Posts Tagged ‘gao’

GAO Recommends FISMA Changes

Tuesday, May 26th, 2009

The US Government Accountability Office (GAO) has released a draft report summarizing the progress government agencies have made in implementing information security policies and practices under the Federal Information Security Management Act of 2002 (FISMA).

Six years after FISMA was enacted, the GAO reports that poor information security is still a widespread issue in the Federal government. In the 2008 performance and accountability reports, 20 out of 24 major agencies noted that information system controls over their financial systems and information were either a “significant deficiency” or a “material weakness.”

The GAO summary notes that:

Over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agencywide information security program, as required by FISMA.

23 out of 24 agencies were found to have weaknesses in their agencywide information security programs in 2008. Although agencies reported an increased compliance in implementing security controls in 2008, the GAO notes that there are shortcomings with implementing key control activities for the year.

For fiscal year 2008 reporting, agencies reported higher levels of FISMA implementation for most information security metrics and lower levels for others. Increases were reported in the number and percentage of employees and contractors receiving security awareness training, the number and percentage of systems with tested contingency plans, and the number and percentage of systems that were certified and accredited. However, the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly and the number and percentage of systems that had been tested and evaluated at least annually decreased slightly.

The GAO recommends that the current reporting requirements be changed so that inspectors general are required to report on the effectiveness of agency activities, which would help determine whether agencies are effectively implementing their policies, procedures and practices. The full list of GAO recommendations can be found in this PDF.

GAO Lists 12 Cybersecurity Strategy Improvements

Wednesday, April 1st, 2009

The US Government Accountability Office (GAO) recently released highlights of its study on cybersecurity. The report notes that key improvements are needed to strengthen the Nation’s posture and strongly criticizes the Department of Homeland Security (DHS) for having “yet to fully satisfy its responsibilities designated by the national cybersecurity strategy.” Here’s a summary of the report:

Pervasive and sustained computer-based (cyber) attacks against federal and private-sector infrastructures pose a potentially devastating impact to systems and operations and the critical infrastructures that they support. To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity nationwide. Congress and the Executive Branch, including the new administration, have subsequently taken actions to examine the adequacy of the strategy and identify areas for improvement. Nevertheless, GAO has identified this area as high risk and has reported on needed improvements in implementing the national cybersecurity strategy.

The GAO made 30 recommendations in key cybersecurity areas, including bolstering cyber analysis and warning capabilities, completing actions identified during cyber exercises, improving the cybersecurity of infrastructure control systems, strengthening DHS’ ability to help recover from Internet disruptions, and addressing cybercrime.

In addition to these areas identified as needing improvement, the GAO report identified 12 key strategy improvements:

  1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities
  2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy
  3. Establish a governance structure for strategy implementation
  4. Publicize and raise awareness about the seriousness of the cybersecurity problem
  5. Create an accountable, operational cybersecurity organization
  6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans
  7. Bolster public/private partnerships through an improved value proposition and use of incentives
  8. Focus greater attention on addressing the global aspects of cyberspace
  9. Improve law enforcement efforts to address malicious activities in cyberspace
  10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts
  11. Increase the cadre of cybersecurity professionals
  12. Make the federal government a model for cybersecurity

The GAO says that the nation’s federal and private-sector infrastructure systems remain at risk without these improvements. It suggests that the new administration consider these improvements as part of the nation’s cybersecurity strategy.

Via Network World