Federal Agencies’ Security Weak

Monday, October 5, 2015 @ 06:10 PM gHale

In the wake of security lapses in various government agencies, the federal government needs to toughen its approach to security, a new report said.

Despite years of recommendations and billions of dollars spent, most federal agencies remain frighteningly weak when it comes to cyber security, according to the report from the Government Accountability Office (GAO).

“Federal agencies’ information and systems remain at a high risk of unauthorized access, use, disclosure, modification, and disruption,” the GAO report said. “These risks are illustrated by the wide array of cyber threats, an increasing number of cyber incidents, and breaches of [personally identifiable information (PII)] occurring at federal agencies. Agencies also continue to experience weaknesses with effectively implementing security controls, such as those for access, configuration management, and segregation of duties. OMB and federal agencies have initiated actions intended to enhance information security at federal agencies. Nevertheless, persistent weaknesses at agencies and breaches of PII demonstrate the need for improved security. Until agencies correct longstanding control deficiencies and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at increased and unnecessary risk of attack or compromise.”

All of this weakness shows in the face of unrelenting attacks. The GAO noted the number of information security incidents affecting systems supporting the federal government has grown 1,121 percent since 2006, from 5,503 incidents in 2006 to 67,168 in fiscal year 2014. Similarly, the number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.

At the same time as the risks have grown exponentially, spending on security systems has grown with them, to little apparent avail. From fiscal year 2010 to fiscal year 2014, 24 agencies reported spending anywhere between $10.3 and $14.6 billion annually on cyber security, including $12.7 billion in fiscal year 2014, which was a 23 percent increase from fiscal year 2013, the GAO said. For fiscal years 2013 and 2014, agencies reported information security spending in areas that include preventing malicious cyber activity; detecting, analyzing, and mitigating intrusions; and shaping the cyber security environment, the GAO stated.

Most agencies continue to have weaknesses in a number of areas, the GAO stated, including:
• Limiting, preventing, and detecting inappropriate access to computer resources
• Managing the configuration of software and hardware
• Segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation
• Planning for continuity of operations in the event of a disaster or disruption
• Implementing agency-wide security management programs critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.

“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies’ efforts to fully implement effective information security programs. In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented.”
