Infrastructure security on GAO's high-risk list
- By Richard W. Walker
- Jan 31, 2007
Programs designed to safeguard the nation's critical infrastructures including federal computer systems, remain a 'continuing concern,' the Government Accountability Office reported today.
The government's systems security and critical infrastructure protection (CIP) programs were among 27 areas on GAO's 2007 'high-risk' list. Federal information security, which has been on GAO's annual list of high-risk operations since 1997, is still hampered by weaknesses in information security management, GAO said in its recent report
Other areas at risk include the IRS' Business Systems Modernization initiative and programs aimed at protecting technologies critical to U.S. national-security interests, GAO said.
On the CIP front, many agencies still haven't complied with the Federal Information Security Management Act of 2002's requirement to develop, document and implement information security programs, according to the report. Specifically, agencies are not uniformly creating and maintaining security plans, devising and testing contingency plans, and evaluating security controls managed by contractors.
Progress on CIP must involve collaboration among agencies across the government, comptroller general David M. Walker, head of GAO, told a Capitol Hill news briefing.
'This is an example of something that clearly is an interagency effort,' Walker said. 'It involves the intelligence community, broadly defined, and a number of other agencies, including law enforcement agencies, in order to get that done. ' I think the biggest transformational challenges that we face are in defense, homeland security and intelligence, and this really intersects all three.'
The report singled out the Homeland Security Department and its National Cyber Security Division, which represents the focal point for federal efforts to protect critical infrastructures, for not completely meeting 'any of its key responsibilities.' For instance, GAO said, DHS has failed to develop national cyberthreat and vulnerability assessments or public-private recovery plans for cybersecurity. Hurdles to reducing CIP risk at DHS include the lack of leadership crucial to gaining the trust of other stakeholders in the cybersecurity world and the absence of organizational stability at the department.
'Until DHS fulfills its cybersecurity responsibilities, our nation's critical infrastructures will remain at risk,' the report said.
DHS itself is still at high risk, GAO found. The department still needs to develop a departmentwide transformation strategy and improve its management systems to fully integrate the 22 agencies it comprises, GAO said.
IRS's Business Systems Modernization program has been on GAO's risk list since 1995 and, despite recent progress, 'improvements made have not been sustained long enough to provide confidence that the program is fully stable,' according to the report. IRS needs to improve processes for designing and delivering modernized IT systems and utilize cost-based performance measures to help evaluate the effectiveness of programs over time, GAO said.
The protection of technologies critical to national security interests, a newcomer to GAO's list, pertains largely to military and weapons technologies sold to foreign countries by U.S. companies and by the U.S. government for foreign policy, security and economic reasons. While these technologies 'continue to be targets for theft, espionage, reverse engineering and illegal export,' programs designed to protect them are stymied by abstruse interagency processes and inefficient program operations. For example, Commerce and State have yet to clearly determine which department controls the export of certain missile technologies, which heightens the risk that these items will fall into the wrong hands, GAO said.
Other areas on GAO's 2007 high-risk list are Defense Department contracting, financial management and business transformation programs.
The list identifies programs, policies and operations that need broad-based transformation or are vulnerable to fraud, waste and abuse, and mismanagement.