GAO: IT security hampered by lack of consistent processes

With agency progress in certifying and accrediting their IT systems leveling off through the first six months of 2004, the Government Accountability Office is calling on the administration to ensure more consistency in the processes to improve federal cybersecurity.

In a report issued today, examiners found agencies certified and accredited 63 percent of their IT systems, up from 62 percent in 2003.

The Office of Management and Budget had set a goal for agencies to certify and accredit 90 percent of their systems by last December.

Additionally, the Federal Information Security Management Act of 2002 required OMB to create processes to ensure systems are protected.

And in the two years since FISMA became law, the audit agency found inconsistencies in OMB policy and how agencies interpret that policy affecting the rate of certification and accreditation.

GAO said seven agencies reported having more than 90 percent of their systems certified and accredited, while four agencies reported approval of less than 20 percent of their systems.

The report was requested by Reps. Tom Davis (R-Va.), Government Reform Committee chairman, and Adam Putnam (R-Fla.), chairman of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

'I have been disappointed in the status of information security in the federal government,' Putnam said. 'While 2003 demonstrated improvement, it is clear that greater focus and attention on reducing vulnerabilities and improving our overall information security profile is critical to the protection of federal computer networks and the information assets that they contain.'

Auditors recommended that the OMB do a better job of ensuring agencies implement IT security certification and accreditation processes consistent with guidance from the National Institute of Standards and Technology and FISMA.

GAO also suggested the administration make sure agency IT security processes include current risk assessments, control testing and evaluation, a tested contingency plan and identification of the accepted risks.

In addition to ensuring agencies consistently use the guidance, GAO recommended OMB improve its FISMA guidance to:

  • Clarify the definition of national security systems, which are exempt from FISMA requirements

  • Require agencies to report how they make ensure the quality and consistency of their certification and accreditation processes

  • Report on the status of their efforts to certify and accredit systems based on risk or impact assessments

  • Encourage inspectors general to assess FISMA reporting processes and agency data as part of their independent evaluations.

  • OMB agreed with GAO's findings, and officials said many of the examiners' concerns would be addressed in the 2004 FISMA reporting guidance.

    'I am disturbed at the overall results of this report,' Putnam said. 'The current information security threat environment that exists in the world today demands that the federal government lead by example and demonstrate dramatic improvement in the information security profile of individual agencies.'


    • Records management: Look beyond the NARA mandates

      Pandemic tests electronic records management

      Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

    • boy learning at home (Travelpixs/

      Tucson’s community wireless bridges the digital divide

      The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

    Stay Connected