Federal Agencies (still) Have Major Weakness in Their Cybersecurity Controls

During fiscal year (FY) 2016, federal agencies continued to experience weaknesses in protecting their information and information systems due to ineffective implementation of information security policies and practices. That is the conclusion made by the Government Accountability Office (GAO) in a recent study, Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices released in late September.

In their review the GAO sought two objectives, “to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) the extent to which agencies with governmentwide responsibilities have implemented their requirements under FISMA,” the Federal Information Security Modernization Act, first enacted in 2002 and updated in 2014.

GAO categorized information security-related weaknesses reported by the 24 Chief Financial Officers Act (CFO) agencies, their Inspectors General (IGs), and the Office of Management and Budget (OMB) according to the control areas defined in the Federal Information System Controls Audit Manual (FISCAM); reviewed prior GAO work; examined OMB, DHS, and NIST documents; and interviewed agency officials.

The 24 CFO Act agencies are: the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Interior, Justice, Labor, State, Transportation, Treasury, and Veterans Affairs; the Environmental Protection Agency; General Services Administration; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and the U.S. Agency for International Development.

What GAO found was that most of the 24 CFO Act agencies had weaknesses in five major control areas—access controls, configuration management controls, segregation of duties, contingency planning, and agencywide security management. (See chart below.)  Further, GAO’s and IGs’ assessments of agency information security programs, policies, and practices concluded that most federal agencies did not have effective information security program functions in FY 2016 and that many of the hundreds of past recommendations to address these security deficiencies have not yet been fully implemented.

For each of the five major control categories the critical areas where agencies exhibited the most weaknesses are:

• Access Controls – identification and authentication, authorization, and audit and monitoring
• Agencywide Security Management – security management program establishment and security program monitoring critical elements
• Configuration Management – configuration identification, configuration change management, and patch management
• Segregation of Duties – segregation of incompatible duties and establishment of related policies
• Contingency Planning – contingency planning and contingency plan testing

Implications

While looking back at the federal government’s security posture in FY 2016 has its limits in value—one would assume that they have made at least some significant progress in FY 2017—the fact that so many agencies had so many major weakness up through FY 2016 seems well worthy of concern, and action.

For the areas of weaknesses that still persist it is likely that agencies are working to address them through a combination of internal leadership and partnership with those outside their agency, including industry.

Some of these deficiencies may be addressed through updated tools available from industry for effectively implementing and managing things like access controls, configuration management, and security program monitoring.

Agencies will also continue to need the assistance of industry partners that can assist them in developing and instituting the information security governance policies, practices and procedures necessary to not only improve their performance on internal audits and assessments, but also to position them for nimbleness in adapting to the cybersecurity challenges of the future.