Just about every federal government operation—from processing taxes and protecting national parks to coordinating military operations and delivering foreign aid—relies in some way on computers. Protecting government computer systems and the information stored in them is vital, and a 2014 law lays out requirements and steps federal agencies need to take to do so.
Are agencies doing a good job implementing the law? Today’s WatchBlog looks at our report on this subject. Read on and listen to our podcast with Greg Wilshusen.
Information security shortcomings for individual agencies
We looked at a sample of 16 federal agencies and found that most of their information security policies and programs had weaknesses in 5 core areas of security control defined in the law. For example, 15 of the agencies did not adequately take steps to identify cybersecurity risks—and identifying risks is an important step toward mitigating them.
The law also requires inspectors general to evaluate and report on information security at their respective agencies. We reviewed 24 of these reports and found that 18 inspectors general determined that their agency’s information security policies and practices were not effective. These reports showed that agencies had taken steps to protect their information systems, but there were deficiencies in the protections in place, and agencies still had a lot of progress left to make before their policies and programs could be considered optimal.
Government-wide challenges with information security
While information security is vital and agencies still have a lot of work to do, no one says this work is easy. Government information systems are complex and dynamic. They rely on different types of technologies to operate, they’re geographically dispersed, and they are interconnected with a variety of internal and external systems and networks like the Internet. Safeguarding them is a challenge.
But agencies are not alone in their efforts to address these challenges and implement the information security law—the Office of Management and Budget, the National Institute of Standards and Technology, and the Department of Homeland Security all have roles, too.
The law requires OMB to oversee agencies’ information security efforts and issue reports on their status. One way OMB fulfills these responsibilities is by holding cybersecurity review meetings with agencies. These meetings help agencies improve their information security programs and also help OMB oversee specific agency efforts. However, OMB met with only 3 agencies in 2018 compared to 24 in 2016.
For its role, NIST develops information security standards and provides guidance to agencies. In April 2019, for example, NIST provided agencies with updated guidance on vetting the security of mobile applications.
DHS develops operational directives related to information security—such as a directive that required agencies to stop using a particular brand of information security products—and oversees the directives’ implementation. We are looking at DHS’s efforts in a separate report.