Information Security: Progress Reported, but Weaknesses at	 
Federal Agencies Persist (12-MAR-08, GAO-08-571T).		 
                                                                 
Information security is especially important for federal	 
agencies, where the public's trust is essential and poor	 
information security can have devastating consequences. Since	 
1997, GAO has identified information security as a governmentwide
high-risk issue in each of our biennial reports to Congress.	 
Concerned by reports of significant weaknesses in federal	 
computer systems, Congress passed the Federal Information	 
Security Management Act (FISMA) of 2002, which permanently	 
authorized and strengthened information security program,	 
evaluation, and annual reporting requirements for federal	 
agencies. GAO was asked to testify on the current state of	 
federal information security and compliance with FISMA. This	 
testimony summarizes (1) the status of agency performance of	 
information security control activities as reported by major	 
agencies and their inspectors general (IG), (2) the effectiveness
of information security at federal agencies, and (3)		 
opportunities to improve federal information security. In	 
preparing for this testimony, GAO analyzed agency, IG, Office of 
Management and Budget (OMB), and GAO reports on information	 
security and reviewed OMB FISMA reporting instructions, 	 
information technology security guidance, and information on	 
reported security incidents.					 
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-08-571T
    ACCNO:   A81297
    TITLE:   Information Security: Progress Reported, but Weaknesses
             at Federal Agencies Persist
     DATE:   03/12/2008
  SUBJECT:   Access control
             Computer systems
             Cyber security
             Data integrity
             Federal agencies
             Federal law
             Government information
             Government information dissemination
             Information disclosure
             Information infrastructure
             Information management
             Information security
             Information security management
             Information systems
             Information technology
             Internal controls
             Performance measures
             Policy evaluation
             Program evaluation
             Reporting requirements
             Risk assessment
             Risk management
             Systems evaluation
             Systems integrity
             Systems testing
             Program implementation
             GAO High Risk Series

GAO-08-571T

This is the accessible text file for GAO report number GAO-08-571T 
entitled 'Information Security: Progress Reported, but Weaknesses at 
Federal Agencies Persist' which was released on March 13, 2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony: 

Before the Subcommittee on Federal Financial Management, Government 
Information, Federal Services, and International Security, Committee on 
Homeland Security and Governmental Affairs, U.S. Senate: 

United States Government Accountability Office: 

GAO: 

For Release on Delivery Expected at 2:30 p.m. EDT: 

Wednesday, March 12, 2008: 

Information Security: 

Progress Reported, but Weaknesses at Federal Agencies Persist: 

Statement of Gregory C. Wilshusen Director, Information Security 
Issues: 

Federal Information Security: 

GAO-08-571T: 

GAO Highlights: 

Highlights of GAO-08-571T, a testimony before the Subcommittee on 
Federal Financial Management, Government Information, Federal Services, 
and International Security, Committee on Homeland Security and 
Governmental Affairs, U.S. Senate. 

Why GAO Did This Study: 

Information security is especially important for federal agencies, 
where the public's trust is essential and poor information security can 
have devastating consequences. Since 1997, GAO has identified 
information security as a governmentwide high-risk issue in each of our 
biennial reports to Congress. Concerned by reports of significant 
weaknesses in federal computer systems, Congress passed the Federal 
Information Security Management Act (FISMA) of 2002, which permanently 
authorized and strengthened information security program, evaluation, 
and annual reporting requirements for federal agencies. 

GAO was asked to testify on the current state of federal information 
security and compliance with FISMA. This testimony summarizes (1) the 
status of agency performance of information security control activities 
as reported by major agencies and their inspectors general (IG), (2) 
the effectiveness of information security at federal agencies, and (3) 
opportunities to improve federal information security. In preparing for 
this testimony, GAO analyzed agency, IG, Office of Management and 
Budget (OMB), and GAO reports on information security and reviewed OMB 
FISMA reporting instructions, information technology security guidance, 
and information on reported security incidents. 

What GAO Found: 

Over the past several years, 24 major federal agencies have 
consistently reported progress in performing information security 
control activities in their annual FISMA reports. For fiscal year 2007, 
the federal government continued to report improved information 
security performance relative to key performance metrics established by 
OMB. For example, an increasing percentage of systems governmentwide 
had been tested and evaluated, had tested contingency plans, and had 
been certified and accredited. However, IGs at several agencies 
sometimes disagreed with the agency reported information and identified 
weaknesses in the processes used to implement these and other security 
program activities. 

Despite agency reported progress, major federal agencies continue to 
experience significant information security control deficiencies that 
limit the effectiveness of their efforts to protect the 
confidentiality, integrity, and availability of their information and 
information systems. Most agencies did not implement controls to 
sufficiently prevent, limit, or detect access to computer networks, 
systems, or information. In addition, agencies did not always 
effectively manage the configuration of network devices to prevent 
unauthorized access and ensure system integrity, patch key servers and 
workstations in a timely manner, assign duties to different individuals 
or groups so that one individual did not control all aspects of a 
process or transaction, and maintain complete continuity of operations 
plans for key information systems. An underlying cause for these 
weaknesses is that agencies have not fully or effectively implemented 
agencywide information security programs. As a result, federal systems 
and information are at increased risk of unauthorized access to and 
disclosure, modification, or destruction of sensitive information, as 
well as inadvertent or deliberate disruption of system operations and 
services. Such risks are illustrated, in part, by an increasing number 
of security incidents experienced by federal agencies. 

Nevertheless, opportunities exist to bolster federal information 
security. Federal agencies could implement the hundreds of 
recommendations made by GAO and IGs to resolve prior significant 
control deficiencies and information security program shortfalls. In 
addition, OMB and other federal agencies have initiated several 
governmentwide initiatives that are intended to improve security over 
federal systems and information. For example, OMB has established an 
information systems security line of business to share common processes 
and functions for managing information systems security and directed 
agencies to adopt the security configurations developed by the National 
Institute of Standards and Technology and Departments of Defense and 
Homeland Security for certain Windows operating systems. Opportunities 
also exist to enhance policies and practices related to security 
control testing and evaluation, FISMA reporting, and the independent 
annual evaluations of agency information security programs required by 
FISMA. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?gao-08-571T]. For more information, contact 
Gregory Wilshusen at (202) 512-6244 or [email protected]. 

[End of section] 

Mr. Chairman and Members of the Subcommittee: 

Thank you for the opportunity to participate in today's hearing to 
discuss information security over federal systems. Information security 
is a critical consideration for any organization that depends on 
information systems and computer networks to carry out its mission or 
business. It is especially important for government agencies, where the 
public's trust is essential. The need for a vigilant approach to 
information security is demonstrated by the dramatic increase in 
reports of security incidents, the wide availability of hacking tools, 
and steady advances in the sophistication and effectiveness of attack 
technology. Over the past few years, federal agencies have reported 
numerous security incidents in which sensitive information has been 
lost or stolen, including personally identifiable information, which 
has exposed millions of Americans to a loss of privacy, identity theft, 
and other financial crimes. 

Concerned by reports of significant weaknesses in federal computer 
systems, Congress passed the Federal Information Security Management 
Act (FISMA) of 2002,[Footnote 1] which permanently authorized and 
strengthened information security program, evaluation, and annual 
reporting requirements for federal agencies. However, five years after 
FISMA was enacted, we continue to report that poor information security 
is a widespread problem with potentially devastating consequences. 
Since 1997, we have identified information security as a governmentwide 
high-risk issue in each of our biennial reports to the 
Congress.[Footnote 2] 

In my testimony today, I will summarize (1) the status of agency 
performance of information security control activities as reported by 
major agencies and their inspectors general (IG), (2) the effectiveness 
of information security at federal agencies, and (3) opportunities to 
improve federal information security. In preparing for this testimony, 
we analyzed the Office of Management and Budget's (OMB) FISMA report 
for fiscal year 2007[Footnote 3] and the annual FISMA reports and the 
performance and accountability reports for 24 major federal 
agencies;[Footnote 4] examined agency, IG, and our reports on 
information security; and reviewed OMB FISMA reporting instructions, 
information technology (IT) security guidance, and information on 
reported security incidents. We conducted our work, in support of this 
testimony, from February 2008 through March 2008, in the Washington, 
D.C. area. The work on which this testimony is based was performed in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Results in Brief: 

Over the past several years, major federal agencies have consistently 
reported progress in performing certain information security control 
activities. In fiscal year 2007, the percentage of certified and 
accredited[Footnote 5] systems governmentwide reportedly increased from 
88 percent to 92 percent. Gains were also reported in testing of 
security controls--from 88 percent of systems to 95 percent of systems--
and for contingency plan testing--from 77 percent to 86 percent. 
These gains continue a historical trend that we reported on last 
year.[Footnote 6] However, IGs at several agencies sometimes disagreed 
with the agency reported information and identified weaknesses in the 
processes used to implement these and other security program 
activities. 

Despite the progress reported by agencies, they continue to confront 
long-standing information security control deficiencies that limit the 
effectiveness of their efforts in protecting the confidentiality, 
integrity, and availability of their information and information 
systems. Most agencies did not implement controls to sufficiently 
prevent, limit, or detect access to computer networks, systems, or 
information. In addition, agencies did not always effectively manage 
the configuration of network devices to prevent unauthorized access and 
ensure system integrity, install patches on key servers and 
workstations in a timely manner, assign duties to different individuals 
or groups so that one individual did not control all aspects of a 
process or transaction, and maintain complete continuity of operations 
plans for key information systems. An underlying cause for these 
weaknesses is that agencies have not fully or effectively implemented 
agencywide information security programs. As a result, federal systems 
and sensitive information are at increased risk of unauthorized access 
and disclosure, modification, or destruction, as well as inadvertent or 
deliberate disruption of system operations and services. Such risks are 
illustrated, in part, by the increasing number of security incidents 
experienced by federal agencies. 

Nevertheless, there are opportunities for federal agencies to bolster 
information security. Federal agencies could implement the hundreds of 
recommendations made by GAO and IGs to resolve prior significant 
control deficiencies and information security program shortfalls. In 
addition, OMB and other federal agencies have initiated several 
governmentwide initiatives that are intended to improve security over 
federal systems and information. For example, OMB has established an 
information system security line of business to share common processes 
and functions for managing information systems security and directed 
agencies to adopt the security configurations developed by the National 
Institute of Standards and Technology and Departments of Defense and 
Homeland Security for certain Windows operating systems. Opportunities 
also exist to enhance policies and practices related to security 
control testing and evaluation, FISMA reporting, and the independent 
annual evaluations of agency information security programs required by 
FISMA. 

Background: 

Virtually all federal operations are supported by automated systems and 
electronic data, and agencies would find it difficult, if not 
impossible, to carry out their missions and account for their resources 
without these information assets. Therefore, it is important for 
agencies to safeguard their systems against risks such as loss or theft 
of resources (such as federal payments and collections), modification 
or destruction of data, and unauthorized uses of computer resources or 
to launch attacks on other computer systems. Sensitive information, 
such as taxpayer data, Social Security records, medical records, and 
proprietary business information could be inappropriately disclosed, 
browsed, or copied for improper or criminal purposes. Critical 
operations could be disrupted, such as those supporting national 
defense and emergency services or agencies' missions could be 
undermined by embarrassing incidents, resulting in diminished 
confidence in their ability to conduct operations and fulfill their 
responsibilities. 

Critical Systems Face Multiple Cyber Threats: 

Cyber threats to federal systems and critical infrastructures can be 
unintentional and intentional, targeted or nontargeted, and can come 
from a variety of sources. Unintentional threats can be caused by 
software upgrades or maintenance procedures that inadvertently disrupt 
systems. Intentional threats include both targeted and nontargeted 
attacks. A targeted attack is when a group or individual specifically 
attacks a critical infrastructure system. A nontargeted attack occurs 
when the intended target of the attack is uncertain, such as when a 
virus, worm, or malware[Footnote 7] is released on the Internet with no 
specific target. The Federal Bureau of Investigation has identified 
multiple sources of threats to our nation's critical information 
systems, including foreign nation states engaged in information 
warfare, domestic criminals, hackers, virus writers, and disgruntled 
employees working within an organization. Table 1 summarizes those 
groups or individuals that are considered to be key sources of cyber 
threats to our nation's information systems and infrastructures. 

Table 1: Sources of Cyber Threats to Federal Systems and Critical 
Infrastructures: 

Threat source: Criminal groups; 
Description: There is an increased use of cyber intrusions by criminal 
groups that attack systems for monetary gain. 

Threat source: Foreign nation states; 
Description: Foreign intelligence services use cyber tools as part of 
their information gathering and espionage activities. Also, several 
nations are aggressively working to develop information warfare 
doctrine, programs, and capabilities. Such capabilities enable a single 
entity to have a significant and serious impact by disrupting the 
supply, communications, and economic infrastructures that support 
military power--impacts that, according to the Director of the Central 
Intelligence Agency, can affect the daily lives of Americans across the 
country.[A] 

Threat source: Hackers; 
Description: Hackers sometimes crack into networks for the thrill of 
the challenge or for bragging rights in the hacker community. While 
remote cracking once required a fair amount of skill or computer 
knowledge, hackers can now download attack scripts and protocols from 
the Internet and launch them against victim sites. Thus, attack tools 
have become more sophisticated and easier to use. 

Threat source: Hacktivists; 
Description: Hacktivism refers to politically motivated attacks on 
publicly accessible Web pages or e-mail servers. These groups and 
individuals overload e-mail servers and hack into Web sites to send a 
political message. 

Threat source: Disgruntled insiders; 
Description: The disgruntled insider, working from within an 
organization, is a principal source of computer crimes. Insiders may 
not need a great deal of knowledge about computer intrusions because 
their knowledge of a victim system often allows them to gain 
unrestricted access to cause damage to the system or to steal system 
data. The insider threat also includes contractor personnel. 

Threat source: Terrorists; 
Description: Terrorists seek to destroy, incapacitate, or exploit 
critical infrastructures to threaten national security, cause mass 
casualties, weaken the U.S. economy, and damage public morale and 
confidence. However, traditional terrorist adversaries of the United 
States are less developed in their computer network capabilities than 
other adversaries. Terrorists likely pose a limited cyber threat. The 
Central Intelligence Agency believes terrorists will stay focused on 
traditional attack methods, but it anticipates growing cyber threats as 
a more technically competent generation enters the ranks. 

Source: Federal Bureau of Investigation, unless otherwise indicated. 

[A] Prepared statement of George J. Tenet, Director of Central 
Intelligence, before the Senate Select Committee on Intelligence, 
February 2, 2000. 

[End of table] 

There is increasing concern among both government officials and 
industry experts regarding the potential for a cyber attack. According 
to the Director of National Intelligence,[Footnote 8] "Our information 
infrastructure--including the internet, telecommunications networks, 
computer systems, and embedded processors and controllers in critical 
industries--increasingly is being targeted for exploitation and 
potentially for disruption or destruction, by a growing array of state 
and non-state adversaries. Over the past year, cyber exploitation 
activity has grown more sophisticated, more targeted, and more serious. 
The Intelligence Community expects these trends to continue in the 
coming year." 

Increased Vulnerabilities Could Expose Federal Systems to Attack: 

As federal information systems increase their connectivity with other 
networks and the Internet and as the system capabilities continue to 
increase, federal systems will become increasingly more vulnerable. 
Data from the National Vulnerability Database, the U.S. government 
repository of standards-based vulnerability management data, showed 
that, as of March 6, 2008, there were about 29,000 security 
vulnerabilities or software defects that can be directly used by a 
hacker to gain access to a system or network. On average, close to 18 
new vulnerabilities are added each day. Furthermore, the database 
revealed that more than 13,000 products contained security 
vulnerabilities. 

These vulnerabilities become particularly significant when considering 
the ease of obtaining and using hacking tools, the steady advances in 
the sophistication and effectiveness of attack technology, and the 
emergence of new and more destructive attacks. Thus, protecting federal 
computer systems and the systems that support critical infrastructures 
has never been more important. 

Federal Law and Policy Established Federal Information Security 
Requirements: 

FISMA sets forth a comprehensive framework for ensuring the 
effectiveness of security controls over information resources that 
support federal operations and assets. FISMA's framework creates a 
cycle of risk management activities necessary for an effective security 
program, and these activities are similar to the principles noted in 
our study of the risk management activities of leading private sector 
organizations[Footnote 9]--assessing risk, establishing a central 
management focal point, implementing appropriate policies and 
procedures, promoting awareness, and monitoring and evaluating policy 
and control effectiveness. More specifically, FISMA requires the head 
of each agency to provide information security protections commensurate 
with the risk and magnitude of harm resulting from the unauthorized 
access, use, disclosure, disruption, modification or destruction of 
information and information systems used or operated by the agency or 
on behalf of the agency. In this regard, FISMA requires that agencies 
implement information security programs that, among other things, 
include: 

* periodic assessments of the risk; 

* risk-based policies and procedures; 

* subordinate plans for providing adequate information security for 
networks, facilities, and systems or groups of information systems, as 
appropriate; 

* security awareness training for agency personnel, including 
contractors and other users of information systems that support the 
operations and assets of the agency; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, performed with a 
frequency depending on risk, but no less than annually; 

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies; 

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations. 

In addition, agencies must develop and maintain an inventory of major 
information systems that is updated at least annually and report 
annually to the Director of OMB and several Congressional Committees on 
the adequacy and effectiveness of their information security policies, 
procedures, and practices and compliance with the requirements of the 
act. 

OMB and agency IGs also play key roles under FISMA. Among other 
responsibilities, OMB is to develop policies, principles, standards, 
and guidelines on information security and is required to report 
annually to Congress on agency compliance with the requirements of the 
act. OMB has provided instructions to federal agencies and their IGs 
for preparing annual FISMA reports. OMB's reporting instructions focus 
on performance metrics related to the performance of key control 
activities such as developing a complete inventory of major information 
systems, providing security training to personnel, testing and 
evaluating security controls, testing contingency plans, and certifying 
and accrediting systems. Its yearly guidance also requires agencies to 
identify any physical or electronic incidents involving the loss of, or 
unauthorized access to, personally identifiable information. 

FISMA also requires agency IGs to perform an independent evaluation of 
the information security programs and practices of the agency to 
determine the effectiveness of such programs and practices. Each 
evaluation is to include (1) testing of the effectiveness of 
information security policies, procedures, and practices of a 
representative subset of the agency's information systems and (2) 
assessing compliance (based on the results of the testing) with FISMA 
requirements and related information security policies, procedures, 
standards, and guidelines. These required evaluations are then 
submitted by each agency to OMB in the form of an OMB-developed 
template that summarizes the results. In addition to the template 
submission, OMB encourages agency IGs to provide any additional 
narrative in an appendix to the report to the extent they provide 
meaningful insight into the status of the agency's security or privacy 
program. 

Agencies Report Progress in Performing Control Activities, but Some IGs 
Report that Weaknesses Exist: 

Major federal agencies have continued to report steady progress over 
the past several years in performing information security control 
activities, although IGs at several agencies identified inconsistencies 
with reported information. According to OMB and agency FISMA reports, 
the federal government continued to improve information security 
performance in fiscal year 2007 relative to key performance metrics 
established by OMB. For fiscal year 2007, IGs reported that more 
agencies had completed approximately 96-100 percent of their 
inventories and the governmentwide percentage of employees with 
significant security responsibilities who received specialized training 
increased. Percentages also increased for systems that had been tested 
and evaluated at least annually, systems with tested contingency plans, 
and systems that had been certified and accredited. However, agencies 
reported a decline in the percentage of employees and contractors who 
received security awareness training (see fig. 1). In addition, IGs at 
several agencies sometimes disagreed with the information reported by 
the agency and have identified weaknesses in the processes used to 
implement these and other security program activities. 

Figure 1: Reported Data for Selected Performance Metrics for 24 Major 
Agencies: 

This figure is a combination bar graph showing reported data for 
selected performance metrics for 24 major agencies. The bars represent 
fiscal year 2005, 2006, and 2007. 

[See PDF for image] 

Source: GAO analysis of agency FISMA reports. 

[End of figure] 

Inventory of Systems: 

In fiscal year 2007, 24 major federal agencies reported a total of 
10,285 systems, composed of 8,933 agency and 1,352 contractor systems. 
Table 2 summarizes the number of agency and contractor systems by 
system impact level. 

Table 2: Total Number of Agency and Contractor Systems in FY07 by 
Impact Level: 

Impact Level       Agency   Contractor    Total
High                1,089          121    1,210
Moderate            3,264          513    3,777
Low                 4,351          334    4,685
Not Categorized       229          384      613
Total               8,933        1,352   10,285

Source: GAO analysis of agency FY2007 FISMA reports. 

[End of table] 

IGs reported that 19 agencies had completed approximately 96-100 
percent of their inventories, an increase from 18 agencies in 2006. 
However, IGs identified problems with system inventories at several 
agencies. For example, three agency IGs did not agree with the reported 
number of agency systems or of systems operated by a contractor or 
another organization on the agency's behalf, and one IG for a large 
agency reported that it did not agree with the number of agency-owned 
systems. Additionally, one agency IG identified discrepancies in the 
number of system interfaces and interconnections reported, and one IG 
reported that the agency lacked procedures to ensure that contractor 
systems are identified. Without complete and accurate inventories, 
agencies cannot effectively maintain and secure their systems. In 
addition, the performance measures used to assess agencies' progress 
may not accurately reflect the extent to which these security practices 
have been implemented. 

Security Awareness and Specialized Training: 

Overall, agencies reported a decline in the percentage of employees and 
contractors receiving security awareness training. According to agency 
FISMA reports, 84 percent of total employees and contractors 
governmentwide received security awareness training in fiscal year 
2007, a decrease from 2006 in which 91 percent of employees and 
contractors governmentwide received security awareness training. 
However, 10 agencies reported increasing percentages of employees and 
contractors receiving security awareness training and five other 
agencies continue to report that 100 percent of their employees and 
contractors received security awareness training. In addition, each 
agency reported it had explained policies regarding peer-to-peer file 
sharing in security awareness training, ethics training, or other 
agencywide training. 

Governmentwide, agencies reported an increasing percentage of employees 
with significant security responsibilities who received specialized 
training. In fiscal year 2007, 90 percent of these employees had 
received specialized training, compared with 86 percent in fiscal year 
2006. 

Although the majority of agencies reported improvements in both the 
percentage of employees and contractors receiving security awareness 
training and the percentage of employees with significant security 
responsibilities who received specialized training, several did not. 
For example, nine agencies reported a decrease in the percentage of 
employees and contractors who received security awareness training. In 
addition, several IGs reported weaknesses in agencies' security 
awareness and training efforts. For example, one IG reported that the 
agency was unable to ensure that contractors received security 
awareness training, and another IG reported that, following successful 
social engineering attempts, the agency's security awareness program 
needs to increase employees' awareness of social engineering techniques 
and the importance of protecting their usernames and passwords. Two 
agency IGs also noted that weaknesses exist in ensuring that all 
employees who have specialized responsibilities receive specialized 
training. Further, eight agency IGs disagreed with the percentage of 
individuals that their agency reported as having received security 
awareness training. Figure 2 shows a comparison between agency and IG 
reporting of the percentage of employees receiving security awareness 
training. Failure to provide up-to-date information security awareness 
training could contribute to the information security problems at 
agencies. 

Figure 2: Percentage of Employees Receiving Security Awareness Training 
As Reported by Agencies and IGs: 

This figure is a combination bar graph showing percentage of employees 
receiving security awareness training as reported by agencies and IGs. 
The X axis represents percent of employees trained, and the Y axis 
represents the number of agencies. 

[See PDF for image] 

Source: GAO analysis of agency FY2007 FISMA reports. 

Note: One agency IG did not provide the percentage of employees and 
contractors who received security awareness training. This agency is 
not included. 

[End of figure] 

Periodic Testing and Evaluation of the Effectiveness of Information 
Security Policies, Procedures, and Practices: 

In 2007, federal agencies reported testing and evaluating security 
controls for 95 percent of their systems, up from 88 percent in 2006. 
The number of agencies that reported testing and evaluating 90 percent 
or more of their systems also increased from 16 in 2006 to 23 in 2007. 
However, IGs reported shortcomings in agency procedures for testing and 
evaluating security controls at several agencies. For example, 11 IGs 
reported that their agency did not always ensure that information 
systems used or operated by a contractor met the requirements of FISMA, 
OMB policy, NIST guidelines, national security policy, and agency 
policy. In addition, two IGs reported that agencies did not conduct 
their annual assessments using current NIST guidance. As a result, 
these agencies may not have reasonable assurance that controls are 
implemented correctly, are operating as intended, and producing the 
desired outcome with respect to meeting the security requirements of 
the agency. In addition, agencies may not be fully aware of the 
security control weaknesses in their systems, thereby leaving the 
agencies' information and systems vulnerable to attack or compromise. 

Continuity of Operations: 

Federal agencies reported that 86 percent of total systems had 
contingency plans that had been tested, an increase from 77 percent in 
2006. However, as we reported in 2006, high-risk systems continue to 
have the smallest percentage of tested contingency plans--only 77 
percent of high-risk systems had tested contingency plans. In contrast, 
agencies had tested contingency plans for 90 percent of moderate-risk 
systems, 85 percent of low-risk systems, and 91 percent of 
uncategorized systems (see fig. 3). 

Figure 3: Percentage of Systems with Contingency Plans that Have Been 
Tested for Fiscal Year 2007 by Risk Level: 

This figure is a bar graph showing percentage of systems with 
contingency plans that have been tested for fiscal year 2007 by risk 
level. The X axis represents the FIPS 199 System Impact Level, and the 
Y axis represents percent. 

[See PDF for image] 

Source: GAO analysis of agency FY2007 FISMA reports. 

[End of figure] 

Two IGs reported that systems for their agencies were not tested in 
accordance with federal government requirements. Without developing and 
testing contingency plans, agencies have limited assurance that they 
will be able to recover mission-critical applications, business 
processes, and information in the event of an unexpected interruption. 

Certification and Accreditation: 

Federal agencies continue to report an increasing percentage of systems 
that have been certified and accredited. For fiscal year 2007, 92 
percent of agencies' systems governmentwide were reported as certified 
and accredited, as compared with 88 percent in 2006. In addition, 
agencies reported certifying and accrediting 95 percent of their 
high-risk systems, an increase from 89 percent in 2006. 

Although agencies reported increases in the overall percentage of 
systems certified and accredited, IGs reported that several agencies 
continued to experience shortcomings in the quality of their 
certification and accreditation process. As figure 4 depicts, five IGs 
rated their agencies' certification and accreditation process as poor 
or failing, including three agencies that reported over 90 percent of 
their systems as certified and accredited. 

Figure 4: OIG Assessment of Certification and Accreditation Process for 
Fiscal Year 2007: 

This figure is a pie graph showing OIG assessment of certification and 
accreditation process for fiscal year 2007. 

Satisfactory: 11; 
Good: 3; 
Excellent: 4; 
Failing: 1; 
Poor: 4. 

[See PDF for image] 

Source: GAO analysis of agency FY2007 FISMA reports. 

Note: One agency IG did not rate the quality of the agency 
certification and accreditation process. 

[End of figure] 

In addition, IGs at six agencies identified specific weaknesses with 
key documents in the certification and accreditation process such as 
risk assessments, testing and evaluation, and security plans not being 
consistent with NIST guidance or finding those items missing from 
certification and accreditation packages. In other cases where systems 
were certified and accredited, IGs noted that contingency plans and 
security controls were not tested annually and security controls were 
not fully tested and evaluated when significant changes were made to 
agency systems. Additionally, one agency IG noted that the agency does 
not follow a formally established and documented process for 
certification and accreditation. As a result, reported certification 
and accreditation progress may not be providing an accurate reflection 
of the actual status of agencies' implementation of this requirement. 
Furthermore, agencies may not have assurance that accredited systems 
have controls in place that properly protect those systems. 

Policies and Procedures: 

Agencies had not always implemented security configuration policies. 
Twenty-three of the major federal agencies reported that they had an 
agencywide security configuration policy. Although the IGs agreed that 
their agency had such a policy, several IGs did not agree with the 
extent to which their agencies had implemented the policies or applied 
the common security configurations established by NIST. In addition, 
only seven agencies reported that they complied with NIST security 
configuration requirements 96 percent or more of the time. If minimally 
acceptable configuration requirements are not properly applied to 
systems, agencies will not have assurance that products are configured 
adequately to protect those systems, which could increase their 
vulnerability and make them easier to compromise. 

As we have previously reported,[Footnote 10] not all agencies had 
developed and documented policies and procedures reflecting OMB 
guidance on protection of personally identifiable information that is 
either accessed remotely or physically transported outside an agency's 
secured physical perimeter. Of the 24 major agencies, 22 had developed 
policies requiring personally identifiable information to be encrypted 
on mobile computers and devices. Fifteen of the agencies had policies 
to use a "time-out" function for remote access and mobile devices 
requiring user reauthentication after 30 minutes of inactivity. Fewer 
agencies (11) had established policies to log computer-readable data 
extracts for databases holding sensitive information and erase the data 
within 90 days after extraction. Several agencies indicated that they 
were researching technical solutions to address these issues. 
Furthermore, four IGs rated agencies' progress in implementing OMB 
guidance as poor or failing, and at least 14 IGs reported weaknesses in 
agencies' implementation of OMB guidance related to the protection of 
personally identifiable information. Gaps in their policies and 
procedures reduce agencies' ability to protect personally identifiable 
information from improper disclosure. 
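The data-extract requirement above (log extracts of sensitive data and erase them within 90 days) is the kind of policy an IG can only evaluate if the extract log is actually checked. The following is an added example, not code from the GAO testimony or from any agency; it assumes a constructed pipe-delimited extract log and flags extracts that were held past the 90-day deadline or have not been erased at all.

```python
"""Check logged PII data extracts against a 90-day erasure requirement.

Added example for the OMB requirement described in the text; it is not
code from the GAO testimony. The log format, field names and sample
records are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The requirement discussed in the text: extracts of sensitive data must
# be logged and erased within 90 days of extraction.
MAX_RETENTION = timedelta(days=90)

# Constructed sample log (hypothetical format):
# extract_id|user|database|extracted_at|erased_at (blank if not yet erased)
SAMPLE_LOG = """\
ext-001|jsmith|benefits_db|2007-06-01T09:15:00Z|2007-07-10T16:00:00Z
ext-002|alee|payroll_db|2007-05-20T13:40:00Z|
ext-003|jsmith|benefits_db|2007-08-28T08:05:00Z|
ext-004|rkhan|medical_db|2007-03-02T11:30:00Z|2007-06-15T10:00:00Z
ext-005|alee|payroll_db|2007-09-14T14:20:00Z|
"""


@dataclass
class Extract:
    extract_id: str
    user: str
    database: str
    extracted_at: datetime
    erased_at: Optional[datetime]


@dataclass
class Finding:
    extract_id: str
    status: str    # compliant | erased_late | overdue | pending
    age_days: int  # days held before erasure, or days held so far


def parse_timestamp(value: str) -> datetime:
    """Parse the UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Extract]:
    """Parse the extract log; a malformed record is an audit finding in itself."""
    extracts = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        eid, user, db, extracted, erased = fields
        extracts.append(Extract(eid, user, db, parse_timestamp(extracted),
                                parse_timestamp(erased) if erased else None))
    return extracts


def classify(extract: Extract, now: datetime,
             max_retention: timedelta = MAX_RETENTION) -> Finding:
    """Decide whether one extract met (or can still meet) the erasure deadline."""
    deadline = extract.extracted_at + max_retention
    if extract.erased_at is not None:
        held = extract.erased_at - extract.extracted_at
        status = "compliant" if extract.erased_at <= deadline else "erased_late"
    else:
        held = now - extract.extracted_at
        status = "overdue" if now > deadline else "pending"
    return Finding(extract.extract_id, status, held.days)


def audit_extracts(text: str, now: datetime,
                   max_retention: timedelta = MAX_RETENTION) -> List[Finding]:
    """Run the retention check over every record in the log."""
    return [classify(e, now, max_retention) for e in parse_log(text)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status; statuses with no findings read as 0."""
    counts = Counter(f.status for f in findings)
    return {s: counts.get(s, 0)
            for s in ("compliant", "erased_late", "overdue", "pending")}


if __name__ == "__main__":
    # Evaluate the constructed log as of the end of fiscal year 2007.
    as_of = parse_timestamp("2007-09-30T00:00:00Z")
    results = audit_extracts(SAMPLE_LOG, as_of)
    for finding in results:
        print(f"{finding.extract_id}: {finding.status} ({finding.age_days} days)")
    print(summarize(results))
```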

Security Incident Procedures: 

Shortcomings exist in agencies' security incident reporting procedures. 
According to OMB, the number of incidents reported by agencies in their 
annual FISMA reports continued to fluctuate dramatically from the prior 
year. The majority of IGs reported that these agencies followed 
documented procedures for identifying and reporting incidents 
internally, to US-CERT, and to law enforcement. However, five IGs noted 
that the agency was not following procedures for internal incident 
reporting, two noted that their agency was not following reporting 
procedures to US-CERT, and one noted that the agency was not following 
reporting procedures to law enforcement. Several IGs also noted 
specific weaknesses in incident procedures such as components not 
reporting incidents reliably or consistently, components not keeping 
records of incidents, and incomplete or inaccurate incident reports. 
Without properly accounting for and analyzing security problems and 
incidents, agencies risk losing valuable information needed to prevent 
future exploits and understand the nature and cost of threats directed 
at the agency. 

Remedial Actions to Address Deficiencies in Information Security 
Policies, Procedures, and Practices: 

IGs reported weaknesses in their agency's remediation process. 
According to IG assessments, 10 of the 24 major agencies did not almost 
always incorporate information security weaknesses for all systems into 
their remediation plans. Twelve IGs found that vulnerabilities from 
reviews were not always included in remedial action plans and 10 IGs 
found that agencies were not always prioritizing weaknesses to help 
ensure they are addressed in a timely manner. Without a sound 
remediation process, agencies cannot be assured that information 
security weaknesses are efficiently and effectively corrected. 

Significant Control Deficiencies at Federal Agencies Place Sensitive 
Information and Systems at Risk: 

Our work and that of IGs show that significant weaknesses continue to 
threaten the confidentiality, integrity, and availability of critical 
information and information systems used to support the operations, 
assets, and personnel of federal agencies. In their fiscal year 2007 
performance and accountability reports, 20 of 24 major agencies 
indicated that inadequate information security controls were either a 
significant deficiency or a material weakness for financial statement 
reporting (see fig. 5).[Footnote 11] Our audits continue to identify 
similar conditions in both financial and non-financial systems, 
including agencywide weaknesses as well as weaknesses in critical 
federal systems. 

Figure 5: Number of Major Agencies Reporting Significant Deficiencies 
in Information Security: 

This figure is a pie graph showing number of major agencies reporting 
significant deficiencies in information security. 

Significant deficiency: 11; 
Material weakness: 9; 
No significant weakness: 4. 

[See PDF for image] 

Source: GAO analysis of agency performance and accountability reports 
for FY2007. 

[End of figure] 

Persistent weaknesses appear in five major categories of information 
system controls: (1) access controls, which ensure that only authorized 
individuals can read, alter, or delete data; (2) configuration 
management controls, which provide assurance that only authorized 
software programs are implemented; (3) segregation of duties, which 
reduces the risk that one individual can independently perform 
inappropriate actions without detection; (4) continuity of operations 
planning, which provides for the prevention of significant disruptions 
of computer-dependent operations; and (5) an agencywide information 
security program, which provides the framework for ensuring that risks 
are understood and that effective controls are selected and properly 
implemented. Figure 6 shows the number of major agencies with 
weaknesses in these five areas. 

Figure 6: Number of Major Agencies Reporting Weaknesses in Control 
Categories: 

This figure is a bar graph showing number of major agencies reporting 
weaknesses in control categories. 

[See PDF for image] 

Source: GAO analysis of agency, IG, and GAO reports for FY2007. 

[End of figure] 

Access Controls Were Not Adequate: 

A basic management control objective for any organization is to protect 
data supporting its critical operations from unauthorized access, which 
could lead to improper modification, disclosure, or deletion of the 
data. Access controls, which are intended to prevent, limit, and detect 
unauthorized access to computing resources, programs, information, and 
facilities, can be both electronic and physical. Electronic access 
controls include use of passwords, access privileges, encryption, and 
audit logs. Physical security controls are important for protecting 
computer facilities and resources from espionage, sabotage, damage, and 
theft. 

Most agencies did not implement controls to sufficiently prevent, 
limit, or detect access to computer networks, systems, or information. 
Our analysis of IG, agency, and our own reports uncovered that agencies 
did not have adequate controls in place to ensure that only authorized 
individuals could access or manipulate data on their systems and 
networks. To illustrate, 23 of 24 major agencies reported weaknesses in 
such controls. For example, agencies did not consistently (1) identify 
and authenticate users to prevent unauthorized access, (2) enforce the 
principle of least privilege to ensure that authorized access was 
necessary and appropriate, (3) establish sufficient boundary protection 
mechanisms, (4) apply encryption to protect sensitive data on networks 
and portable devices, and (5) log, audit, and monitor security-relevant 
events. Agencies also lacked effective controls to restrict physical 
access to information assets. We previously reported that many of the 
data losses occurring at federal agencies over the past few years were 
a result of physical thefts or improper safeguarding of systems, 
including laptops and other portable devices. 

Weaknesses Also Existed in Other Controls: 

In addition to access controls, other important controls should be in 
place to protect the confidentiality, integrity, and availability of 
information. These controls include the policies, procedures, and 
techniques for ensuring that computer hardware and software are 
configured in accordance with agency policies and that software patches 
are installed in a timely manner; appropriately segregating 
incompatible duties; and establishing plans and procedures to ensure 
continuity of operations for systems that support the operations and 
assets of the agency. 

However, 22 agencies did not always configure network devices and 
services to prevent unauthorized access and ensure system integrity, or 
patch key servers and workstations in a timely manner. In addition, 18 
agencies did not always segregate incompatible duties to different 
individuals or groups so that one individual does not control all 
aspects of a process or transaction. Furthermore, 23 agencies did not 
always ensure that continuity of operations plans contained all 
essential information or were sufficiently tested. Weaknesses in these 
areas increase the risk of unauthorized use, disclosure, modification, 
or loss of information. 

Agencywide Security Programs Were Not Fully Implemented: 

An underlying cause for information security weaknesses identified at 
federal agencies is that they have not yet fully or effectively 
implemented all the FISMA-required elements for an agencywide 
information security program. An agencywide security program, required 
by FISMA, provides a framework and continuing cycle of activity for 
assessing and managing risk, developing and implementing security 
policies and procedures, promoting security awareness and training, 
monitoring the adequacy of the entity's computer-related controls 
through security tests and evaluations, and implementing remedial 
actions as appropriate. Our analysis determined that 21 of 24 major 
federal agencies had weaknesses in their agencywide information 
security programs. Our recent reports illustrate that agencies often 
did not adequately design or effectively implement policies for 
elements key to an information security program. 

We identified weaknesses in information security program activities, 
such as agencies' risk assessments, information security policies and 
procedures, security planning, security training, system tests and 
evaluations, and remedial actions. For example, 

* One agency's risk assessment was completed without the benefit of an 
inventory of all the interconnections between it and other systems. In 
another case, an agency had assessed and categorized system risk levels 
and conducted risk assessments, but did not identify many of the 
vulnerabilities we found and had not subsequently assessed the risks 
associated with them. 

* Agencies had developed and documented information security policies, 
standards, and guidelines for information security, but did not always 
provide specific guidance for securing critical systems or implement 
guidance concerning systems that processed Privacy Act-protected data. 

* Security plans were not always up-to-date or complete. 

* Agencies did not ensure all information security employees and 
contractors, including those who have significant information security 
responsibilities, received sufficient training. 

* Agencies had tested and evaluated information security controls, but 
their testing was not always comprehensive and did not identify many of 
the vulnerabilities we identified. 

* Agencies did not consistently document weaknesses or resources in 
remedial action plans. 

As a result, agencies do not have reasonable assurance that controls 
are implemented correctly, operating as intended, or producing the 
desired outcome with respect to meeting the security requirements of 
the agency, and responsibilities may be unclear, misunderstood, and 
improperly implemented. Furthermore, agencies may not be fully aware of 
the security control weaknesses in their systems, thereby leaving their 
information and systems vulnerable to attack or compromise. 
Consequently, federal systems and information are at increased risk of 
unauthorized access to and disclosure, modification, or destruction of 
sensitive information, as well as inadvertent or deliberate disruption 
of system operations and services. In prior reports, we and the IGs 
have made hundreds of recommendations to agencies to address specific 
information security control weaknesses and program shortfalls. Until 
agencies effectively and fully implement agencywide information 
security programs, including addressing the hundreds of recommendations 
that we and IGs have made, federal information and information systems 
will not be adequately safeguarded to prevent their disruption, 
unauthorized use, disclosure, or modification. 

Incidents at Federal Agencies Place Sensitive Information and Systems 
at Risk: 

The need for effective information security policies and practices is 
further illustrated by the number of security incidents experienced by 
federal agencies that put sensitive information at risk. Personally 
identifiable information about millions of Americans has been lost, 
stolen, or improperly disclosed, thereby potentially exposing those 
individuals to loss of privacy, identity theft, and financial crimes. 
Reported attacks and unintentional incidents involving critical 
infrastructure systems demonstrate that a serious attack could be 
devastating. Agencies have experienced a wide range of incidents 
involving data loss or theft, computer intrusions, and privacy 
breaches, underscoring the need for improved security practices. 

These incidents illustrate that a broad array of federal information 
and critical infrastructures are at risk. 

* The Department of Veterans Affairs (VA) announced that computer 
equipment containing personally identifiable information on 
approximately 26.5 million veterans and active duty members of the 
military was stolen from the home of a VA employee. Until the equipment 
was recovered, veterans did not know whether their information was 
likely to be misused. VA sent notices to the affected individuals that 
explained the breach and offered advice concerning steps to reduce the 
risk of identity theft. The equipment was eventually recovered, and 
forensic analysts concluded that it was unlikely that the personal 
information contained therein was compromised. 

* The Transportation Security Administration (TSA) announced a data 
security incident involving approximately 100,000 archived employment 
records of individuals employed by the agency from January 2002 until 
August 2005. An external hard drive containing personnel data, such as 
Social Security number, date of birth, payroll information, and bank 
account and routing information, was discovered missing from a 
controlled area at the TSA Headquarters Office of Human Capital. 

* A contractor for the Centers for Medicare and Medicaid Services 
reported the theft of one of its employees' laptop computers from his 
office. The computer contained personal information including names, 
telephone numbers, medical record numbers, and dates of birth of 49,572 
Medicare beneficiaries. 

* The Census Bureau reported 672 missing laptops, of which 246 
contained some degree of personal data. Of the missing laptops 
containing personal information, almost half (104) were stolen, often 
from employees' vehicles, and another 113 were not returned by former 
employees. The Commerce Department reported that employees had not been 
held accountable for not returning their laptops. 

* The Department of State experienced a breach on its unclassified 
network, which daily processes about 750,000 e-mails and instant 
messages from more than 40,000 employees and contractors at 100 
domestic and 260 overseas locations. The breach involved an e-mail 
containing what was thought to be an innocuous attachment. However, the 
e-mail contained code to exploit vulnerabilities in a well-known 
application for which no security patch existed. Because the vendor was 
unable to expedite testing and deploy a new patch, the department 
developed its own temporary fix to protect systems from being further 
exploited. In addition, the department sanitized the infected computers 
and servers, rebuilt them, changed all passwords, installed critical 
patches, and updated their anti-virus software. 

* In August 2006, two circulation pumps at Unit 3 of the Tennessee 
Valley Authority's Browns Ferry nuclear power plant failed, forcing the 
unit to be shut down manually. The failure of the pumps was traced to 
excessive traffic on the control system network, possibly caused by the 
failure of another control system device. 

* Officials at the Department of Commerce's Bureau of Industry and 
Security discovered a security breach in July 2006. In investigating 
this incident, officials were able to review firewall logs for an 
8-month period prior to the initial detection of the incident, but were 
unable to clearly define the amount of time that perpetrators were 
inside its computers, or find any evidence to show that data was lost 
as a result. 

* The Nuclear Regulatory Commission confirmed that in January 2003, the 
Microsoft SQL Server worm known as "Slammer" infected a private 
computer network at the idled Davis-Besse nuclear power plant in Oak 
Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. 
In addition, the plant's process computer failed, and it took about 6 
hours for it to become available again. 

When incidents occur, agencies are to notify the federal information 
security incident center--US-CERT. As shown in figure 7, the number of 
incidents reported by federal agencies to US-CERT has increased 
dramatically over the past 3 years, increasing from 3,634 incidents 
reported in fiscal year 2005 to 13,029 incidents in fiscal year 2007 
(about a 259 percent increase). 

Figure 7: Incidents Reported to US-CERT in Fiscal Years 2005 through 
2007: 

This figure is a bar graph showing incidents reported to US-CERT in 
fiscal years 2005 through 2007. 

[See PDF for image] 

Source: GAO analysis of US-CERT data. 

[End of figure] 

Incidents are categorized by US-CERT in the following manner: 

* Unauthorized access: In this category, an individual gains logical or 
physical access without permission to a federal agency's network, 
system, application, data, or other resource. 

* Denial of service: An attack that successfully prevents or impairs 
the normal authorized functionality of networks, systems, or 
applications by exhausting resources. This activity includes being the 
victim or participating in a denial of service attack. 

* Malicious code: Successful installation of malicious software (e.g., 
virus, worm, Trojan horse, or other code-based malicious entity) that 
infects an operating system or application. Agencies are not required 
to report malicious logic that has been successfully quarantined by 
antivirus software. 

* Improper usage: A person violates acceptable computing use policies. 

* Scans/probes/attempted access: This category includes any activity 
that seeks to access or identify a federal agency computer, open ports, 
protocols, service, or any combination of these for later exploit. This 
activity does not directly result in a compromise or denial of service. 

* Investigation: Unconfirmed incidents that are potentially malicious 
or anomalous activity deemed by the reporting entity to warrant further 
review. 

As noted in figure 8, the three most prevalent types of incidents 
reported to US-CERT in fiscal year 2007 were unauthorized access, 
improper usage, and investigation. 

Figure 8: Percentage of Incidents Reported to US-CERT in FY07: 

This figure is a pie graph showing percentage of incidents reported to 
US-CERT in FY07. 

Investigations: 31%; 
Improper usage: 26%; 
Unauthorized access: 18%; 
Scans/probes/attempted access: 13%; 
Malicious code: 12%; 
Denial of service: <1%. 

[See PDF for image] 

Source: GAO analysis of US-CERT data. 

[End of figure] 

Opportunities Exist for Enhancing Federal Information Security: 

In prior reports, GAO and IGs have made hundreds of recommendations to 
agencies for actions necessary to resolve prior significant control 
deficiencies and information security program shortfalls. For example, 
we recommended agencies correct specific information security 
deficiencies related to user identification and authentication, 
authorization, boundary protections, cryptography, audit and monitoring, 
and physical security. We have also recommended that agencies fully 
implement comprehensive, agencywide information security programs by 
correcting weaknesses in risk assessments, information security 
policies and procedures, security planning, security training, system 
tests and evaluations, and remedial actions. The effective 
implementation of these recommendations will strengthen the security 
posture at these agencies. 

In addition, recognizing the need for common solutions to improving 
security, OMB and certain federal agencies have continued or launched 
several governmentwide initiatives that are intended to enhance 
information security at federal agencies. These key initiatives are 
discussed below. 

* The Information Systems Security Line of Business: The goal of this 
initiative is to improve the level of information systems security 
across government agencies and reduce costs by sharing common processes 
and functions for managing information systems security. Several 
agencies have been designated as service providers for IT security 
awareness training and FISMA reporting. 

* Federal Desktop Core Configuration: This initiative directs agencies 
that have Windows XP deployed and plan to upgrade to Windows Vista 
operating systems to adopt the security configurations developed by 
NIST, DOD, and DHS. The goal of this initiative is to improve 
information security and reduce overall IT operating costs. 

* SmartBUY: This program, led by GSA, is to support enterprise-level 
software management through the aggregate buying of commercial software 
governmentwide in an effort to achieve cost savings through volume 
discounts. The SmartBUY initiative was expanded to include commercial 
off-the-shelf encryption software and to permit all federal agencies to 
participate in the program. The initiative is to also include licenses 
for information assurance. 

* Trusted Internet Connections initiative: This is an effort designed 
to optimize individual agency network services into a common solution 
for the federal government. The initiative is to facilitate the 
reduction of external connections, including Internet points of 
presence, to a target of fifty. 

In addition to these initiatives, OMB has issued several policy 
memorandums over the past two years to help agencies protect sensitive 
data. For example, it has sent memorandums to agencies to reemphasize 
their responsibilities under law and policy to (1) appropriately 
safeguard sensitive and personally identifiable information, (2) train 
employees on their responsibilities to protect sensitive information, 
and (3) report security incidents. In May 2007, OMB issued additional 
detailed guidelines to agencies on safeguarding against and responding 
to the breach of personally identifiable information, including 
developing and implementing a risk-based breach notification policy, 
reviewing and reducing current holdings of personal information, 
protecting federal information accessed remotely, and developing and 
implementing a policy outlining the rules of behavior, as well as 
identifying consequences and potential corrective actions for failure 
to follow these rules. 

Opportunities also exist to enhance policies and practices related to 
security control testing and evaluation, FISMA reporting, and the 
independent annual evaluations of agency information security programs 
required by FISMA. 

* Clarify requirements for testing and evaluating security controls. 
Periodic testing and evaluation of information security controls is a 
critical element for ensuring that controls are properly designed, 
operating effectively, and achieving control objectives. FISMA requires 
that agency information security programs include the testing and 
evaluation of the effectiveness of information security policies, 
procedures, and practices, and that such tests be performed with a 
frequency depending on risk, but no less than annually. 

We previously reported[Footnote 12] that federal agencies had not 
adequately designed and effectively implemented policies for 
periodically testing and evaluating information security controls. 
Agency policies often did not include important elements for performing 
effective testing such as how to determine the frequency, depth, and 
breadth of testing according to risk. In addition, the methods and 
practices at six test case agencies were not adequate to ensure that 
assessments were consistent, of similar quality, or repeatable. For 
example, these agencies did not define the assessment methods to be 
used when evaluating security controls, did not test controls as 
prescribed, and did not include previously reported remedial actions or 
weaknesses in their test plans to ensure that they had been addressed. 
In addition, our audits of information security controls often identify 
weaknesses that agency or contractor personnel who tested the controls 
of the same systems did not identify. Clarifying or strengthening 
federal policies and requirements for determining the frequency, depth, 
and breadth of security controls according to risk could help agencies 
better assess the effectiveness of the controls protecting the 
information and systems supporting their programs, operations, and 
assets. 

* Enhance FISMA reporting requirements. Periodic reporting of 
performance measures for FISMA requirements and related analyses 
provides valuable information on the status and progress of agency 
efforts to implement effective security management programs. 

In previous reports, we have recommended that OMB improve FISMA 
reporting by clarifying reporting instructions and requesting IGs to 
report on the quality of additional performance metrics. OMB has taken 
steps to enhance its reporting instructions. For example, OMB added 
questions regarding incident reporting and assessments of system 
inventory. However, the current metrics do not measure how effectively 
agencies are performing various activities. Current performance 
measures offer limited assurance of the quality of agency processes 
that implement key security policies, controls, and practices. For 
example, agencies are required to test and evaluate the effectiveness 
of the controls over their systems at least once a year and to report 
on the number of systems undergoing such tests. However, there is no 
measure of the quality of agencies' test and evaluation processes. 
Similarly, OMB's reporting instructions do not address the quality of 
other activities such as risk categorization, security awareness 
training, intrusion detection and prevention, or incident reporting. 
OMB has recognized the need for assurance of quality for certain agency 
processes. For example, it specifically requested that IGs evaluate the 
quality of their agency's certification and accreditation process. OMB 
instructed IGs to rate their agency's certification and accreditation 
process using the terms "excellent," "good," "satisfactory," "poor," or 
"failing." For fiscal year 2007, OMB requested that IGs identify the 
aspect(s) of the certification and accreditation process they included 
or considered in rating the quality of their agency's process. Examples 
OMB included were security plan, system impact level, system test and 
evaluation, security control testing, incident handling, security 
awareness training, and security configurations (including patch 
management). While this information is helpful and provides insight on 
the scope of the rating, IGs are not requested to comment on the 
quality of these items. Providing information on the quality of the 
security-related processes used to implement key control activities 
would further enhance the usefulness of the annually reported data for 
management and oversight purposes. 

As we have previously reported, OMB's reporting guidance and 
performance measures did not include complete reporting on certain key 
FISMA-related activities. For example, FISMA requires each agency to 
include policies and procedures in its security program that ensure 
compliance with minimally acceptable system configuration requirements, 
as determined by the agency. In our report on patch 
management,[Footnote 13] we stated that maintaining up-to-date patches 
is key to complying with this requirement. As such, we recommended that 
OMB address patch management in its FISMA reporting instructions. OMB's 
current reporting instructions only request that IGs comment on whether 
or not they considered patching as part of their agency's certification 
and accreditation rating but nothing more. As a result, OMB and 
Congress lack information that could identify governmentwide issues 
regarding patch management. This information could prove useful in 
demonstrating whether or not agencies are taking appropriate steps for 
protecting their systems. 

* Consider conducting FISMA-mandated annual independent evaluations in 
accordance with audit standards or a common approach and framework. We 
previously reported that the annual IG FISMA evaluations lacked a 
common approach and that the scope and methodology of the evaluations 
varied across agencies. 

Similar to our previous reports, we found that the IGs continue to lack 
a common methodology, or framework, which has resulted in disparities in 
the type of work conducted, scope, methodology, and content of the IGs' 
annual independent evaluations. To illustrate: 

* Of 24 agency IGs, seven reported performing audits that were in 
accordance with generally accepted government auditing standards and 
one cited compliance with the Quality Standards for Inspections, issued 
by the President's Council on Integrity and Efficiency (PCIE).[Footnote 
14] The remaining IGs did not indicate whether or not their evaluations 
were performed in accordance with professional standards. 

* One IG indicated that the evaluation focused specifically on 
nonfinancial systems, while others cited work conducted for financial 
systems as part of their evaluations. In addition, multiple IGs 
indicated that their reviews were focused on selected components, 
whereas others did not make any reference to the scope or breadth of 
their work. 

* According to their FISMA reports, certain IGs reported interviewing 
officials and reviewing agency documentation, such as security plans. 
In addition, certain IGs also conducted technical vulnerability 
assessments. In contrast, other IGs did not indicate their methods for 
evaluating controls. 

* The content of the information reported by IGs varied. For example, 
several IGs only provided a completed OMB template, while others 
completed the OMB template and provided reports summarizing their 
evaluations. Content in these reports also differed in that several 
included comments on whether or not their agency was in compliance with 
laws and regulations. 

* Several reports consisted of a summary of relevant information 
security audits conducted during the fiscal year, while others included 
additional evaluations that addressed specific FISMA-required elements, 
such as risk assessments and remedial actions. Furthermore, some IGs 
issued recommendations to their agencies to improve the effectiveness 
of those agencies' information security programs, while others did not 
indicate whether or not recommendations were issued. 

These inconsistencies could hamper the efforts of the collective IG 
community to perform their evaluations with optimal effectiveness and 
efficiency. Conducting the evaluations in accordance with generally 
accepted government auditing standards and/or a robust commonly used 
framework or methodology could provide improved effectiveness, 
increased efficiency, quality control, and consistency in assessing 
whether the agency has an effective information security program. IGs 
may be able to use the framework and methodology to be more efficient 
by focusing evaluative procedures on areas of higher risk and by 
following an integrated approach designed to gather sufficient, 
competent evidence efficiently. Having a documented methodology may 
also offer quality control by providing a standardized methodology, 
which can help the IG community obtain consistency of application. 

Last year we reported on efforts to develop such a framework. In 
September 2006, the PCIE developed a tool to assist the IG community 
with conducting its FISMA evaluations. The framework consists of 
program and system control areas that map directly to the control areas 
identified in NIST Special Publication 800-100[Footnote 15] and NIST 
Special Publication 800-53,[Footnote 16] respectively. According to 
PCIE members, the framework includes broad recommendations rather than 
a specific methodology due to the varying levels of resources available 
to each agency IG. According to PCIE members, this framework is an 
effort to provide a common approach to completing the required 
evaluations, and PCIE has encouraged IGs to use it. 

In summary, agencies have reported progress in implementing control 
activities, but persistent weaknesses in agency information security 
controls threaten the confidentiality, integrity, and availability of 
federal information and information systems, as illustrated by the 
increasing number of reported security incidents. Opportunities exist 
to improve information security at federal agencies. OMB and certain 
federal agencies have initiated efforts that are intended to strengthen 
the protection of federal information and information systems. 
Opportunities also exist to enhance policies and practices related to 
security control testing and evaluation, information security 
performance metrics, and independent evaluations. Until such 
opportunities are seized and fully exploited and the hundreds of GAO 
and IG recommendations to mitigate information security control 
deficiencies and implement agencywide information security programs are 
fully and effectively implemented, federal information and systems will 
remain at undue and unnecessary risk. 

Mr. Chairman, this concludes my statement. I would be happy to answer 
questions at this time. 

Contact and Acknowledgments: 

If you have any questions regarding this report, please contact Gregory 
C. Wilshusen, Director, Information Security Issues, at (202) 512-6244 
or [email protected]. Other key contributors to this report include 
Nancy DeFranceso (Assistant Director), Larry Crosland, Neil Doherty, 
Rebecca LaPaze, Stephanie Lee, and Jayne Wilson. 

Footnotes: 

[1] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No.107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). 

[2] Most recently, GAO, High-Risk Series: An Update, GAO-07-310 
(Washington, D.C.: January 2007). 

[3] Office of Management and Budget, Fiscal Year 2007 Report to 
Congress on Implementation of The Federal Information Security 
Management Act of 2002, March 1, 2008. 

[4] The 24 major departments and agencies are the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Justice, Labor, State, Transportation, the Treasury, and 
Veterans Affairs, the Environmental Protection Agency, General Services 
Administration, National Aeronautics and Space Administration, National 
Science Foundation, Nuclear Regulatory Commission, Office of Personnel 
Management, Small Business Administration, Social Security 
Administration, and U.S. Agency for International Development. 

[5] OMB requires that agency management officials formally authorize 
their information systems to process information and accept the risk 
associated with their operation. This management authorization 
(accreditation) is to be supported by a formal technical evaluation 
(certification) of the management, operational, and technical controls 
established in an information system's security plan. 

[6] GAO, Information Security: Despite Reported Progress, Federal 
Agencies Need to Address Persistent Weaknesses, GAO-07-837 (Washington, 
D.C.: July 27, 2007). 

[7] "Malware" (malicious software) is defined as programs that are 
designed to carry out annoying or harmful actions. They often 
masquerade as useful programs or are embedded into useful programs so 
that users are induced into activating them. 

[8] Annual Threat Assessment of the Director of National Intelligence 
for the Senate Select Committee on Intelligence, Feb. 5, 2008. 

[9] GAO, Executive Guide: Information Security Management Learning From 
Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998). 

[10] GAO, Information Security: Protecting Personally Identifiable 
Information, GAO-08-343 (Washington, D.C.: Jan. 25, 2008). 

[11] A material weakness is a significant deficiency, or combination of 
significant deficiencies, that results in more than a remote likelihood 
that a material misstatement of the financial statements will not be 
prevented or detected. 

[12] GAO, Information Security: Agencies Need to Develop and Implement 
Adequate Policies for Periodic Testing, GAO-07-65 (Washington, D.C.: 
Oct. 20, 2006). 

[13] GAO, Information Security: Continued Action Needed to Improve 
Software Patch Management, GAO-04-706 (Washington, D.C.: June 2, 2004). 

[14] The President's Council on Integrity and Efficiency was 
established by executive order to address integrity, economy, and 
effectiveness issues that transcend individual government agencies and 
increase the professionalism and effectiveness of IG personnel 
throughout government. 

[15] NIST, Special Publication 800-100, Information Security Handbook: 
A Guide for Managers (Gaithersburg, Md.: October 2006). 

[16] NIST, Special Publication 800-53, Revision 2, Recommended Security 
Controls for Federal Information Systems (Gaithersburg, Md.: December 
2007). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 
441 G Street NW, Room LM 
Washington, D.C. 20548 

To order by Phone: 
Voice: (202) 512-6000 
TDD: (202) 512-2537 
Fax: (202) 512-6061 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm] 
E-mail: [email protected] 
Automated answering system: (800) 424-5454 or (202) 512-7470 

Congressional Relations: 

Ralph Dawn, Managing Director, [email protected] 
(202) 512-4400 
U.S. Government Accountability Office 
441 G Street NW, Room 7125 
Washington, D.C. 20548 

Public Affairs: 

Chuck Young, Managing Director, [email protected] 
(202) 512-4800 
U.S. Government Accountability Office 
441 G Street NW, Room 7149 
Washington, D.C. 20548