Federal agencies are struggling to prevent network breaches after failing to put in place key security changes, the Government Accountability Office said in an audit released Tuesday.
The GAO found “persistent weaknesses” at 24 federal agencies, including deficiencies in how organizations prevented inappropriate access to computer networks, identified intrusions and planned for a network disruption.
The office chided agencies for failing to implement past recommendations, one of the key accusations leveled against the Office of Personnel Management (OPM) in the wake of the massive breach revealed this spring.
“In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented,” the report reads.
OPM leadership took fire during a series of damning hearings this summer for failing to heed its inspector general’s warnings, even refusing to shut down several of its weakest computer systems as recommended.
But the weaknesses identified in Tuesday’s report span the federal government. The GAO found that while “most” agencies had developed risk-management policies required by a 2002 data security law, “each agency's inspector general reported weaknesses in the processes used to implement” those requirements.
It also found that agency inspectors general inconsistently reported security performance as a result of spotty guidance from the Office of Management and Budget and the Department of Homeland Security.
Sen. Tom Carper (D-Del.) defended government networks in light of the GAO report, calling the results “disappointing” but noting that much of the audit took place before recent updates to the Federal Information Security Act and the Federal Information Technology Acquisition Reform Act were enacted.
“These laws represent two significant steps in empowering agencies to better protect their cyber networks, and I am optimistic that next year’s audit results will reflect those benefits,” Carper said in a statement. “But in order to be successful, leadership at all agencies must make cybersecurity a top priority.”
Carper also called for movement on the stalled Federal Cybersecurity Enhancement Act, which would require all agencies to adopt several cybersecurity best practices.
It would also accelerate the rollout of the government’s anti-hacking shield, dubbed “Einstein,” that detects and repels known cyber threats.
Introduced by Carper and Sen. Ron Johnson (R-Wis.), the legislation was approved by the Senate Homeland Security and Governmental Affairs Committee in July.