GAO report: IT testing lacks consistency

A new General Accounting Office report has found that despite the emphasis placed on IT security in recent years, federal agencies are not testing their security controls with any consistency or timeliness. As a result, the agencies may not be aware of their systems' weaknesses.

"Federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls," the GAO concluded after surveying 24 major agencies and conducting in-depth case studies on 30 IT systems at six of the agencies.

These problems are occurring despite the requirements of the Federal Information Security Management Act, under which agencies have been laboring since its passage in 2002. The study was initiated at the request of Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee and the originator of FISMA.

"What this shows is that we have a long way to go to ensure Americans the information their government keeps about them is safe," Davis said in a release. "We're going to do this, but it's going to take time."

The committee added that it is unclear whether it will hold a hearing to discuss the findings.

According to the GAO, none of the 24 agencies has fully implemented the six elements included in guidelines and standards developed by the Office of Management and Budget and the National Institute of Standards and Technology for conducting effective security testing and evaluation. Those six elements are:

  • Identifying the frequency of periodic testing;
  • Defining roles and responsibilities of personnel performing the testing;
  • Selecting a minimum set of security controls evaluated during periodic tests;
  • Identifying and testing common security controls;
  • Determining the depth and breadth of periodic testing; and
  • Including assessment results in remediation plans.

Because the problems were governmentwide, the GAO has recommended that OMB instruct agencies to develop and implement policies on periodic testing and evaluation, and revise instructions for future FISMA reporting by inspectors general to include assessments on the quality of agencies' testing processes.

"We received oral comments on a draft of this report from representatives" at OMB, the GAO reported. "The representatives agreed to consider our recommendations as part of their oversight responsibilities for information security at federal agencies."

Patience Wait is a staff writer for Washington Technology's affiliate publication, Government Computer News.
