GAO: Agencies must pay more attention to cybersecurity

Federal cybersecurity programs run the risk of becoming static and unresponsive in the face of emerging threats, according to the findings of a study by the Government Accountability Office.

The study, titled "Emerging Cybersecurity Issues Threaten Federal Information Systems," focused on three challenges that have evolved rapidly in the last three years: spam, phishing and spyware. And the Federal Information Security Management Act could become a Maginot line against this blitzkrieg of new attacks.

"Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agencywide information security programs," GAO found.

Agencies are required to report all cybersecurity incidents, but there is no governmentwide guidance on which incidents should be reported. The most recent guidance was issued in 2000, before the formation of the U.S. Computer Emergency Readiness Team (US-CERT).

"Lacking the necessary guidance, agencies do not have a clear understanding of which incidents they should be reporting, or how and to whom they should report," GAO concluded.

As a result, government IT systems often remain exposed to unrecognized threats. Some help may be on the way from the Office of Management and Budget, charged with FISMA oversight, and the Homeland Security Department.

OMB said it would begin incorporating new threats into its annual agency FISMA reviews. Together with US-CERT, it is developing a concept of operations and taxonomy for incident reporting, expected to be released this summer.

Despite, or because of, the fact they are so common, spam, phishing and spyware often are not perceived as security threats, GAO found. Only one of 24 major executive branch agencies surveyed recognized the risk presented by spam for delivering malicious code or other attacks. Fourteen agencies reported that phishing had little or no impact, despite the fact that the FBI, IRS and Federal Deposit Insurance Corp. have been targeted in phishing scams. Spyware was recognized as a greater problem, with 11 agencies reporting some impact on productivity caused by the intrusive programs.

Although a number of agencies have consumer awareness programs for these threats, there are no programs to educate users within the agencies.

GAO recommended that:
  • Agencies include emerging threats in their required risk assessments and planning required under FISMA, and
  • OMB, DHS and the attorney general develop guidelines for comprehensive incident reporting.


William Jackson is a senior writer for Washington Technology's sister publication, Government Computer News.

About the Author

William Jackson is a Maryland-based freelance writer.
