GAO’s Federal Financial Audit Calls Out Ongoing Information Security Deficiencies
Published: January 24, 2013
If any federal topic competes for prominence with the budget and financial policy, it is information security, or cybersecurity as it has come to be called. Even the Government Accountability Office’s (GAO) recent audit of the government’s latest financial statements highlights significant problems with federal information security practices. GAO’s findings in this area identify both the risks involved and the specific weaknesses agencies need to correct.
Each year, the U.S. Secretary of the Treasury, in coordination with the Director of the Office of Management and Budget, is required to submit audited financial statements for the U.S. government to the President and Congress. GAO is required to audit these statements, and its latest report not only highlights issues with the government’s finances and financial reporting but also notes significant deficiencies in its information security practices.
Information Security Risk Areas
GAO has designated information security a government-wide high-risk area in every report since 1997. It acknowledges that progress has been made on the performance measures and reporting processes needed to monitor and assess the effectiveness of agencies’ information security programs (e.g., under FISMA). GAO also credits progress in moving agencies toward trusted internet connections, expanding continuous monitoring capabilities, and strengthening authentication through the use of smart card credentials. However, “serious and widespread information security control deficiencies” continue to expose federal information, systems and assets to:
- Inadvertent or deliberate misuse of federal assets,
- Unauthorized modification or destruction of financial information,
- Inappropriate disclosure of sensitive information, and
- Disruption of critical operations.
Information Security Deficiencies
The specific information security control deficiencies that GAO identified are related to the following areas:
- Security management,
- Access to computer resources (data, equipment, and facilities),
- Changes to information system resources,
- Segregation of incompatible duties, and
- Contingency planning.
These deficiencies clearly increase the risk to federal financial management systems and to the data they store and transmit, but the root cause GAO identifies is the most concerning part. According to GAO, “a primary reason for these deficiencies is that federal entities generally have not yet fully institutionalized comprehensive security management programs, which are critical to identifying information security control deficiencies, resolving information security problems, and managing information security risks on an ongoing basis” (emphasis added). In other words, the individual control failures are symptoms; the underlying problem is the absence of a sustained program to find, fix and track them.
Much has been said about the national security implications of the information security preparedness of public- and private-sector critical infrastructure, including energy, financial, transportation, health and communications. While some legislative and policy initiatives seek to expand federal regulatory authority over these sectors, such moves may be premature until federal agencies can get their own information security house in order. As GAO notes, until agencies identify and resolve these and other information security deficiencies and manage information security risk more effectively going forward, federal data and systems will remain at risk of disruption, destruction and unauthorized disclosure. This ongoing challenge is why, even in an atmosphere of budget scrutiny where no area or program seems safe from the budget axe, information security remains a priority and will likely see increased resource allocation in internal staffing, outside contractor support, and technological tools and infrastructure.