Gov't Infosec Incidents Soar by 650% in 5 Years

GAO Blames Weaknesses in Security Controls at 24 Major Agencies
In its annual review required by the Federal Information Security Management Act, the GAO blames weaknesses in information security controls at 24 major federal agencies for creating the risk environment. "Agencies have not fully implemented their information security programs," Gregory Wilshusen, GAO director of information security issues, writes in the 49-page report. "As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."
Today's news, in many respects, isn't new. In reports for fiscal years 2010 and 2011, Wilshusen says GAO and agency inspectors general have made hundreds of recommendations to agencies for actions necessary to resolve control deficiencies and information security program shortfalls. Agencies generally agreed with most of GAO's recommendations and indicated that they would implement them.
That fact - that agencies didn't always implement the recommendations - disturbs Sen. Thomas Carper, the Delaware Democrat who chairs a Senate subcommittee on government IT security. "These findings are all the more troubling given that GAO has been telling us for some time that these are areas of vulnerability and must be addressed, yet we still haven't made enough progress in shoring up these obvious weaknesses," Carper says in a statement accompanying release of the audit.
An exasperated Sen. Susan Collins, the ranking Republican on the Senate committee, suggests in that statement that the failure to secure critical IT systems and data extends beyond the agencies to the executive and legislative branches, which she faults for failing to provide leadership. "The government's work on this issue continues to be disjointed, ineffective and uncoordinated," Collins says. "Reform legislation continues to languish. This simply cannot continue because the stakes are far too high."
The prospect of significant cybersecurity reform, including updating FISMA, faces an uphill journey in Congress. In an article published last week on GovInfoSecurity.com (see Analysis: Dim Prospects for Cybersecurity Law in 2011), Melissa Hathaway, who led President Obama's cyberspace policy review, wrote that the prospects were dim for any significant cybersecurity legislation being enacted in the 112th Congress: "Bolder steps are needed but are unlikely to be taken given the combination of this fiscally constrained environment, politically divided Congress and the upcoming presidential election cycle."
GAO says the White House Office of Management and Budget, agencies and the National Institute of Standards and Technology have taken actions intended to improve the implementation of security requirements, but more work is necessary. Beginning in fiscal year 2009, OMB provided agencies with a new online tool to report their information security postures and, in fiscal year 2010, instituted the use of new and revised metrics. But, Wilshusen writes, OMB's guidance for those metrics didn't always provide performance targets for measuring improvement. Agencies also didn't consistently ensure that personnel with significant responsibilities received training; that security controls were monitored continuously; that weaknesses were remediated effectively; and that incidents were resolved in a timely manner.
"Until hundreds of recommendations are implemented and program weaknesses are corrected," Wilshusen says, "agencies will continue to face challenges in securing their information and information systems."