GAO: Federal Cybersecurity Problems Remain

According to a recent report from the Government Accountability Office, despite efforts to implement stronger cybersecurity controls, several federal agencies remain in a weakened state. Since 2006, security incident reports have risen over 650 percent.

“Federal agencies have reported increasing numbers of security incidents that placed sensitive information at risk. When incidents occur, agencies are to notify the federal information security incident center—US-CERT. Over the past 5 years, the number of incidents reported by federal agencies to US-CERT has increased from 5,503 incidents in fiscal year 2006 to 41,776 incidents in fiscal year 2010, an increase of over 650 percent,” the GAO notes.

The watchdog further notes that the reason for the year-to-year increase is that agencies have not fully implemented their information security programs. In 2002, the FISMA Act established information security program, evaluation, and annual reporting requirements for federal agencies. So it isn’t as if they are unaware of their responsibilities.

“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs. As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise,” the report explains.

“Until hundreds of recommendations are implemented and program weaknesses are corrected, agencies will continue to face challenges in securing their information and information systems. GAO is recommending that the Director of OMB provide performance targets for metrics included in OMB’s annual FISMA reporting instructions to agencies and inspectors general.”

Examining the top reasons for poor performance, the GAO said that agencies did not always ensure personnel with significant responsibilities received training; failed to ensure security controls were monitored continuously; failed to ensure weaknesses were remediated effectively; and lacked oversight to ensure discovered incidents were resolved in a timely manner.

Another finding, directed at the OMB, is that while new cybersecurity metrics have been given to federal agencies, a lack of planning to provide performance targets to measure improvement contributed to the jump in reported incidents.

The full report from the GAO is available here.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.