Skip to main content

Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems

GAO-16-501 Published: May 18, 2016. Publicly Released: Jun 21, 2016.
Jump To:
Skip to Highlights

Highlights

What GAO Found

In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently-occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting their high-impact systems, with almost 500 of the incidents involving the installation of malicious code.

Government entities have provided guidance and established initiatives and services to aid agencies in protecting their systems, including those categorized as high impact. The National Institute of Standards and Technology has prescribed federal standards for minimum security requirements and guidance on security and privacy controls for high-impact systems, including 83 controls specific to such systems. The Office of Management and Budget (OMB) is developing plans for shared services and practices for federal security operations centers but has not issued them yet. In addition, agencies reported that they are in the process of implementing various federal initiatives, such as tools to diagnose and mitigate intrusions on a continuous basis and stronger controls over access to agency networks.

The National Aeronautics and Space Administration (NASA), Nuclear Regulatory Commission (NRC), Office of Personnel Management (OPM), and Department of Veterans Affairs (VA) had implemented numerous controls over the eight high-impact systems GAO reviewed. For example, all the agencies reviewed had developed a risk assessment for their selected high-risk systems. However, the four agencies had not always effectively implemented access controls. These control weaknesses included those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities. Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs, as shown in the table.

Agency Implementation of Key Information Security Program Elements for Selected Systems

 

NASA

NRC

OPM

VA

Risk assessments

Security plans

Controls assessments

Remedial action plans

Source: GAO analysis of agency documentation. | GAO-16-501

Note: ● – Met ◐– Partially met ○ – Did not meet

Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption.

Why GAO Did This Study

Federal systems categorized as high impact—those that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm—warrant increased security to protect them. In this report, GAO (1) describes the extent to which agencies have identified cyber threats and have reported incidents involving high-impact systems, (2) identifies government-wide guidance and efforts to protect these systems, and (3) assesses the effectiveness of controls to protect selected high-impact systems at federal agencies. To do this, GAO surveyed 24 federal agencies; examined federal policies, standards, guidelines and reports; and interviewed agency officials. In addition, GAO tested and evaluated the security controls over eight high-impact systems at four agencies.

Recommendations

GAO recommends that OMB complete its plans and practices for securing federal systems and that NASA, NRC, OPM, and VA fully implement key elements of their information security programs. The agencies generally concurred with GAO's recommendations, with the exception of OPM. OPM did not concur with the recommendation regarding evaluating security control assessments. GAO continues to believe the recommendation is warranted.

