A recent study requested by the chairman of the U.S. House of Representatives Committee on Government Reform found that many federal agencies are not properly testing their information security controls.
A Government Accountability Office (GAO) report released this week summarized the findings of a nine-month study of 24 major agencies.
Requested by Rep. Tom Davis, R-Va., the probe looked into how well agencies are keeping tabs on their security controls.
"Agencies have not adequately designed and effectively implemented policies for periodically testing information security controls," wrote Gregory C. Wilshusen, director of information security for the GAO. "While almost all agencies had documented policies for security testing, the policies did not always adequately address elements important for effective testing."
Wilshusen and his team also examined six agencies in depth as case studies. The GAO found that these six agencies consistently failed to document their test methods and results, did not define their assessment methods, did not actually test their controls, and could not determine whether previously reported problems had been addressed.
Government agencies are mandated by the Federal Information Security Management Act (FISMA) to take these steps and others to improve information security.
The GAO reported that many agencies have made an effort to improve their yearly FISMA scores, but said the White House Office of Management and Budget (OMB) should offer better guidance to agencies that fail to test their information security system controls.
"What this shows is that we have a long way to go to ensure Americans the information their government keeps about them is safe," said Davis. "We're going to do this, but it's going to take time."