GAO: IT security hampered by lack of consistent processes
- By Jason Miller
- Jul 28, 2004
With agency progress in certifying and accrediting their IT systems leveling off through the first six months of 2004, the Government Accountability Office is calling on the administration to ensure more consistency in the processes to improve federal cybersecurity.
In a report issued today, examiners found agencies certified and accredited 63 percent of their IT systems, up from 62 percent in 2003.
The Office of Management and Budget had set a goal for agencies to certify and accredit 90 percent of their systems by last December.
Additionally, the Federal Information Security Management Act of 2002 required OMB to create processes to ensure systems are protected.
And in the two years since FISMA became law, the audit agency found inconsistencies in OMB policy and how agencies interpret that policy affecting the rate of certification and accreditation.
GAO said seven agencies reported having more than 90 percent of their systems certified and accredited, while four agencies reported approval of less than 20 percent of their systems.
The report was requested by Reps. Tom Davis (R-Va.), Government Reform Committee chairman, and Adam Putnam (R-Fla.), chairman of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
'I have been disappointed in the status of information security in the federal government,' Putnam said. 'While 2003 demonstrated improvement, it is clear that greater focus and attention on reducing vulnerabilities and improving our overall information security profile is critical to the protection of federal computer networks and the information assets that they contain.'
Auditors recommended that the OMB do a better job of ensuring agencies implement IT security certification and accreditation processes consistent with guidance from the National Institute of Standards and Technology and FISMA.
GAO also suggested the administration make sure agency IT security processes include current risk assessments, control testing and evaluation, a tested contingency plan and identification of the accepted risks.
In addition to ensuring agencies consistently use the guidance, GAO recommended OMB improve its FISMA guidance to:
- Clarify the definition of national security systems, which are exempt from FISMA requirements
- Require agencies to report how they ensure the quality and consistency of their certification and accreditation processes
- Report on the status of their efforts to certify and accredit systems based on risk or impact assessments
- Encourage inspectors general to assess FISMA reporting processes and agency data as part of their independent evaluations.
OMB agreed with GAO's findings, and officials said many of the examiners' concerns would be addressed in the 2004 FISMA reporting guidance.
'I am disturbed at the overall results of this report,' Putnam said. 'The current information security threat environment that exists in the world today demands that the federal government lead by example and demonstrate dramatic improvement in the information security profile of individual agencies.'