Agencies have not adopted — or are only slowly implementing — numerous recommendations and actions that could significantly improve the federal security posture, the Government Accountability Office has said.
GAO also reported that agencies did make incremental but steady progress in improving information security in 2007.
Persistent weaknesses in agency information security controls still threaten the confidentiality, integrity and availability of federal information and the systems on which the data runs, said Gregory Wilshusen, director of GAO’s information technology issues. The latest report to Congress on agencies’ compliance with the Federal Information Security Management Act also showed a jump in reported security incidents.
GAO audits continue to identify similar conditions in financial and nonfinancial systems, including agencywide weaknesses as well as weaknesses in critical federal systems. For example, 20 of 24 major agencies indicated that inadequate information security controls were a significant deficiency or a material weakness for financial statement reporting, he said.
In addition to acting on past recommendations, agencies should take advantage of more robust security control testing, information security performance metrics and independent evaluations, Wilshusen said. He also urged agencies to implement user identification and authentication, authorization, boundary protections, encryption, and audit and monitoring.
“Until such opportunities are seized and fully exploited and the hundreds of GAO and [inspector general] recommendations to mitigate information security control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain at undue and unnecessary risk,” Wilshusen said March 12 at a hearing of the Senate Homeland Security and Governmental Affairs Committee’s Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.
Agencies' most persistent weaknesses are in access controls, configuration management controls, segregation of duties, continuity-of-operations planning and agencywide information security programs, Wilshusen said. Agencies may not be fully aware of the security control weaknesses in their systems, leaving them vulnerable to attack or compromise.
Agencies in 2007 hit a milestone by certifying and accrediting more than 90 percent of all 10,304 federal systems, said Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology. The C&A process assesses information technology systems for security controls. Some critics of FISMA have said the process has become more paper checklist than a way to evaluate risk and needs to be updated.
Evans cautioned against major changes, saying clarification might be more effective. Instead, those in oversight should keep monitoring what agencies are doing and whether they are implementing solutions.
Evans testified that if agencies perform the work only to comply with OMB, those are just paper exercises. But many agencies use the guidance and conduct FISMA procedures to discover and manage risk to serve the mission, she said.