GAO: Many Federal Agencies Still Don't Meet Security Standards

GAO: Many Federal Agencies Still Don't Meet Security Standards
GAO: Many Federal Agencies Still Don't Meet Security Standards 

By Tim Wilson
July 20, 2009

Virtually all of the U.S. federal government's key civilian agencies are 
still falling short of the security marks they have been asked to meet, 
according to the Government Accountability Office (GAO).

In a report (PDF) issued earlier today, the GAO says of the 24 agencies 
reviewed, almost all had deficiencies in security controls and 
management, "leaving them vulnerable to attack or compromise." The GAO 
says it has made "hundreds" of recommendations to the agencies, yet many 
have not been addressed.

During the past three years, the number of incidents reported by federal 
agencies to U.S.-CERT has increased by almost 200 percent -- from 5,503 
in 2006 to 16,843 in 2008, according to the report. More than one-third 
of the incidents are still under investigation, and the sources of the 
compromises are not yet known.

Of the incidents in which the sources are known, approximately 22 
percent were caused by improper use of computers by authorized users, 
the report states. Eighteen percent of the compromises were caused by 
unauthorized access, and 14 percent were caused by malicious code. About 
12 percent of the breaches were caused by scans, probes, or attempted 
access by external attackers, the report says.

Of the 24 agencies reviewed, 13 reported "significant deficiencies" in 
information security, the GAO says. Seven agencies reported "material 
weaknesses" that still have not been repaired. Only four agencies 
reported "no significant weakness," the report states.


Attend Black Hat USA, July 25-30 in Las Vegas, 
the world's premier technical event for ICT security experts.
Network with 4,000+ delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. 

Site design & layout copyright © 1986-2015 CodeGods