In separate reports with limited distribution, GAO is making specific recommendations to each of the four agencies to mitigate identified weaknesses in access controls, patch management, and contingency planning.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue Circular A-130.
Closed – Implemented
The Office of Management and Budget generally concurred with this recommendation. In fiscal year 2016 we verified that OMB issued an updated Circular A-130 on July 28, 2016.
National Aeronautics and Space Administration
Priority Rec.
To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should provide and track specialized training for all individuals who have significant security responsibilities.
Closed – Implemented
The National Aeronautics and Space Administration (NASA) concurred with our recommendation. In fiscal year 2016 we verified that NASA provides through its training system, a catalog of NASA-sponsored learning opportunities and links to externally sponsored opportunities. Additionally, NASA uses this system to track individuals' training plans and compliance.
National Aeronautics and Space Administration
Priority Rec.
To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.
Closed – Implemented
NASA concurred with the recommendation. In fiscal year 2018 we verified that the agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. NASA has issued updated security assessment plans that include the test procedures to be performed for the two selected high-impact systems.
National Aeronautics and Space Administration
Priority Rec.
To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.
Closed – Implemented
NASA concurred with the recommendation. In fiscal year 2019 we verified that NASA has taken steps to ensure comprehensive testing of the technical security controls for the systems we examined. NASA's security assessments include on-site testing of controls and component testing, in addition to interviews and document reviews. Its System Assessment Reports (SARs) show that the agency has re-evaluated the control assessments for selected systems, and identified controls that did not meet requirements. The agency has also identified deficiencies in the scope of tests for some security controls. In addition, NASA has developed recommendations to review the scope of testing annually as part of its continuous monitoring efforts.
National Aeronautics and Space Administration
Priority Rec.
To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.
Closed – Implemented
NASA concurred with the recommendation. In fiscal year 2018, we verified that NASA has implemented a system that generates plans of action and milestones (POA&Ms). The agency provided, for the two selected systems, examples of POA&Ms that include responsible organizations and sources of funding, as well as estimated funding, updated milestones, and completion dates.
National Aeronautics and Space Administration
Priority Rec.
To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.
Closed – Implemented
NASA concurred with the recommendation. The agency updated its information security continuous monitoring strategy by defining metrics to assess the effectiveness of its information security efforts. In addition, the strategy specifies how frequently each metric must be monitored and reported.
Nuclear Regulatory Commission To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.
Closed – Implemented
The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2017 we verified that NRC changed the security level of one of the high-impact systems to moderate. Consequently, our recommendation to update security plans to meet controls specific to high-impact systems no longer applies to this system. In fiscal year 2017 we also verified that NRC, in response to our recommendation, issued an updated system security plan for the other high-impact system that we reviewed. This plan addresses all controls specific to high-impact systems and offers explanations for those instances where a control is not implemented.
Nuclear Regulatory Commission To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should provide and track specialized training for all individuals who have significant security responsibilities.
Closed – Implemented
The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2016 we verified that NRC is providing specialized security training for staff with significant security responsibilities in information technology, is defining training requirements, and is tracking compliance.
Nuclear Regulatory Commission To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.
Closed – Implemented
NRC concurred with our recommendation. In December 2016 NRC changed the security level of one of the high-impact systems to moderate. Consequently, our recommendation to reevaluate security control assessments to meet controls specific to high-impact systems no longer applies to this system. In fiscal year 2018 we verified that NRC has fully implemented a continuous monitoring process for the remaining high-impact system. NRC now conducts quarterly security testing and the results of these tests are evaluated in assessment reports that list the system's percentage of compliance for security, privacy, and program management controls.
Nuclear Regulatory Commission To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.
Closed – Implemented
NRC concurred with our recommendation. In fiscal year 2018 we verified that the agency has substantially addressed this recommendation by updating its plans of action and milestones (POA&Ms) to include the organization responsible for each POA&M, and scheduled completion dates. NRC does not include the estimated funding or the funding source in the POA&Ms, however. According to the agency, POA&Ms are not individually evaluated for cost estimates and resources needed because of the high volume of POA&Ms and the nature of the findings. NRC's cybersecurity budget, which is provided to OMB, includes POA&M remediation. Funding for POA&M remediation is also included in contracts for operations and maintenance services.
Nuclear Regulatory Commission To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.
Closed – Implemented
NRC concurred with our recommendation. NRC has issued an Office Instruction that lists the metrics NRC will use to continuously monitor the security status of systems owned and used by the agency. The instruction also specifies the frequency with which NRC is to conduct status monitoring, ranging from quarterly to continuous.
Office of Personnel Management
Priority Rec.
To improve agency information security programs, Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.
Closed – Implemented
OPM agreed with the recommendation. In 2018 OPM decommissioned one of the two systems we assessed in our audit. In fiscal year 2019 we verified that OPM updated the system security plan of the remaining system to address all high-impact specific controls.
Office of Personnel Management
Priority Rec.
To improve agency information security programs, Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.
Closed – Implemented
OPM partially agreed with this recommendation. In October 2022, we verified that OPM provides and tracks specialized training for all individuals, including contractors, who have significant security responsibilities.
Office of Personnel Management
Priority Rec.
To improve agency information security programs, Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.
Closed – Implemented
OPM disagreed with this recommendation. Because of the importance of ensuring personally identifiable information is protected and our national IT systems are secure, we maintain that OPM should fully address this recommendation. In October 2020 we verified that OPM has implemented a quality assurance review process to re-evaluate security control assessments to ensure that they comprehensively test technical controls. This quality assurance review, in conjunction with OPM's continuous monitoring assessments and various other testing mechanisms are sufficient to close this recommendation.
Office of Personnel Management To improve agency information security programs, Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.
Closed – Implemented
OPM concurred with our recommendation. In 2018 OPM decommissioned one of the two systems we assessed in our audit. In fiscal year 2019 we verified that OPM, in response to our recommendation, addressed deficiencies in its POA&Ms for the remaining system.
Department of Veterans Affairs To improve agency information security programs, the Secretary of the Department of Veterans should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.
Closed – Implemented
VA concurred with our recommendation. In fiscal year 2018, we verified that VA updated the two system security plans to include all 83 security controls that are specific to high-impact systems.
Department of Veterans Affairs To improve agency information security programs, the Secretary of the Department of Veterans should provide and track specialized training for all individuals who have significant security responsibilities.
Closed – Implemented
VA concurred with our recommendation. In fiscal year 2018, we verified that VA is offering specialized courses for staff with significant security responsibilities, and is tracking staff members' completion of courses.
Department of Veterans Affairs To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.
Closed – Implemented
VA concurred with our recommendation. In April 2021 we verified that VA decommissioned one of the selected systems, and comprehensively tested technical controls for the remaining system.
Department of Veterans Affairs To improve agency information security programs, the Secretary of the Department of Veterans should update remedial action plans for selected systems, to include estimated funding and funding source.
Closed – Implemented
VA concurred with our recommendation. In fiscal year 2018, we verified that VA is listing in its POA&Ms the estimated funding and the source of the funding. This action increases assurance that the agency will be able to efficiently address known information security weaknesses.
Department of Veterans Affairs To improve agency information security programs, the Secretary of the Department of Veterans should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.
Closed – Implemented
VA concurred with our recommendation. In March 2017 VA issued an Information Security Continuous Monitoring Strategy. However, this strategy did not provide detailed information on what metrics were collected and how often, how monitoring occurred, and how often the metrics were reported to management. In fiscal year 2019 VA provided further evidence of actions taken in response to this recommendation. We verified that the agency has developed an Information Security Continuous Monitoring (ISCM) Metrics Catalog. The catalog describes 87 metrics, how they are measured, what outcomes are sought, how frequently each metric is measured, and what is being evaluated, such as system security plans, vulnerability scans, or other information security components. According to VA, data on these metrics are available on demand and are reported to management on a weekly basis.
Office of Management and Budget To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue plan and practices specified in the Cybersecurity Strategy and Implementation Plan.
Closed – Implemented
OMB concurred with our recommendation. In fiscal year 2022, we verified that OMB took alternative actions to address this recommendation. For example, the agency issued memorandum M-19-16 which details the processes and desired outcomes for Federal shared services. In addition, OMB issued memorandum M-21-31 which addresses logging, log retention, and log management, with a focus on ensuring centralized access and visibility for agency enterprise security operations centers.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Computer securityConfidential communicationsCyber securityEmployeesIndependent regulatory commissionsInformation securityInformation systemsInformation technologyInternal controlsLossesReporting requirementsStandardsStrategic information systems planningStrategic planningTechnologyRisk managementMonitoring