GAO: Federal Reserve needs better controls over auction systems

The Federal Reserve needs to bolster security controls for its distributed-based systems and supporting network environment used for Treasury Department securities auctions, the Government Accountability Office said.

Federal Reserve banks have in general implemented effective information system controls over the mainframe applications they maintain and operate for the Treasury Department's Bureau of the Public Debt to support auctions and financial reporting, GAO said in its report released yesterday.

But Fed banks did not consistently identify and authenticate users to prevent unauthorized access, ensure that access was authorized only when necessary and appropriate, and implement adequate boundary protections to limit connectivity to systems that process Public Debt business.

'Without consistent application of these controls, the auction information and computing resources for key distributed-based auction systems remain at increased risk of unauthorized and possibly undetected use, modification, destruction and disclosure,' GAO said in its report authored by Gregory Wilshusen, director of GAO's information security issues; Keith Rhodes, GAO's chief technologist; and Gary Engel, director of GAO financial management and assurance.

The Federal Reserve needs to establish a management structure to ensure that decentralized IT security is effective and put in place an application test environment for the auction systems. The Fed also should correct weaknesses in identification and authentication, authorization, boundary protection, encryption, auditing, and monitoring and configuration management.

The Fed has already taken corrective actions, including improving its ability to coordinate and oversee its operational and technical environments, and replacing its existing auction applications and operational infrastructure by the end of 2007, said Louise Roseman, director of the Federal Reserve's division of Reserve bank operations and payments systems.

'We have also taken actions to improve our ability to coordinate and oversee our complex IT systems effectively,' she said.

The Fed and Treasury plan to validate the integrity of the new application and infrastructure at several points during the development of the application, she said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

