By Jason Miller
July 30, 2007
Agency computer systems are vulnerable because many lack basic controls,
and one of the best ways to improve information technology security is
to improve the metrics by which departments measure how those basic
controls are implemented.
That was the conclusion of the Government Accountability Office, which
on Friday issued a tell-tale report identifying widespread IT
security weaknesses across the government.
Weaknesses exist predominantly in access controls, including
authentication and identification, authorization, cryptography, audit
and monitoring, boundary protection and physical security, the report
said. Weaknesses also exist in configuration management, segregation of
duties and continuity of operations.
Auditors said the metrics under the Federal Information Security
Management Act are not effective enough and offer only limited assurance
of the quality of agency evaluations.
"[A]gencies are required to test and evaluate the effectiveness of the
controls over their systems at least once a year and to report on the
number of systems undergoing such tests," the report said. "However, there
is no measure of the quality of agencies' test and evaluation processes."
GAO recommended that the Office of Management and Budget improve FISMA
in three general ways. The audit agency's most specific recommendation
was for OMB to require agencies to report how they perform patch
management. OMB previously required this in 2004, but has since dropped it
from FISMA guidance.
Auditors said patch management is one area of weakness among agencies,
and that OMB and Congress lack information that could demonstrate whether
or not agencies are taking appropriate steps to protect their systems.
Sen. Joe Lieberman (I-Conn.), Homeland Security and Governmental Affairs
Committee chairman and author of the E-Government Act of 2002, which
included FISMA, said agencies need to do more to protect their systems.
He said that the federal government is not doing enough to guarantee the
security of its computers and the vast databases within them. Lieberman
added that as technology moves forward so should the methods by which IT
In addition to the patch management suggestion, GAO recommended that OMB
develop additional performance metrics, and request agency inspectors
general to report on the quality of additional agency security
processes, such as system test and evaluation, and risk categorization.
Karen Evans, OMB's administrator for IT and e-government, said in a
letter to GAO that her office would review GAO's recommendations. But
Evans said the certification and accreditation process does provide a
systematic approach for determining whether appropriate security
controls are in place, functioning properly and producing the desired
Evans added that the IGs have flexibility to tailor their evaluation
based on the agency's documented weaknesses and plans for improvement.
"If OMB were to request quality reviews on specific control groups, we
would require qualitative reviews on certain areas where agencies may
already be effective," Evans wrote. "We would also reduce the flexibility
needed by agencies to tailor their evaluations to address documented