WASHINGTON – Homeland Security and Government Affairs Committee Ranking Member Joe Lieberman, D-Conn., says federal agencies are failing to fulfill their responsibilities for implementing effective information security policies and practices and must do a better job of safeguarding their computer resources.
A recent study by the Government Accountability Office (GAO) found that pervasive weaknesses exist in almost all areas of information security controls at 24 major agencies, threatening the integrity, confidentiality, and availability of federal information and information systems. The study was a requirement under the Federal Information Security Management Act (FISMA) enacted in 2002.
“Information security is critical to carrying out all government functions and to preventing the inappropriate disclosure of sensitive individual and national security information,” Lieberman said. “Protecting federal computer systems and the systems that support critical infrastructures has never been more important due to the emergence of new and more destructive attacks. Consequently, it is imperative that federal agencies improve information security.”
Some of the major deficiencies cited in the GAO report include the following:
• access controls, which ensure that only authorized individuals can read, alter, or delete data, were not effectively implemented
• software change controls, which provide assurances that only authorized software programs are implemented, were not always in place
• segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection, was not consistently implemented, and
• continuity of operations planning, which provides for the prevention of significant disruptions of computer-dependent operations, was often inadequate
The report concluded that “As a result, federal operations and assets are at increased risk of fraud, misuse, and destruction and these weaknesses place financial data at risk of unauthorized modification or destruction. In addition, these weaknesses place financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.”
In prior GAO reports, as well as reports by various Offices of the Inspector General, specific recommendations were made to each agency to remedy previously identified deficiencies. In this most recent report, the GAO recommended that the Director of the Office of Management and Budget (OMB) take the following steps:
• request the Inspectors General to report on the quality of additional agency processes, such as the annual system reviews
• require agencies to report FISMA data by risk category
• ensure that compliance with all key FISMA requirements is reported on annually, and
• review guidance to ensure clarity of instructions.
Senator Lieberman’s E-Government Act, which was signed into law on Dec. 17, 2002, included FISMA, a strengthened version of the Government Information Security Reform Act that he had originally coauthored in 2000. The law established guidelines for computer security throughout the federal government and provided for both OMB and Congressional oversight.
The GAO report is available at: http://www.gao.gov/new.items/d05552.pdf