Audit: Federal networks still vulnerable

Federal agencies are struggling to prevent network breaches after failing to put in place key security changes, the Government Accountability Office said in an audit released Tuesday.

The GAO found “persistent weaknesses” at 24 federal agencies, including deficiencies in how organizations prevented inappropriate access to computer networks, identified intrusions and planned for a network disruption.

“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies' efforts to fully implement effective information security programs,” GAO said in its release.

The office chided agencies for failing to implement past recommendations, one of the key accusations leveled against the Office of Personnel Management (OPM) in the wake of the massive breach revealed this spring.

“In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented,” the report reads.

OPM leadership took fire during a series of damning hearings this summer for failing to heed its inspector general’s warnings, even refusing to shut down several of its weakest computer systems as recommended.

But the weaknesses identified in Tuesday’s report span the federal government. The GAO found that while “most” agencies had developed risk-management policies required by a 2002 data security law, “each agency's inspector general reported weaknesses in the processes used to implement” those requirements.

It also found that agency inspectors general inconsistently reported security performance as a result of spotty guidance from the Office of Management and Budget and the Department of Homeland Security.

Sen. Tom Carper (D-Del.) defended government networks in light of the GAO report, calling the results “disappointing” but noting that much of the audit took place before recent updates to the Federal Information Security Act and the Federal Information Technology Acquisition Reform Act were enacted.

“These laws represent two significant steps in empowering agencies to better protect their cyber networks, and I am optimistic that next year’s audit results will reflect those benefits,” Carper said in a statement. “But in order to be successful, leadership at all agencies must make cybersecurity a top priority.”

Carper also called for movement on the stalled Federal Cybersecurity Enhancement Act, which would require all agencies to adopt several cybersecurity best practices.

It would also accelerate the rollout of the government’s anti-hacking shield, dubbed “Einstein,” that detects and repels known cyber threats.

Introduced by Carper and Sen. Ron Johnson (R-Wis.), the legislation was approved by the Senate Homeland Security and Governmental Affairs Committee in July.