"In their fiscal year 2008 performance and accountability reports, 20 of 24 major agencies noted that the information system controls over their financial systems and information were either a material weakness or a significant deficiency," said Gregory Wilshusen, director for information security issues at the GAO, testifying before the House of Representatives Subcommittee on Government Management, Organization, and Procurement.
"Over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information," he added. He blamed the deficiency directly on a lack of agency-wide information security programs as required by FISMA, Federal legislation that mandated Federal information security programs. "Six years after FISMA was enacted, we continue to report that poor information security is a widespread problem with potentially devastating consequences."
Agencies had failed on various levels, said Wilshusen, citing tasks that read like a basic security checklist. Authorizing users, implementing principles of least privilege, establishing boundary protection mechanisms, encrypting data, and logging security-related events were areas where agencies had failed.
"Agencies did not have adequate controls in place to ensure that only authorized individuals could access or manipulate data on their systems and networks. Weaknesses were reported in such controls at 23 of 24 major agencies for fiscal year 2008," he warned.
Other inadequacies included nine of the 24 agencies failing to physically secure information assets. And the percentage of employees with significant security responsibilities who had received specialized information security training plummeted from 90% in 2007 to 76% in 2008, said the report.
The Office of Management and Budget, which is responsible for issuing FISMA reporting instructions and approving agencies' reports, also seemed to be asleep at the wheel. The GAO said that it had failed to enforce effectiveness reporting for agencies, and had failed to approve or disapprove agencies' information security programs in fiscal 2008, as required under FISMA.
"Shortcomings in reporting and oversight can result in insufficient or misleading information being provided to Congress and diminish its ability to monitor and assist Federal agencies in improving the state of Federal information security," said Wilhausen.
There were some positive signs. The number of inspectors general using professional standards in their reporting of FISMA clients doubled year-on-year to 16. Nevertheless, the dire performance has once again caused the GAO to flag information security as a government-wide high-risk issue in its annual report to Congress, for the 13th year running.
The testimony was prepared as President Obama prepared for a major announcement on cybersecurity to take place on May 21, widely anticipated to address issues raised in Melissa Hathaway's cybersecurity review, which was submitted internally late last month but which has still not been made publicly available.