The Government Accountability Office revealed that four “high impact” agencies are not fully implementing certain cyber security standards prescribed by the National Institute of Standards and Technology.
The GAO classifies “high impact” agencies as “those that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm.”
After surveying 24 federal agencies, the GAO revealed that 18 of those agencies with high impact systems identified cyber attacks from other countries as their biggest threat. According to the same report, there were over 2,000 combined security incidents across 11 agencies during the fiscal year 2014.
To aid in combating these threats, the National Institute of Standards and Technology has issued national standards for minimum security requirements. However, the GAO found that not every agency was following these procedures.
The audit revealed that NASA, the Nuclear Regulatory Commission, the Office of Personnel Management and the VA were not fully implementing the prescribed security measures, which include risk assessments, security plans, controls assessments and remedial action plans.
The GAO said all four agencies have fully implemented risk assessments. However, NASA was the only agency to have fully implemented security plans, and none of the agencies fully implemented controls assessments or remedial action plans.
This could lead to problems in identifying and authenticating users, authorizing access for job duties, monitoring and auditing system activities and patching known software vulnerabilities.
“Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption,” the report said.
The GAO made several suggestions to fix these problems, the largest of which was that the agencies begin to fully implement the existing security protocols. All four agencies agreed to implement the procedures, except the OPM, which “did not concur with the recommendation regarding evaluating security control assessments.”
While the agencies begin to implement these protocols, the Office of Management and Budget is also developing plans for federal security operations for the future.