The U.S. Government Accountability Office (GAO) studied how the agencies were responding to the regulations described in the Federal Information Security Management Act of 2002 (FISMA). The mandate requires government entities to develop and implement an agencywide information security program. Inspectors general conduct annual reviews of agency progress.
The GAO review, which took place between last December and this month, concluded that, partly based on inspectors general and federal Office of Management and Budget (OMB) reports, that 23 of 24 agencies contain lax controls to ensure that only approved users can access system data. Meanwhile, 22 of 24 agencies described information security as a "major management challenge," according to the report.
The report added that agencies' security posture also fell short in other areas, including encrypting sensitive data on networks and portable devices, logging and auditing security events, configuring network devices, segregating duties and patching servers and computers in timely manners.
"Six years after FISMA was enacted, we continue to report that poor information security is a widespread problem with potentially devastating consequences," Gregory Wilshusen, director of GAO's Information Security Issues, said in the report, which was presented Tuesday to a U.S. House subcommittee. "Over the past few years, the 24 major federal agencies have reported numerous security incidents in which sensitive information has been lost or stolen, including personally identifiable information, which has exposed millions of Americans to the loss of privacy, identity theft and other financial crimes."
The report noted some positives, including increased user awareness training and more certification and accreditation of information systems. But the review also found that the number and percentage of systems evaluated at least once a year dropped slightly and the number and percentage of security workers who received specialized training fell from 90 percent to 76 percent, from 2007 to 2008.
Some experts said the report missed the mark. Rich Cummings, CTO of HBGary, a memory forensics and incident response company, said the most pressing issue facing organizations is the amount of malware entering their environments.
"I think we're asking the wrong questions," he told SCMagazineUS.com on Thursday. "From our perspective, the real weakness is in malicious detection. The government has not forced the commercial vendors to improve malicious code detection. Incidents continue to rise, and it's not because people are authenticated improperly. It's because malicious code is coming in."
In a recommendation, the GAO said OMB should better describe the effectiveness of information security programs so that Congress can more effectively "monitor and assist federal agencies in improving the state of federal information security."