Homeland
Security's (DHS) financial systems during the audit of the
department's fiscal year 2006 financial statements. Weaknesses
existed in all key general controls and application controls. For
example, systems were not certified and accredited in accordance
with departmental policy; policies and procedures for incident
response were inadequate; background investigations were not
properly conducted; and security awareness training did not always
comply with departmental requirements. Additionally, users had
weak passwords on key servers that process and house DHS financial
data, and workstations, servers, and network devices were
configured without necessary security patches. Further, changes to
sensitive operating system settings were not always documented;
individuals were able to perform incompatible duties such as
changing, testing, and implementing software; and service
continuity plans were not consistently or adequately tested. As a
result, material errors in DHS' financial data may not be detected
in a timely manner.
o The Department of Health and Human Services (HHS) had not
consistently implemented effective electronic access controls
designed to prevent, limit, and detect unauthorized access to
sensitive financial and medical information at its operating
divisions and contractor-owned facilities.15 Numerous electronic
access control vulnerabilities related to network management, user
accounts and passwords, user rights and file permissions, and
auditing and monitoring of security-related events existed in its
computer networks and systems. In addition, weaknesses existed in
controls designed to physically secure computer resources, conduct
suitable background investigations, segregate duties
appropriately, and prevent unauthorized changes to application
software. These weaknesses increase the risk that unauthorized
individuals can gain access to HHS information systems and
inadvertently or deliberately disclose, modify, or destroy the
sensitive medical and financial data that the department relies on
to deliver its services.
15 GAO, Information Security: Department of Health and Human Services Needs
to Fully Implement Its Program, GAO-06-267 (Washington, D.C.: Feb.
24, 2006).
o The Securities and Exchange Commission had made important
progress addressing previously reported information security
control weaknesses.16 However, we identified 15 new information
security weaknesses pertaining to access controls and
configuration management, in addition to 13 previously
identified weaknesses that remained unresolved. For example, the
Securities and Exchange Commission did not have current
documentation on the privileges granted to users of a major
application, did not securely configure certain system settings,
and did not consistently install all patches to its systems. In
addition, the commission did not sufficiently test and evaluate
the effectiveness of controls for a major system as required by
its certification and accreditation process.
o IRS had made limited progress toward correcting previously
reported information security weaknesses at two data processing
sites.17 IRS had not consistently implemented effective access
controls to prevent, limit, or detect unauthorized access to
computing resources from within its internal network. Those access
controls included those related to user identification and
authentication, authorization, cryptography, audit and monitoring,
and physical security. In addition, IRS faces risks to its
financial and sensitive taxpayer information due to weaknesses in
configuration management, segregation of duties, media destruction
and disposal, and personnel security controls.
o The Federal Aviation Administration (FAA) had significant
weaknesses in controls that are designed to prevent, limit, and
detect unauthorized access to its air traffic control systems.18 For example, for the systems
reviewed, the agency was not adequately managing its networks,
system patches, user accounts and passwords, or user privileges,
and it was not always logging and auditing security-relevant
events. In addition, FAA faces risks to its air traffic control
systems due to weaknesses in physical security, background
investigations, segregation of duties, and application change
controls. As a result, it was at increased risk of unauthorized
system access, possibly disrupting aviation operations. While
acknowledging these weaknesses, agency officials stated that
because portions of their systems are custom built and use older
equipment with special-purpose operating systems, proprietary
communication interfaces, and custom-built software, the
possibilities for unauthorized access are limited. Nevertheless,
the proprietary features of these systems do not protect them from
attack by disgruntled current or former employees, who understand
these features, or from more sophisticated hackers.
16GAO, Information Security: Sustained Progress Needed to Strengthen
Controls at the Securities and Exchange Commission, [127]GAO-06-256
(Washington, D.C.: Mar. 27, 2007).
17GAO, Information Security: Further Efforts Needed to Address Significant
Weaknesses at the Internal Revenue Service, [128]GAO-07-364 (Washington,
D.C.: Mar. 30, 2007).
18GAO, Information Security: Progress Made, but Federal Aviation
Administration Needs to Improve Controls over Air Traffic Control Systems,
[129]GAO-05-712 (Washington, D.C.: Aug. 26, 2005).
o The Federal Reserve Board (FRB) had not effectively implemented
information system controls to protect sensitive data and
computing resources for the distributed-based systems and the
supporting network environment relevant to Treasury auctions.19
Specifically, the FRB did not consistently (1) identify and
authenticate users to prevent unauthorized access; (2) enforce the
principle of least privilege to ensure that authorized access was
necessary and appropriate; (3) implement adequate boundary
protections to limit connectivity to systems that process Bureau
of the Public Debt (BPD) business; (4) apply strong encryption
technologies to protect sensitive data in storage and on its
networks; (5) log, audit, or monitor security-related events; and
(6) maintain secure configurations on servers and workstations. As
a result, auction information and computing resources for key
distributed-based auction systems that the FRB maintains and
operates on behalf of BPD are at an increased risk of unauthorized
and possibly undetected use, modification, destruction, and
disclosure. Furthermore, other FRB applications that share common
network resources with the distributed-based systems may face
similar risks.
o Although the Centers for Medicare and Medicaid Services had many
information security controls in place that had been designed to
safeguard the communication network, key information security
controls were either missing or had not always been effectively
implemented.20 For example, the network had control weaknesses in
areas such as user identification and authentication, user
authorization, system boundary protection, cryptography, and audit
and monitoring of security-related events. Taken collectively,
these weaknesses place financial and personally identifiable
medical information transmitted on the network at increased risk
of unauthorized disclosure and could result in a disruption in
service.
19GAO, Information Security: Federal Reserve Needs to Address Treasury
Auction Systems, [130]GAO-06-659 (Washington, D.C.: Aug. 30, 2006).
20GAO, Information Security: The Centers for Medicare and Medicaid
Services Needs to Improve Controls over Key Communication Network,
[131]GAO-06-750 (Washington, D.C.: Aug. 30, 2006).
o Certain information security controls over a critical internal
Federal Bureau of Investigation (FBI) network reviewed were
ineffective in protecting the confidentiality, integrity, and
availability of information and information resources.21
Specifically, FBI did not consistently (1) configure network
devices and services to prevent unauthorized insider access and
ensure system integrity; (2) identify and authenticate users to
prevent unauthorized access; (3) enforce the principle of least
privilege to ensure that authorized access was necessary and
appropriate; (4) apply strong encryption techniques to protect
sensitive data on its networks; (5) log, audit, or monitor
security-related events; (6) protect the physical security of its
network; and (7) patch key servers and workstations in a timely
manner. Collectively, these weaknesses place sensitive information
transmitted on the network at risk of unauthorized disclosure or
modification, and could result in a disruption of service,
increasing the bureau's vulnerability to insider threats.
Agencies Report Progress, but More Work Is Needed in Implementing
Requirements
Federal agencies continue to report steady progress in
implementing key information security requirements. Although
agencies reported increases in OMB's performance metrics, IGs
identified various weaknesses in agencies' implementation of FISMA
requirements. Pursuant to its FISMA responsibilities, NIST has
continued to issue standards and guidance. Also, agency IGs
completed their annual evaluations, although scope and
methodologies varied across agencies. Further, OMB expanded its
guidance to agencies, with specific emphasis on personally
identifiable information and reported to Congress as required.
However, opportunities exist to improve reporting.
Agencies Cite Increases in Performance, but Weaknesses Exist in
FISMA Implementation
For fiscal year 2006 reporting, governmentwide percentages
increased for employees and contractors receiving security
awareness training and employees with significant security
responsibilities receiving specialized training. Percentages also
increased for systems that had been tested and evaluated at least
annually, systems with tested contingency plans, and systems that
had been certified and accredited (see fig. 5). However, IGs at
several agencies sometimes disagreed with the information reported
by the agency and have identified weaknesses in the processes used
to implement these and other security program activities.
21GAO, Information Security: FBI Needs to Address Weaknesses in Critical
Network, [132]GAO-07-368 (Washington, D.C.: Apr. 30, 2007).
Figure 5: Reported Data for Selected Performance Metrics for 24
Major Agencies
Security Training and Awareness
Federal agencies rely on their employees to protect the
confidentiality, integrity, and availability of the information in
their systems. It is critical for each system user to understand
their security roles and responsibilities and be adequately
trained to perform them. FISMA requires agencies to provide
security awareness training to inform personnel--including
contractors and other users of information systems that support
the operations and assets of the agency--of information security
risks associated with their activities and their responsibilities
in complying with agency policies and procedures designed to
reduce these risks. In addition, agencies are required to provide
appropriate training on information security to personnel who have
significant security responsibilities. OMB requires agencies to
report on the following measures: (1) the number and percentage of
employees and contractors who receive information security
awareness training, (2) the number and percentage of employees who
have significant security responsibilities and received
specialized training, (3) whether peer-to-peer file sharing is
addressed in security awareness training, and (4) the total amount
of money spent on all security training for the fiscal year.
Agencies reported improvements in the governmentwide percentage of
employees and contractors receiving security awareness training.
According to agency reporting, more than 90 percent of total
employees and contractors governmentwide received security
awareness training in fiscal year 2006. This is an increase from
our 2005 report,22 in which approximately 81 percent of employees
governmentwide received security awareness training. In addition,
all agencies reported that they explained policies regarding
peer-to-peer file sharing in security awareness training, ethics
training, or other agencywide training, all addressed specifically
in OMB guidance.
Agencies also reported improvements in the number of employees who
had significant security responsibilities and received specialized
training. There has been a slight increase in the number of
employees who have security responsibilities and received
specialized security training since our last report--almost 86
percent of the selected employees had received specialized
training in fiscal year 2006, compared with about 82 percent in
fiscal year 2005.
To achieve the goal of providing appropriate training to all
employees, agencies reported spending an average of $19.28 per
employee on security training. The amount of money spent by
agencies on security training ranged from about $20,000 to more
than $38 million.23
Although agencies have reported improvements in both the number of
employees receiving security awareness training and the number of
employees who have significant security responsibilities and
received specialized training, several agencies exhibit training
weaknesses. For example, according to agency IGs, five major
agencies reported challenges in ensuring that contractors had
received security awareness training. In addition, reports from
IGs at two major agencies indicated that security training across
components was inconsistent. Five agencies also noted that
weaknesses still exist in ensuring that all employees who have
specialized responsibilities receive specialized training, as
policies and procedures for this type of training are not always
clear. Further, the majority of agency IGs disagree with their
agencies' reporting of individuals who have received security
awareness training. Figure 6 shows a comparison between agency and
IG reporting of the percentage of employees receiving security
awareness training. If all agency employees and contractors do not
receive security awareness training, agencies risk security
breaches resulting from user error or deliberate attack.
22GAO, Information Security: Weaknesses Persist at Federal Agencies
Despite Progress Made in Implementing Related Statutory Requirements,
[133]GAO-05-552 (Washington, D.C.: July 15, 2005).
23One agency did not report the amount of money spent on training.
Figure 6: Percentage of Employees Receiving Security Awareness
Training As Reported by Agencies and IGs
Periodic Testing and Evaluation of the Effectiveness of Information
Security Policies, Procedures, and Practices
Periodically evaluating the effectiveness of security policies and
controls and acting to address any identified weaknesses are
fundamental activities that allow an organization to manage its
information security risks proactively, rather than reacting to
individual problems ad hoc after a violation has been detected or
an audit finding has been reported. Management control testing and
evaluation as part of a program review is an additional source of
information that can be considered along with controls testing and
evaluation in IG and other independent audits to help provide a
more complete picture of an agency's security posture. FISMA
requires that federal agencies periodically test and evaluate the
effectiveness of their information security policies, procedures,
and practices as part of implementing an agencywide security
program. This testing is to be performed with a frequency
depending on risk, but no less than annually, and consists of
testing management, operational, and technical controls for every
system identified in the agency's required inventory of major
information systems. For annual FISMA reporting, OMB requires that
agencies report the number of agency and contractor systems for
which security controls have been tested.
In 2006, federal agencies reported testing and evaluating security
controls for 88 percent of their systems, up from 73 percent in
2005, including increases in testing high-risk systems. However,
shortcomings exist in agencies' testing and evaluation of security
controls. For example, the number of agencies testing and
evaluating 90 percent or more of their systems decreased from 18
in 2005 to 16 in 2006 reporting. IGs also reported that not all
systems had been tested and evaluated at least annually, including
some high-impact systems, and that weaknesses existed in agencies'
monitoring of contractor systems or facilities. As a result,
agencies may not have reasonable assurance that controls are
implemented correctly, are operating as intended, and are
producing the desired outcome with respect to meeting the security
requirements of the agency. In addition, agencies may not be fully
aware of the security control weaknesses in their systems, thereby
leaving the agencies' information and systems vulnerable to attack
or compromise.
Continuity of Operations
Continuity of operations planning ensures that agencies will be
able to perform essential functions during any emergency or
situation that disrupts normal operations. It is important that
these plans be clearly documented, communicated to potentially
affected staff, and updated to reflect current operations. In
addition, testing contingency plans is essential to determining
whether the plans will function as intended in an emergency
situation. FISMA requires that agencywide information security
programs include plans and procedures to ensure continuity of
operations for information systems that support the operations and
assets of the agency. To show the status of implementing
contingency plans testing, OMB requires that agencies report the
percentage of systems that have contingency plans that have been
tested in accordance with policy and guidance.
Federal agencies reported that 77 percent of total systems had
contingency plans that had been tested, an increase from 61
percent. However, on average, high-risk systems had the smallest
percentage of tested contingency plans--only 64 percent of
high-risk systems had tested contingency plans. In contrast,
agencies had tested contingency plans for 79 percent of
moderate-risk systems, 80 percent of low-risk systems, and 70
percent of uncategorized systems.
Several agencies had specific weaknesses in developing and testing
contingency plans. For example, the IG of a major agency noted
that contingency planning had not been completed for certain
critical systems. Another major agency IG noted that the agency
had weaknesses in three out of four tested contingency plans--the
plans were inaccurate, incomplete, or outdated, did not meet
department and federal requirements, and were not tested in
accordance with department and federal government requirements.
Without developing contingency plans and ensuring that they are
tested, the agency increases its risk that it will not be able to
effectively recover and continue operations when an emergency
occurs.
Inventory of Systems
A complete and accurate inventory of major information systems is
essential for managing information technology resources, including
the security of those resources. The total number of agency
systems is a key element in OMB's performance measures, in that
agency progress is indicated by the percentage of total systems
that meet specific information security requirements such as
testing systems annually, certifying and accrediting, and testing
contingency plans. Thus, inaccurate or incomplete data on the
total number of agency systems affects the percentage of systems
shown as meeting the requirements. FISMA requires that agencies
develop, maintain, and annually update an inventory of major
information systems operated by the agency or under its control.
Beginning with 2005 reporting, OMB no longer required agencies to
report the status of their inventories, but required them to
report the number of major systems and asked IGs to report on the
status and accuracy of their agencies' inventories.
IGs reported that 18 agencies had completed approximately 96-100
percent of their inventories, an increase from 13 agencies in
2005. However, the total number of systems in some agencies'
inventories varied widely from 2005 to 2006. In one case, an
agency had approximately a 300 percent increase in the number of
systems, while another had approximately a 50 percent reduction in
the number of its systems. IGs identified problems with agencies'
inventories. For example, IGs at two large agencies reported that
their agencies still did not have complete inventories, while
another questioned the reliability of its agency's inventory since
that agency relied on its components to report the number of
systems and did not validate the numbers. Without complete,
accurate inventories, agencies cannot effectively maintain and
secure their systems. In addition, the performance measures used
to assess agencies' progress may not accurately reflect the extent
to which these security practices have been implemented.
Certification and Accreditation
As a key element of agencies' implementation of FISMA
requirements, OMB has continued to emphasize its long-standing
policy of requiring a management official to formally authorize
(or accredit) an information system to process information and
accept the risk associated with its operation based on a formal
evaluation (or certification) of the system's security controls.
For annual reporting, OMB requires agencies to report the number
of systems, including impact levels, authorized for processing
after completing certification and accreditation. OMB's FISMA
reporting instructions also requested IGs to assess and report on
their agencies' certification and accreditation process.
Federal agencies continue to report increasing certification and
accreditation from fiscal year 2005 reporting. For fiscal year
2006, 88 percent of agencies' systems governmentwide were reported
as certified and accredited, as compared with 85 percent in 2005.
In addition, 23 agencies reported certifying and accrediting more
than 75 percent of their systems, an increase from 21 agencies in
2005. However, the certification and accreditation percentage for
uncategorized systems exceeded the percentages for all other
impact categories and indicates that agencies may not be focusing
their efforts properly.
Although agencies reported increases in the overall percentage of
systems certified and accredited, results of work by their IGs
showed that agencies continue to experience weaknesses in the
quality of this metric. As figure 7 depicts, 10 IGs rated their
agencies' certification and accreditation process as poor or
failing, while in 2005, 7 IGs rated their agencies' process as
poor, and none rated it as failing. In at least three instances of
agencies reporting certification and accreditation percentages
over 90 percent, their IG reported that the process was poor.
Moreover, IGs continue to identify specific weaknesses with key
documents in the certification and accreditation process such as
risk assessments and security plans not being completed consistent
with NIST guidance or finding those items missing from
certification and accreditation packages. In other cases, systems
were certified and accredited, but controls or contingency plans
were not properly tested. For example, IG reports highlighted
weaknesses in security plans such as agencies not using NIST
guidance, not identifying controls that were in place, not
including minimum controls, and not updating plans to reflect
current conditions. Because of these discrepancies and weaknesses,
reported certification and accreditation progress may not be
providing an accurate reflection of the actual status of agencies'
implementation of this requirement. Furthermore, agencies may not
have assurance that accredited systems have controls in place that
properly protect those systems.
Figure 7: OIG Assessment of C&A Process for Fiscal Year 2006
Configuration Standards
Agencies' information security programs are to include risk-based
policies and procedures that cost-effectively reduce information
security risks to an acceptable level and ensure that information
security is addressed throughout the life cycle of each
information system; a key aspect of these policies and procedures
is minimally acceptable configuration standards. Configuration
standards minimize the security risks associated with specific
software applications widely used in an agency or across agencies.
Because IT products are often intended for a wide variety of
audiences, restrictive security controls are usually not enabled
by default, making many products vulnerable before they are used.
FISMA requires each agency to have policies and procedures that
ensure compliance with minimally acceptable system configuration
requirements, as determined by the agency. In fiscal year 2004,
for the first time, agencies reported on the degree to which they
had implemented security configurations for specific operating
systems and software applications. For annual FISMA reporting, OMB
requires agencies to report whether they have an agencywide
security configuration policy; what products, running on agency
systems, are covered by that policy; and to what extent the agency
has implemented policies for those products. OMB also requested
IGs to report this performance for their agencies.
Agencies had not always implemented security configuration
policies. Twenty-three of the major federal agencies reported that
they currently had an agencywide security configuration policy.
Although 21 IGs agreed that their agency had such a policy, they
did not agree that the implementation was always as high as
agencies reported. To illustrate, one agency reported implementing
configuration policy for a particular platform 96 to 100 percent
of the time, while its IG reported that the agency implemented
that policy only 0 to 50 percent of the time. One IG noted that
three of the agency's components did not have overall
configuration policies and that other components that did have the
policies did not take into account applicable platforms. If
minimally acceptable configuration requirements policies are not
properly implemented and applied to systems, agencies will not
have assurance that products are configured adequately to protect
those systems, which could increase their vulnerability and make
them easier to compromise.
Security Incident Procedures
Although strong controls may not block all intrusions and misuse,
organizations can reduce the risks associated with such events if
they take steps to detect and respond to them before significant
damage occurs. Accounting for and analyzing security problems and
incidents are also effective ways for an organization to improve
its understanding of threats and potential cost of security
incidents, as well as pinpointing vulnerabilities that need to be
addressed so that they are not exploited again. When incidents
occur, agencies are to notify the federal information security
incident center--the U.S. Computer Emergency Readiness Team
(US-CERT). US-CERT uses NIST's definition of an incident (a
"violation or imminent threat of violation of computer security
policies, acceptable use policies, or standard computer security
practices"). The categories defined by NIST and US-CERT are:
o Unauthorized access: In this category, an individual gains
logical or physical access without permission to a federal
agency's network, system, application, data, or other resource.
o Denial of service: An attack that successfully prevents or
impairs the normal authorized functionality of networks, systems,
or applications by exhausting resources. This activity includes
being the victim or participating in a denial of service attack.
o Malicious code: Successful installation of malicious software
(e.g., virus, worm, Trojan horse, or other code-based malicious
entity) that infects an operating system or application. Agencies
are not required to report malicious logic that has been
successfully quarantined by antivirus software.
o Improper usage: A person violates acceptable computing use
policies.
o Scans/probes/attempted access: This category includes any
activity that seeks to access or identify a federal agency
computer, open ports, protocols, service, or any combination of
these for later exploit. This activity does not directly result in
a compromise or denial of service.
o Investigation: Unconfirmed incidents that are potentially
malicious or anomalous activity deemed by the reporting entity to
warrant further review.
FISMA requires that agencies' security programs include procedures
for detecting, reporting, and responding to security incidents.
NIST states that agencies are responsible for determining specific
ways to meet these requirements. For FISMA reporting, OMB requires
agencies to report numbers of incidents for the past fiscal year
in addition to the number of incidents the agency reported to
US-CERT and the number reported to law enforcement.
According to the US-CERT annual report for fiscal year 2006,
federal agencies reported a record number of incidents, with a
notable increase in incidents reported in the second half of the
year. As figure 8 shows, since 2005, the number of incidents
reported to US-CERT increased in every category except for
malicious code.
Figure 8: Incidents Reported to US-CERT in Fiscal Years 2005 and
2006
Although agencies reported a record number of incidents,
shortcomings exist in agencies' security incident reporting
procedures. The number of incidents reported is likely to be
inaccurate because of inconsistencies in reporting at various
levels. For example, one agency reported no incidents to US-CERT,
although it reported more than 800 unsuccessful incidents
internally and to law enforcement authorities. In addition,
analysis of reports from three agencies indicated that procedures
for reporting incidents locally were not followed--two where
procedures for reporting incidents to law enforcement authorities
were not followed, and one where procedures for reporting
incidents to US-CERT were not followed. Several IGs also noted
specific weaknesses in incident procedures such as components not
reporting incidents reliably, information being omitted from
incident reports, and reporting time requirements not being met.
Without properly accounting for and analyzing security problems
and incidents, agencies risk losing valuable information needed to
prevent future exploits and understand the nature and cost of
threats directed at the agency.
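The incident categories, the quarantined-malware exclusion, and the reporting shortcomings described above can be expressed as a small records check. This is an added example, not code from the GAO report or from US-CERT; the category and channel names, the record layout, and the 24-hour reporting deadline are assumptions made for the illustration.

```python
# Added example (not from the GAO report): apply the six NIST/US-CERT
# incident categories and the antivirus-quarantine exclusion, then audit
# a set of incident records for the gaps the report's IGs describe:
# reportable incidents never sent to US-CERT, an agency-level discrepancy
# between internal/law-enforcement reporting and US-CERT reporting, and
# reports that miss a time requirement. Names and the deadline are assumed.
from collections import Counter
from dataclasses import dataclass, field

# The six categories the report lists (identifiers assumed).
CATEGORIES = (
    "unauthorized_access",
    "denial_of_service",
    "malicious_code",
    "improper_usage",
    "scans_probes_attempted_access",
    "investigation",
)
# The three reporting levels the report mentions.
CHANNELS = ("internal", "law_enforcement", "us_cert")
# Assumed deadline; the report only says time requirements were not always met.
REPORT_DEADLINE_HOURS = 24


@dataclass
class Incident:
    incident_id: str
    category: str
    detected_hour: float                  # hours since the start of the fiscal year
    reported_to: dict = field(default_factory=dict)  # channel -> hour reported
    quarantined_by_antivirus: bool = False  # only meaningful for malicious_code

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        bad = set(self.reported_to) - set(CHANNELS)
        if bad:
            raise ValueError(f"unknown channel(s): {sorted(bad)}")


def requires_us_cert_report(inc):
    """Everything is reportable except malicious code that antivirus
    software successfully quarantined (the exclusion the report cites)."""
    return not (inc.category == "malicious_code" and inc.quarantined_by_antivirus)


def audit_reporting(incidents):
    """Return (counts per category, counts per channel, findings).

    Findings are (kind, detail) tuples mirroring the weaknesses the report
    describes: incidents omitted from US-CERT reporting, late US-CERT
    reports, and an agency reporting internally or to law enforcement
    but not at all to US-CERT."""
    by_category = Counter(inc.category for inc in incidents)
    by_channel = Counter(ch for inc in incidents for ch in inc.reported_to)
    findings = []
    for inc in incidents:
        if requires_us_cert_report(inc) and "us_cert" not in inc.reported_to:
            findings.append(("not_reported_to_us_cert", inc.incident_id))
        hour = inc.reported_to.get("us_cert")
        if hour is not None and hour - inc.detected_hour > REPORT_DEADLINE_HOURS:
            findings.append(("late_us_cert_report", inc.incident_id))
    local = by_channel["internal"] + by_channel["law_enforcement"]
    if local and by_channel["us_cert"] == 0:
        findings.append(("channel_discrepancy",
                         f"local_reports={local} us_cert_reports=0"))
    return by_category, by_channel, findings


# Constructed sample records for one agency (not real data).
SAMPLE = [
    Incident("INC-001", "unauthorized_access", 10.0,
             {"internal": 11.0, "us_cert": 12.0}),
    # quarantined by antivirus: recorded internally, not reportable to US-CERT
    Incident("INC-002", "malicious_code", 30.0, {"internal": 31.0},
             quarantined_by_antivirus=True),
    # infection that was not quarantined: reportable, but never sent on
    Incident("INC-003", "malicious_code", 50.0, {"internal": 52.0}),
    # sent to law enforcement but not to US-CERT
    Incident("INC-004", "scans_probes_attempted_access", 70.0,
             {"internal": 70.5, "law_enforcement": 72.0}),
    # reported to US-CERT 50 hours after detection: past the assumed deadline
    Incident("INC-005", "denial_of_service", 90.0,
             {"internal": 91.0, "us_cert": 140.0}),
]

if __name__ == "__main__":
    cats, chans, found = audit_reporting(SAMPLE)
    print("by category:", dict(cats))
    print("by channel:", dict(chans))
    for kind, detail in found:
        print(f"finding: {kind}: {detail}")
```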
Remedial Actions to Address Deficiencies in Information Security
Policies, Procedures, and Practices
Developing remedial action plans is key to ensuring that remedial
actions are taken to address significant deficiencies and reduce
or eliminate known vulnerabilities. These plans should list the
weaknesses and show the estimated resource needs and the status of
corrective actions. The plans are intended to assist agencies in
identifying, assessing, prioritizing, and monitoring the progress
of corrective efforts for security weaknesses found in programs
and systems. FISMA requires that agency information security
programs include a process for planning, implementing, evaluating,
and documenting remedial actions to address any deficiencies in
information security policies, procedures, and practices. For
annual FISMA reporting, OMB requires agencies to report quarterly
performance regarding their remediation efforts for all programs
and systems where a security weakness has been identified. It also
requested that IGs assess and report on whether their agency has
developed, implemented, and managed an agencywide process for
these plans.
IGs reported weaknesses in their agencies' remediation processes.
According to IG assessments, 16 of the 24 major agencies did not
almost always incorporate information security weaknesses for all
systems into their remediation plans. They found that
vulnerabilities from reviews were not always being included in
remedial actions. They also highlighted other weaknesses that
included one agency having an unreliable process for prioritizing
weaknesses and another using inconsistent criteria for defining
weaknesses to include in those plans. Without a sound remediation
process, agencies cannot be assured that information security
weaknesses are efficiently and effectively corrected.
NIST Fulfills FISMA Requirements and Expands Activities
NIST plays a key role under FISMA in providing important standards
and guidance. It is required, among other things, to develop and
issue minimum information security standards. NIST has issued
guidance through its FISMA Implementation Project and has also
expanded its work through other security activities.
FISMA Implementation Project
After FISMA was enacted, NIST developed the FISMA Implementation
Project to enable it to fulfill its statutory requirements in a
timely manner. This project is divided into three phases. Phase I
focuses on the development of a suite of required security
standards and guidelines as well as other FISMA-related
publications necessary to create a robust information security
program and effectively manage risk to agency operations and
assets. Standards and guidance issued during Phase I included
standards for security categorization of federal information and
information systems, minimum security requirements for federal
information and information systems, and guidance for the
recommended security controls for federal information systems.
Phase I is nearly complete, with only one publication--a guide to
assessing information security controls--remaining to be
finalized.
NIST has also developed many other documents to assist information
security professionals. For example, NIST issued Special
Publication 800-80 to assist agencies in developing and
implementing information security metrics (footnote 24). The processes and
methodologies described link information security performance to
agency performance by leveraging agency-level strategic planning
processes. Additionally, in October 2006, NIST published Special
Publication 800-100, which provides a broad overview of
information security program elements to assist managers in
understanding how to establish and implement an information
security program (footnote 25).
Phase II focuses on the development of a program for accrediting
public and private sector organizations to conduct security
certification services for federal agencies as part of agencies'
certification and accreditation requirements. Organizations that
participate in the organizational accreditation program (footnote 26) can
demonstrate competency in the application of NIST security
standards and guidelines. NIST conducted a workshop on Phase II
implementation in April of 2006. It is scheduled to be completed
in 2008.
24. NIST, Guide for Developing Performance Metrics for Information Security,
SP 800-80 (Washington, D.C.: May 2006).
25. NIST, Information Security Handbook: A Guide for Managers, SP 800-100
(Washington, D.C.: October 2006).
26. The term accreditation is used in two different contexts in the FISMA
Implementation Project: security accreditation is the official management
decision to authorize the operation of an information system (as in the
certification and accreditation process), and organizational accreditation
involves comprehensive proficiency testing and the demonstration of
specialized skills in a particular area of interest.
Phase III is the development of a program for validating security
tools. The program is to rely on private sector, accredited
testing laboratories to conduct evaluations of the security tools.
NIST is to provide validation services and laboratory oversight.
Implementation of this phase is planned for 2007 and 2008.
Other NIST Security Activities
In addition to the specific responsibilities to develop standards
and guidance, other information security activities undertaken by
NIST include:
o conducting workshops on the credentialing program for security
assessment service providers,
o conducting a presentation on automated security tools,
o providing a tutorial on security certification and accreditation
of federal information systems,
o developing and maintaining a checklist repository of security
configurations for specific IT products,
o developing, along with other federal agencies, the National
Vulnerability Database, which includes a repository of standards-
based vulnerability management data as well as the security
controls, control enhancements, and supplemental guidance from
NIST Special Publication 800-53 (footnote 27), and
o issuing the Computer Security Division's 2006 Annual Report
as mandated by FISMA.
Through NIST's efforts in standards and guidance development and
other activities, agencies have access to additional tools that
can be applied to improve their information security programs.
Additionally, NIST's activities will provide federal agencies with
opportunities to utilize private-sector resources in improving
information security.
27. NIST, Recommended Security Controls for Federal Information Systems,
NIST SP 800-53 rev. 1 (Washington, D.C.: December 2006).
Office of Inspector General Evaluations Varied across Agencies
FISMA requires agency IGs to perform an independent evaluation of
the information security programs and practices of the agency to
determine the effectiveness of such programs and practices. Each
evaluation is to include (1) testing of the effectiveness of
information security policies, procedures, and practices of a
representative subset of the agency's information systems and (2)
assessing compliance (based on the results of the testing) with
FISMA requirements and related information security policies,
procedures, standards, and guidelines. These required evaluations
are then submitted by each agency to OMB in the form of a
template. In addition to the template submission, OMB encourages
the IGs to provide any additional narrative in an appendix to the
report to the extent they provide meaningful insight into the
status of the agency's security or privacy program.
Although the IGs conducted annual evaluations, the scope and
methodology of IGs' evaluations varied across agencies. For
example,
o According to their FISMA reports, certain IGs reported
interviewing officials and reviewing agency documentation, while
others indicated conducting tests of implementation plans (e.g.,
security plans).
o Multiple IGs indicated in the scope and methodology sections of
their reports that their reviews were focused on selected
components, whereas others did not make any reference to the
breadth of their review.
o Several reports were solely comprised of a summary of relevant
information security audits conducted during the fiscal year,
while others included additional evaluation that addressed
specific FISMA-required elements, such as risk assessments and
remedial actions.
o The percentage of systems reviewed varied; 22 of 24 IGs tested
the information security program effectiveness on a subset of
systems; two IGs did not review any systems.
o One IG noted missing Web applications and concluded that the
agency's inventory of major systems was only 0 to 50 percent
complete, although it noted that, due to time constraints, it was
unable to determine whether other items were missing.
o One IG office noted that although it had evaluated the agency's
configuration policy and certain aspects of the policy's
implementation, it did not independently corroborate whether
agency systems were actually under configuration management or
ran the relevant software, but instead relied on the agency's
response.
o Some reviews were limited due to difficulties in verifying
information provided to them by agencies. Specifically, certain
IGs stated that they were unable to conduct evaluations of their
respective agency's inventory because the information provided to
them by the agency at that time was insufficient (i.e., incomplete
or unavailable).
The lack of a common methodology, or framework, has resulted in
disparities in audit scope, methodology, and content.
The President's Council on Integrity and Efficiency (PCIE) (footnote 28) has
recognized the importance of having a framework and in September
2006 developed a tool to assist the IG community with conducting
its FISMA evaluations. The framework consists of program and
system control areas that map directly to the control areas
identified in NIST Special Publication 800-100 (footnote 29) and NIST Special
Publication 800-53 (footnote 30), respectively. According to PCIE members, the
framework includes broad recommendations rather than a specific
methodology due to the varying levels of resources available to
each agency IG. This framework could provide a common approach to
completing the required evaluations, and PCIE has encouraged IGs
to use it.
OMB Increases Guidance, but Improvements Needed in Reporting
Although OMB has continued to expand its guidance provided to
agencies to help improve information security at agencies,
shortcomings exist in its reporting instructions.
OMB Increases Oversight Efforts
FISMA specifies that, among other responsibilities, OMB is to
develop policies, principles, standards and guidelines on
information security. Each year, OMB provides instructions to
federal agencies and their IGs for FISMA annual reporting. OMB's
reporting instructions focus on performance measures such as
certification and accreditation, testing of security controls, and
security training.
28. The President's Council on Integrity and Efficiency was established by
executive order to address integrity, economy, and effectiveness issues
that transcend individual government agencies and increase the
professionalism and effectiveness of IG personnel throughout government.
29. SP 800-100.
30. SP 800-53 rev. 1.
In its March 2007 report to Congress on fiscal year 2006 FISMA
implementation, OMB noted the federal government's modest progress
in meeting key performance measures for IT security. In its
report, OMB stressed that there are still areas requiring
strategic and continued management attention.
OMB identified progress in the following areas:
o system certification and accreditation,
o testing of security controls and contingency plans,
o assigning risk levels to systems,
o training employees in security, and
o reporting incidents.
OMB indicated the following areas require continued management
attention:
o the quality of certification and accreditations,
o inventory of systems,
o oversight of contractor systems, and
o agencywide plan of action and milestones process.
The OMB report also discusses a plan of action to improve
performance, assist agencies in their information security
activities, and promote compliance with statutory and policy
requirements.
To help agencies protect sensitive data from security incidents,
OMB has issued several policy memorandums over the past 13 months.
For example, OMB has sent memorandums to agencies to reemphasize
their responsibilities under law and policy to (1) appropriately
safeguard sensitive and personally identifiable information, (2)
train employees on their responsibilities to protect sensitive
information, and (3) report security incidents. In May 2007, OMB
issued additional detailed guidelines to agencies on safeguarding
against and responding to the breach of personally identifiable
information, including developing and implementing a risk-based
breach notification policy, reviewing and reducing current
holdings of personal information, protecting federal information
accessed remotely, and developing and implementing a policy
outlining the rules of behavior, as well as identifying
consequences and potential corrective actions for failure to
follow these rules.
OMB also issued a memorandum to agencies concerning adherence to
specific configuration standards for Windows Vista and XP
operating systems. This memorandum requires agencies, with these
operating systems and/or plans of upgrading to these operating
systems, to adopt the standard security configurations (developed
through consensus among DHS, NIST, and the Department of Defense)
by February 1, 2008. Agencies were also required to provide OMB
with their implementation plans for these platforms by May 1,
2007.
Opportunities Exist to Improve FISMA Reporting
Periodic reporting of performance measures for FISMA requirements
and related analysis provides valuable information on the status
and progress of agency efforts to implement effective security
management programs; however, opportunities exist to enhance
reporting under FISMA and the independent evaluations completed by
IGs.
In previous reports, we have recommended that OMB improve FISMA
reporting by clarifying reporting instructions and requesting IGs
to report on the quality of additional performance metrics. In
response, OMB has taken steps to enhance its reporting
instructions. For example, OMB added questions regarding incident
detection and assessments of system inventory. OMB has also
recognized the need for assurance of quality for agency processes.
For example, OMB specifically requested that the IGs evaluate the
certification and accreditation process. The qualitative
assessments of the process allow the IG to rate its agency's
certification and accreditation process using the terms
"excellent," "good," "satisfactory," "poor," or "failing."
Despite these enhancements, the current metrics do not measure how
effectively agencies are performing various activities. Current
performance measures offer limited assurance of the quality of
agency processes that implement key security policies, controls,
and practices. For example, agencies are required to test and
evaluate the effectiveness of the controls over their systems at
least once a year and to report on the number of systems
undergoing such tests. However, there is no measure of the quality
of agencies' test and evaluation processes. Similarly, OMB's
reporting instructions do not address the quality of other
activities such as risk categorization, security awareness
training, or incident reporting. Providing information on the
quality of the processes used to implement key control activities
would further enhance the usefulness of the annually reported data
for management and oversight purposes.
Further, OMB reporting guidance and performance measures do not
include complete reporting on a key FISMA-related activity. FISMA
requires each agency to include policies and procedures in its
security program that ensure compliance with minimally acceptable
system configuration requirements, as determined by the agency. As
we previously reported, maintaining up-to-date patches is key to
complying with this requirement. As such, we recommended that OMB
address patch management in its FISMA reporting instructions.
Although OMB addressed patch management in its 2004 FISMA
reporting instructions, it no longer requests this information.
Our recent reports have identified weaknesses in agencies' patch
management processes, leaving federal information systems exposed
to vulnerabilities associated with flaws in software code that
could be exploited to cause significant damage--including the loss
of control of entire systems--thereby enabling malicious
individuals to read, modify, or delete sensitive information or
disrupt operations. Without information on agencies' patch
management processes, OMB and the Congress lack information that
could demonstrate whether or not agencies are taking appropriate
steps for protecting their systems.
Conclusions
Persistent governmentwide weaknesses in information security
controls threaten the confidentiality, integrity, and availability
of the sensitive data maintained by federal agencies. Weaknesses
exist predominantly in access controls, including authentication
and identification, authorization, cryptography, audit and
monitoring, boundary protection, and physical security. Weaknesses
also exist in configuration management, segregation of duties, and
continuity of operations. Until agencies ensure that their
information security programs are fully and effectively
implemented, there is limited assurance that sensitive data will
be adequately protected against unauthorized disclosure or
modification or that services will not be interrupted. These
weaknesses leave federal agencies vulnerable to external as well
as internal threats. Until agencies fully and effectively
implement their information security programs, including
addressing the hundreds of recommendations that we and IGs have
made, federal systems will remain at increased risk of attack or
compromise.
Despite federal agencies' reported progress and increased
activities, weaknesses remain in the processes agencies use for
implementing FISMA performance measures such as those related to
agency risk management. In addition, NIST, the IGs, and OMB have
all made progress toward fulfilling their requirements. However,
the metrics specified in current reporting guidance do not measure
how effectively agencies are performing various activities and the
guidance does not address a key activity. The absence of this
information could result in reporting that does not adequately
reflect the status of agency implementation of required
information security policies and procedures. Consequently,
oversight entities may not be receiving information critical for
monitoring agency compliance with FISMA's statutory requirements
for an information security program.
Recommendations for Executive Action
Because annual reporting is critical to monitoring agencies'
implementation of information security requirements, we recommend
that the Director of OMB take the following three actions in
revising future FISMA reporting guidance:
o Develop additional performance metrics that measure the
effectiveness of FISMA activities.
o Request inspectors general to report on the quality of
additional agency information security processes, such as system
test and evaluation, risk categorization, security awareness
training, and incident reporting.
o Require agencies to report on a key activity--patch management.
Agency Comments
We received written comments on a draft of this report from the
Administrator, Office of E-Government and Information Technology,
OMB (see app. II). The Administrator agreed to take our
recommendations under advisement when the Office modifies its
FISMA reporting instructions. In addition, the Administrator
pointed out that the certification and accreditation process
provides a systemic approach for determining whether appropriate
security controls are in place, functioning properly, and
producing the desired outcome. She further noted that OMB's
current instructions for IGs to evaluate the quality of agencies'
certification and accreditation process provide the flexibility
for IGs to tailor their evaluations based on documented weaknesses
and plans for improvement.
We are sending copies of this report to the Chairmen and Ranking
Members of the Senate Committee on Homeland Security and
Governmental Affairs and the House Committee on Oversight and
Government Reform and to the Office of Management and Budget. We
will also make copies available to others on request. In addition,
this report will be available at no charge on the GAO Web site at
http://www.gao.gov.
If you have any questions regarding this report, please contact me
at (202) 512-6244 or by e-mail at [email protected]. Contact
points for our Office of Congressional Relations and Public
Affairs may be found on the last page of this report. Key
contributors to this report are listed in appendix III.
Gregory C. Wilshusen
Director, Information Security Issues
Appendix I: Objectives, Scope, and Methodology
In accordance with the Federal Information Security Management Act
of 2002 (FISMA) requirement that the Comptroller General report
periodically to Congress, our objectives were to evaluate (1) the
adequacy and effectiveness of agencies' information security
policies and practices and (2) federal agency implementation of
FISMA requirements.
To assess the adequacy and effectiveness of agency information
security policies and practices, we analyzed our related reports
issued from May 2005 through May 2007. We also reviewed and
analyzed the information security work and products of the agency
inspectors general. Both our reports and the inspectors general's
products generally used the methodology contained in the Federal
Information System Controls Audit Manual. Further, we reviewed and
analyzed data on information security in federal agencies'
performance and accountability reports.
To assess implementation of FISMA requirements, we reviewed and
analyzed the act (Title III, Pub. L. No. 107-347) and the 24 major
federal agencies' chief information officer and IG FISMA reports
for fiscal years 2004 to 2006, as well as the performance and
accountability reports for those agencies; the Office of
Management and Budget's FISMA reporting instructions, mandated
annual reports to Congress, and other guidance; and the National
Institute of Standards and Technology's standards, guidance, and
annual reports. We also held discussions with agency officials and
the agency inspectors general to further assess the implementation
of FISMA requirements. We did not include systems categorized as
national security systems in our review, nor did we review the
adequacy or effectiveness of the security policies and practices
for those systems.
Our work was conducted in Washington, D.C. from February 2007
through June 2007 in accordance with generally accepted government
auditing standards.
Appendix II: Comments from the Office of Management and Budget
Appendix III: GAO Contact and Staff Acknowledgments
GAO Contact
Gregory C. Wilshusen, (202) 512-6244 Director, Information
Security Issues
Staff Acknowledgments
In addition to the individual named above, Jeffrey Knott
(Assistant Director); Eric Costello; Larry Crosland; Nancy Glover;
Min Hyun; and Jayne Wilson made key contributions to this report.
Related GAO Products
Information Security: FBI Needs to Address Weaknesses in Critical
Network. [105]GAO-07-368 . Washington, D.C.: April 30, 2007.
Information Security: Persistent Weaknesses Highlight Need for
Further Improvement. [106]GAO-07-751T . Washington, D.C.: April
19, 2007.
Information Security: Further Efforts Needed to Address
Significant Weaknesses at the Internal Revenue Service.
[107]GAO-07-364 . Washington, D.C.: March 30, 2007.
Information Security: Sustained Progress Needed to Strengthen
Controls at the Securities and Exchange Commission.
[108]GAO-07-256 . Washington, D.C.: March 27, 2007.
Information Security: Veterans Affairs Needs to Address
Long-Standing Weaknesses. [109]GAO-07-532T . Washington, D.C.:
February 28, 2007.
Information Security: Agencies Need to Develop and Implement
Adequate Policies for Periodic Testing. [110]GAO-07-65 .
Washington, D.C.: October 20, 2006.
Information Security: Coordination of Federal Cyber Security
Research and Development. [111]GAO-06-811 . Washington, D.C.:
September 29, 2006.
Information Security: Federal Deposit Insurance Corporation Needs
to Improve Its Program. [112]GAO-06-620 . Washington, D.C.: August
31, 2006.
Information Security: Federal Reserve Needs to Address Treasury
Auction Systems. [113]GAO-06-659 . Washington, D.C.: August 30,
2006.
Information Security: The Centers for Medicare & Medicaid Services
Needs to Improve Controls over Key Communication Network.
[114]GAO-06-750 . Washington, D.C.: August 30, 2006.
Information Security: Leadership Needed to Address Weaknesses and
Privacy Issues at Veterans Affairs. [115]GAO-06-897T . Washington,
D.C.: June 20, 2006.
Veterans Affairs: Leadership Needed to Address Information
Security Weaknesses and Privacy Issues. [116]GAO-06-866T .
Washington, D.C.: June 14, 2006.
Information Security: Securities and Exchange Commission Needs to
Continue to Improve Its Program. [137]GAO-06-408 . Washington,
D.C.: March 31, 2006.
Information Assurance: National Partnership Offers Benefits, but
Faces Considerable Challenges. [138]GAO-06-392 . Washington, D.C.:
March 24, 2006.
Information Security: Continued Progress Needed to Strengthen
Controls at the Internal Revenue Service. [139]GAO-06-328 .
Washington, D.C.: March 23, 2006.
Bureau of the Public Debt: Areas for Improvement in Information
Security Controls. [140]GAO-06-522R . Washington, D.C.: March 16,
2006.
Information Security: Federal Agencies Show Mixed Progress in
Implementing Statutory Requirements. [141]GAO-06-527T .
Washington, D.C.: March 16, 2006.
Information Security: Department of Health and Human Services
Needs to Fully Implement Its Program. [142]GAO-06-267 .
Washington, D.C.: February 24, 2006.
Information Security: The Defense Logistics Agency Needs to Fully
Implement Its Security Program. [143]GAO-06-31 . Washington, D.C.:
October 7, 2005.
Information Security: Progress Made, but Federal Aviation
Administration Needs to Improve Controls over Air Traffic Control
Systems. [144]GAO-05-712 . Washington, D.C.: August 26, 2005.
Information Security: Weaknesses Persist at Federal Agencies
Despite Progress Made in Implementing Related Statutory
Requirements. [145]GAO-05-552 . Washington, D.C.: July 15, 2005.
Information Security: Key Considerations Related to Federal
Implementation of Radio Frequency Identification Technology.
[146]GAO-05-849T . Washington, D.C.: June 22, 2005.
Information Security: Department of Homeland Security Needs to
Fully Implement Its Security Program. [147]GAO-05-700 .
Washington, D.C.: June 17, 2005.
Information Security: Radio Frequency Identification Technology in
the Federal Government. [148]GAO-05-551 . Washington, D.C.: May
27, 2005.
IRS Modernization: Continued Progress Requires Addressing Resource
Management Challenges. [149]GAO-05-707T . Washington, D.C.: May
19, 2005.
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in
meeting its constitutional responsibilities and to help improve
the performance and accountability of the federal government for
the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Order by Mail or Phone
The fastest and easiest way to obtain copies of GAO documents at
no cost is through GAO's Web site ( [117]www.gao.gov ). Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of
newly posted products every afternoon, go to [118]www.gao.gov and
select "Subscribe to Updates."
The first copy of each printed report is free. Additional copies
are $2 each. A check or money order should be made out to the
Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are
discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: [119]www.gao.gov/fraudnet/fraudnet.htm
E-mail: [120][email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [121][email protected] (202)
512-4400 U.S. Government Accountability Office, 441 G Street NW,
Room 7125 Washington, D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [122][email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW,
Room 7149 Washington, D.C. 20548
Full product, including the scope and methodology:
[134]www.gao.gov/cgi-bin/getrpt?GAO-07-837
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or
[email protected].
Highlights of [135]GAO-07-837 , a report to congressional committees
July 2007
INFORMATION SECURITY
Despite Reported Progress, Federal Agencies Need to Address Persistent
Weaknesses
[136]What GAO Recommends
GAO is recommending that OMB strengthen FISMA reporting metrics. OMB
agreed to take GAO's recommendations under advisement when modifying its
FISMA reporting instructions.
Significant weaknesses in information security policies and practices
threaten the confidentiality, integrity, and availability of critical
information and information systems used to support the operations,
assets, and personnel of most federal agencies. Recently reported
incidents at federal agencies have placed sensitive data at risk,
including the theft, loss, or improper disclosure of personally
identifiable information on millions of Americans, thereby exposing them
to loss of privacy and identity theft. Almost all of the major federal
agencies had weaknesses in one or more areas of information security
controls (see figure). Most agencies did not implement controls to
sufficiently prevent, limit, or detect access to computer resources. In
addition, agencies did not always manage the configuration of network
devices to prevent unauthorized access and ensure system integrity, such
as patching key servers and workstations in a timely manner; assign
incompatible duties to different individuals or groups so that one
individual does not control all aspects of a process or transaction; or
maintain or test continuity of operations plans for key information
systems. An underlying cause for these weaknesses is that agencies have
not fully implemented their information security programs. As a result,
agencies may not have assurance that controls are in place and operating
as intended to protect their information resources, thereby leaving them
vulnerable to attack or compromise.
Nevertheless, federal agencies have continued to report steady progress in
implementing certain information security requirements. For fiscal year
2006, agencies generally reported performing various control activities
for an increasing percentage of their systems and personnel. However, IGs
at several agencies disagreed with the information the agency reported and
identified weaknesses in the processes used to implement these activities.
Further, although OMB enhanced its reporting instructions to agencies for
preparing fiscal year 2006 FISMA reports, the metrics specified in the
instructions do not measure how effectively agencies are performing
various activities, and there are no requirements to report on a key
activity. As a result, reporting may not adequately reflect the status of
agency implementation of required information security policies and
procedures.
Figure: Information Security Weaknesses at Major Federal Agencies for
Fiscal Year 2006
References
Visible links
102. http://www.gao.gov/cgi-bin/getrpt?GAO/HR-97-9
103. http://www.gao.gov/cgi-bin/getrpt?GAO-07-310
104. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-98-68
105. http://www.gao.gov/cgi-bin/getrpt?GAO-07-368
106. http://www.gao.gov/cgi-bin/getrpt?GAO-07-751T
107. http://www.gao.gov/cgi-bin/getrpt?GAO-07-364
108. http://www.gao.gov/cgi-bin/getrpt?GAO-07-256
109. http://www.gao.gov/cgi-bin/getrpt?GAO-07-532T
110. http://www.gao.gov/cgi-bin/getrpt?GAO-07-65
111. http://www.gao.gov/cgi-bin/getrpt?GAO-06-811
112. http://www.gao.gov/cgi-bin/getrpt?GAO-06-620
113. http://www.gao.gov/cgi-bin/getrpt?GAO-06-659
114. http://www.gao.gov/cgi-bin/getrpt?GAO-06-750
115. http://www.gao.gov/cgi-bin/getrpt?GAO-06-897T
116. http://www.gao.gov/cgi-bin/getrpt?GAO-06-866T
117. http://www.gao.gov/
118. http://www.gao.gov/
119. http://www.gao.gov/fraudnet/fraudnet.htm
120. mailto:[email protected]
121. mailto:[email protected]
122. mailto:[email protected]
123. http://www.gao.gov/cgi-bin/getrpt?GAO-07-657
124. http://www.gao.gov/cgi-bin/getrpt?GAO-07-65
125. http://www.gao.gov/cgi-bin/getrpt?GAO-07-65
126. http://www.gao.gov/cgi-bin/getrpt?GAO-06-267
127. http://www.gao.gov/cgi-bin/getrpt?GAO-06-256
128. http://www.gao.gov/cgi-bin/getrpt?GAO-07-364
129. http://www.gao.gov/cgi-bin/getrpt?GAO-05-712
130. http://www.gao.gov/cgi-bin/getrpt?GAO-06-659
131. http://www.gao.gov/cgi-bin/getrpt?GAO-06-750
132. http://www.gao.gov/cgi-bin/getrpt?GAO-07-368
133. http://www.gao.gov/cgi-bin/getrpt?GAO-05-552
134. http://www.gao.gov/cgi-bin/getrpt?GAO-07-837
135. http://www.gao.gov/cgi-bin/getrpt?GAO-07-837
137. http://www.gao.gov/cgi-bin/getrpt?GAO-06-408
138. http://www.gao.gov/cgi-bin/getrpt?GAO-06-392
139. http://www.gao.gov/cgi-bin/getrpt?GAO-06-328
140. http://www.gao.gov/cgi-bin/getrpt?GAO-06-522R
141. http://www.gao.gov/cgi-bin/getrpt?GAO-06-527T
142. http://www.gao.gov/cgi-bin/getrpt?GAO-06-267
143. http://www.gao.gov/cgi-bin/getrpt?GAO-06-31
144. http://www.gao.gov/cgi-bin/getrpt?GAO-05-712
145. http://www.gao.gov/cgi-bin/getrpt?GAO-05-552
146. http://www.gao.gov/cgi-bin/getrpt?GAO-05-849T
147. http://www.gao.gov/cgi-bin/getrpt?GAO-05-700
148. http://www.gao.gov/cgi-bin/getrpt?GAO-05-551
149. http://www.gao.gov/cgi-bin/getrpt?GAO-05-707T