Audit: Federal networks still vulnerable

Thinkstock

Federal agencies are struggling to prevent network breaches after failing to put in place key security changes, the Government Accountability Office said in an audit released Tuesday.

The GAO found “persistent weaknesses” at 24 federal agencies, including deficiencies in how organizations prevented inappropriate access to computer networks, identified intrusions and planned for a network disruption.

ADVERTISEMENT
“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies' efforts to fully implement effective information security programs,” GAO said in its release.

The office chided agencies for failing to implement past recommendations, one of the key accusations leveled against the Office of Personnel Management (OPM) in the wake of the massive breach revealed this spring.

“In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented,” the report reads.

OPM leadership took fire during a series of damning hearings this summer for failing to heed its inspector general’s warnings, even refusing to shut down several of its weakest computer systems as recommended.

But the weaknesses identified in Tuesday’s report span the federal government. The GAO found that while “most” agencies had developed risk-management policies required by a 2002 data security law, “each agency's inspector general reported weaknesses in the processes used to implement” those requirements.

It also found that agency inspectors general inconsistently reported security performance as a result of spotty guidance from the Office of Management and Budget and the Department of Homeland Security.

Sen. Tom CarperTom CarperWhite House seeks distance from ISIS transcript edit White House: Redaction decision was all Justice Dem senator: CDC already has authority to study guns MORE (D-Del.) defended government networks in light of the GAO report, calling the results “disappointing” but noting that much of the audit took place before recent updates to the Federal Information Security Act and the Federal Information Technology Acquisition Reform Act law were enacted.

“These laws represent two significant steps in empowering agencies to better protect their cyber networks, and I am optimistic that next year’s audit results will reflect those benefits,” Carper said in a statement. “But in order to be successful, leadership at all agencies must make cybersecurity a top priority.”

Carper also called for movement on the stalled Federal Cybersecurity Enhancement Act, which would require all agencies to adopt several cybersecurity best practices.

It would also accelerate the rollout of the government’s anti-hacking shield, dubbed “Einstein,” that detects and repels known cyber threats.

Introduced by Carper and Sen. Ron JohnsonRon JohnsonMcConnell quashes Senate effort on guns Bipartisan gun measure survives test vote Senate to vote on two gun bills MORE (R-Wis.), the legislation was approved by the Senate Homeland Security and Governmental Affairs Committee in July.