
Federal Information Security: There’s Work to Do

Posted on December 03, 2019

 

Just about every federal government operation—from processing taxes and protecting national parks to coordinating military operations and delivering foreign aid—relies in some way on computers. Protecting government computer systems and the information stored in them is vital, and a 2014 law lays out requirements and steps federal agencies need to take to do so.

Are agencies doing a good job implementing the law? Today’s WatchBlog looks at our report on this subject. Read on and listen to our podcast with Greg Wilshusen.


Information security shortcomings for individual agencies

We looked at a sample of 16 federal agencies and found that most of their information security policies and programs had weaknesses in 5 core areas of security control defined in the law. For example, 15 of the agencies did not adequately take steps to identify cybersecurity risks—and identifying risks is an important step toward mitigating them.

Figure Showing Number of 16 Selected Agencies with Deficiencies in Information Security Policies, Procedures, and Practices, by Core Security Function

The law also requires inspectors general to evaluate and report on information security at their respective agencies. We reviewed 24 of these reports and found that 18 inspectors general determined that their agency’s information security policies and practices were not effective. These reports showed that agencies had taken steps to protect their information systems, but the protections in place had deficiencies, and agencies still had a lot of progress to make before their policies and programs could be considered optimal.

Government-wide challenges with information security

While information security is vital and agencies still have a lot of work to do, no one says this work is easy. Government information systems are complex and dynamic. They rely on different types of technologies to operate, they’re geographically dispersed, and they are interconnected with a variety of internal and external systems and networks like the Internet. Safeguarding them is a challenge.

But agencies are not alone in their efforts to address these challenges and implement the information security law—the Office of Management and Budget, the National Institute of Standards and Technology, and the Department of Homeland Security all have roles, too.

The law requires OMB to oversee agencies’ information security efforts and issue reports on their status. One way OMB fulfills these responsibilities is by holding cybersecurity review meetings with agencies. These meetings help agencies improve their information security programs and also help OMB oversee specific agency efforts. However, OMB met with only 3 agencies in 2018 compared to 24 in 2016.

For its role, NIST develops information security standards and provides guidance to agencies. In April 2019, for example, NIST provided agencies with updated guidance on vetting the security of mobile applications.

DHS develops operational directives related to information security—such as a directive that required agencies to stop using a particular brand of information security products—and oversees the directives’ implementation. We are looking at DHS’s efforts in a separate report.

We made 3 recommendations to OMB in our report. In addition, information security is on our High Risk List.