By Katie Bo Williams - 09/29/15 06:04 PM EDT
Federal agencies are struggling to prevent network breaches after failing to put in place key security changes, the Government Accountability Office said in an audit released Tuesday.
The GAO found “persistent weaknesses” at 24 federal agencies, including deficiencies in how organizations prevented inappropriate access to computer networks, identified intrusions and planned for a network disruption.
The office chided agencies for failing to implement past recommendations, one of the key accusations leveled against the Office of Personnel Management (OPM) in the wake of the massive breach revealed this spring.
“In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented,” the report reads.
OPM leadership took fire during a series of damning hearings this summer for failing to heed its inspector general’s warnings, even refusing to shut down several of its weakest computer systems as recommended.
But the weaknesses identified in Tuesday’s report span the federal government. The GAO found that while “most” agencies had developed risk-management policies required by a 2002 data security law, “each agency's inspector general reported weaknesses in the processes used to implement” those requirements.
It also found that agency inspectors general inconsistently reported security performance as a result of spotty guidance from the Office of Management and Budget and the Department of Homeland Security.
Sen. Tom Carper (D-Del.) defended government networks in light of the GAO report, calling the results “disappointing” but noting that much of the audit took place before recent updates to the Federal Information Security Act and the Federal Information Technology Acquisition Reform Act were enacted.
“These laws represent two significant steps in empowering agencies to better protect their cyber networks, and I am optimistic that next year’s audit results will reflect those benefits,” Carper said in a statement. “But in order to be successful, leadership at all agencies must make cybersecurity a top priority.”
Carper also called for movement on the stalled Federal Cybersecurity Enhancement Act, which would require all agencies to adopt several cybersecurity best practices.
It would also accelerate the rollout of the government’s anti-hacking shield, dubbed “Einstein,” that detects and repels known cyber threats.
Introduced by Carper and Sen. Ron Johnson (R-Wis.), the legislation was approved by the Senate Homeland Security and Governmental Affairs Committee in July.