[ISN] GAO finds information security compliance is sporadic

From: InfoSec News (isn@private)
Date: Wed Jul 28 2004 - 23:52:03 PDT


By David McGlinchey
July 28, 2004

Agency compliance with federal information security standards is
irregular and the process that measures compliance is unreliable, the
Government Accountability Office said in a report released Wednesday.

A GAO survey of 24 federal agencies found that 63 percent of
information systems met security guidelines issued by the National
Institute of Standards and Technology, including the minimum security
controls mandated by the 2002 Federal Information Security Management
Act. The GAO report determined, however, that compliance and
accreditation varied greatly. Seven of the 24 agencies said more than
90 percent of their systems were certified and accredited as secure,
while six reported less than half of their systems were accredited as

The survey was completed for House Government Reform Committee
Chairman Tom Davis, R-Va., who has been critical of the government's
information security. In March, Davis warned of a "cyber Pearl Harbor"
if IT security measures were not improved.

The Housing and Urban Development and Agriculture departments reported
that none of their systems are certified or accredited to meet the
NIST guidelines. Officials at both agencies said concerns over the
certification process caused them to report that their systems were
not in compliance.

The top compliance levels were at the Social Security Administration
and the Nuclear Regulatory Commission, which both registered 100
percent accreditation and certification. NASA reported 98 percent
compliance and the National Science Foundation told GAO that 95
percent of its information systems met the guidelines. At the Defense
Department, 77 percent of systems meet the guidelines, according to
GAO. The study was conducted between September 2003 and June 2004.

The NIST compliance guidelines are an update to its previous security
guidance. They are tailored to "reflect today's more distributed
computing environment in which systems are constantly evolving and
require real-time, ongoing monitoring," according to the report
[GAO-04-376]. The guidelines do not apply to information systems that
deal with intelligence issues, the management of military forces and
other national security subjects.

Every agency surveyed reported that its process for certification and
accreditation met the federal guidelines, but a closer GAO
investigation of four agencies showed that the standards were not
always satisfied.

