Federal Agencies Struggle to Address Information Security Vulnerabilities

Published: July 29, 2015


Reported information security incidents have grown by over 1100% since 2006, increasing from around 5,500 to over 67,000 in 2014. The number of these incidents involving personal information is on the rise as well.

Since the late 1990s, government watchdogs have called out federal information security as a government-wide high-risk area. In 2003, this area was expanded to include computerized systems related to the nation’s critical infrastructure. In the 2015 update to the government’s high-risk list, this area was further expanded to include protecting the privacy of personally identifiable information (PII) that is collected, maintained, and shared by both federal and non-federal entities. 

It seems a new security issue or breach is being featured in the news with greater frequency. Indeed, government agencies face information security threats that are increasing in number and complexity. Over the last nine years, the United States Computer Emergency Readiness Team (US-CERT) has recorded a steady increase in the number of incidents reported.

In a recent report, the Government Accountability Office (GAO) has identified a number of challenges federal agencies face in addressing threats to their cybersecurity, including the following:

  • designing and implementing a risk-based cybersecurity program,
  • enhancing oversight of contractors providing IT services,
  • improving security incident response activities,
  • responding to breaches of personal information, and
  • implementing cybersecurity programs at small agencies.

The GAO’s report included a review of various assessments from 24 federal agencies. The reviewed organizations were the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; General Services Administration; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and the U.S. Agency for International Development. The conclusions drawn from those reviews indicate that security vulnerabilities are a pervasive issue across government, and five categories of security controls were highlighted as particularly widespread. While technology plays a role in some of these areas, these pain points show that agencies are also contending with hurdles related to governance, personnel, and risk management strategies.

Out of the 24 agencies GAO reviewed in FY 2014, nearly all of them experienced issues with security management, access control, and configuration management. Many also lagged when it came to continuity of operations and segregation of duties. The Department of Homeland Security (DHS) and Office of Management and Budget (OMB) have several initiatives underway to address personal identity verification, continuous diagnostics and mitigation, and a national protection system. These efforts will help to gain ground in particular areas, but agencies will still need to ensure they take a holistic view of risk management and attend to foundational requirements like personnel training, consistent process application, and employment of appropriate technologies.