From: GCN
By William Jackson
After 16 years of plans, strategies and regulation, federal IT security remains one of 30 program areas designated by government auditors as high risk.
The Government Accountability Office released its latest biennial assessment of programs most vulnerable to fraud, waste, abuse, and mismanagement and ineffectiveness. The security of government information systems has been on the list since 1997, and in 2003 protection of the nation’s privately owned critical infrastructure was added.
The two are lumped together as one high-risk area, which is receiving increasing attention from the administration, Congress and non-government security experts. Despite the attention and initiatives being taken to improve security, little progress was noted by GAO.
“Until the administration and executive branch agencies implement the hundreds of recommendations made by GAO and agency inspectors general to address cyber challenges, resolve identified deficiencies, and fully implement effective security programs, a broad array of federal assets and operations will remain at risk of fraud, misuse and disruption, and the nation’s most critical federal and private-sector infrastructure systems will remain at increased risk of attack from adversaries,” the report concluded.
GAO began the list in 1990 with 14 areas designated and updates it every two years. Since the original list, 41 problem areas have been added and 23 removed. Of the 30 listed today, IT security is number 10 in length of time it has remained. Six problem areas date back to 1990.
This year’s list removes two areas from the previous list: Management of interagency contracting and the IRS Business Systems Modernization program. It also added two areas: The economic risks of climate change and mitigating gaps in weather satellite data.
In its assessment of cybersecurity, GAO cited the growing number of IT security incidents, which has gone from 5,503 incidents reported to US-CERT in 2006 to 48,652 in 2012.
The Obama administration has paid attention to the issue, and in 2011 issued the National Strategy for Trusted Identities in Cyberspace; the International Strategy for Cyberspace, to create international norms; and a Strategic Plan for the Federal Cybersecurity Research and Development Program. In 2012, three priority areas identified by the administration for improvement:
Trusted Internet Connections: Consolidate external telecommunication access points and establish a set of baseline security capabilities for situational awareness and enhanced monitoring.
Continuous monitoring of federal information systems: Transform static security control assessment and authorization process into a dynamic risk-mitigation program that provides essential, near real-time security status and remediation.
Strong authentication: Increase the use of federal smart-card credentials such as Personal Identity Verification and Common Access Cards that provide multifactor authentication and digital signature and encryption capabilities.
Leave a Reply