Twenty years after the Government Accountability Office put federal information security on the High-Risk List, it found that most of the 24 Chief Financial Officers Act agencies still have significant information security weaknesses.
“What we found is that federal agencies continue to be ineffective in implementing their information security controls that are intended to protect the confidentiality, integrity and availability of their information and information systems consistently over time,” Greg Wilshusen, GAO director of information security issues, said on Cybersecurity Month.
Wilshusen did clarify that doesn’t mean there weren’t improvements; he said agencies’ information security efforts have improved in both type and sophistication. But he also said that information security is a case of constantly moving goalposts.
“We are not working in or operating in a static environment,” Wilshusen said. “So too are the security threats to federal information and information systems also becoming more sophisticated and pronounced. And also the increasing complexity of the information technologies used by the federal agencies and their evolving business practices, which encourage increased connectivity. It also inherently increases the risk to the agency’s systems and information. And so yes, while there are new developments and stronger security controls in place, they need to be. Because the threats and computing environments have also become far more complicated and pronounced.”
And this information security treadmill, where everyone runs as fast as they can to stay where they are, is fed by the fact that software is always released with major vulnerabilities, then patched later when they are identified by vendors and developers. But it’s up to the agencies themselves to acquire and install the patches.
That can be a big task; agencies have to find out the patch exists and install it across all their systems, which can be extensive.
“And we find that that’s not always being done,” Wilshusen said. “Indeed, patch management is one of the key areas that we’ve identified that agencies consistently are not implementing in a timely or prioritized manner.”
Another of the main weaknesses GAO found was in the area of access control. Firewalls, routers and switches are all examples of this kind of control, intended keep out intrusions, or at least detect and mitigate the damage of bad actors that do get through. Likewise, identification and authorization controls, meant to validate the identifications of legitimate users and restrict access to what’s necessary.
“What we found is that generally speaking, those security management control weaknesses are the underlying causes for some of those other types of controls,” he said.
Wilshusen said GAO reviewed hundreds of recommendations it and various agency inspectors general had made over the years to agencies about their information security that had not yet been implemented. Some were very technical, he said: change a setting, restrict network access, or reconfigure a program.
But others revolve around the processes themselves, he said, like an agency’s procedure for assessing risk, selecting appropriate controls to mitigate risk, or practices for training.