GAO: Federal IT security vulnerable despite progress
Although federal agencies reported increased compliance in implementing key information security control activities for fiscal year 2008, inspectors general are still noting shortcomings with implementation of information security requirements, according to a new report from the Government Accountability Office (GAO).

Significant weaknesses in information security policies and practices expose sensitive data to significant risk. Without proper safeguards, federal agencies' computer systems are vulnerable to intrusions by individuals and groups who have malicious intentions and can obtain sensitive information, commit fraud, disrupt operations or launch attacks against other computer systems and networks.

The GAO was asked to testify on its draft report regarding: (1) the adequacy and effectiveness of federal agencies' information security policies and practices and (2) their implementation of requirements under the Federal Information Security Management Act (FISMA), which permanently authorized and strengthened information security program, evaluation and annual reporting requirements for federal agencies.

In their fiscal year 2008 performance and accountability reports, 20 of 24 major agencies noted that the information system controls over their financial systems and information were either a significant deficiency or a material weakness. In addition, over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information.

An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agency-wide information security program, as required by FISMA. The GAO report said that 23 of the 24 major federal organizations had weaknesses in their agency-wide information security programs.

"The risks to federal systems are well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology," wrote Gregory C. Wilshusen, director of information security issues, in his statement to the Committee on Oversight and Government Reform of the U.S. House of Representatives.

"Over the past few years, the 24 major federal agencies have reported numerous security incidents in which sensitive information has been lost or stolen, including personally identifiable information, which has exposed millions of Americans to the loss of privacy, identity theft and other financial crimes," Wilshusen noted.

The 24 major departments and agencies (agencies) are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development.

For fiscal year 2008 reporting, agencies reported higher levels of FISMA implementation for most information security metrics and lower levels for others. Increases were reported in the number and percentage of employees and contractors receiving security awareness training, the number and percentage of systems with tested contingency plans, and the number and percentage of systems that were certified and accredited. However, the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly, and the number and percentage of systems that had been tested and evaluated at least annually decreased slightly.

In addition, the current reporting instructions do not ask inspectors general to report on the effectiveness of agencies' key activities and do not always provide them with clear guidance for annual reporting. This information could be useful in determining whether agencies are effectively implementing information security policies, procedures, and practices. Without such information, Congress may not be fully informed about the state of federal information security.

To read the entire report, visit