GAO: Civilian Federal Agencies Trail Defense Department, Intel in Cybersecurity Efforts
Key challenges continue to plague U.S. federal agencies and contractors in the area of cybersecurity, particularly for civilian agencies that trail the robust cyberdefense efforts of the Defense Department and intelligence community, according to a congressional investigative office tasked with summarizing the volatile situation for lawmakers.
During fiscal 2014, 19 of 24 major federal agencies reported that deficiencies in information security controls “constituted either a material weakness or significant deficiency in internal controls over their financial reporting,” reads a report by the Government Accountability Office (GAO). Additionally, inspectors general at 23 of the agencies cited information security as a major management challenge.
“While the federal government has made many advances in cybersecurity—organizationally, strategically and technically, particularly in critical agencies like the Department of Defense, the intelligence community and the [Department of Homeland Security]—in some of the civilian agencies, there is a lot of work to be done,” says Tom Gann, vice president for government relations at McAfee.
For the 24 federal agencies covered by the Chief Financial Officers Act, the GAO investigators reviewed their implementation plans for risk-based cybersecurity programs, access control systems, oversight of contractors’ network access and responses to breaches, among other criteria.
The 24 agencies include the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury and Veterans Affairs; and the offices of the Environmental Protection Agency, General Services Administration, NASA, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration and the U.S. Agency for International Development.
“Until agencies take actions to address these challenges—including the hundreds of recommendations made by the GAO and inspectors general—their systems and information will be at increased risk of compromise from cyber-based attacks and other threats,” reads a portion of the report, presented at testimony to lawmakers in April.
The agencies were inconsistent in overseeing contractors' implementation of security controls for systems they operate on behalf of the federal government and did not always effectively respond to cybersecurity incidents or breaches, nor did many develop comprehensive policies, plans and procedures to guide incident-response activities.
“I think [the GAO investigators] were right to talk about the government facing significant challenges, including things like … securing buildings and access control,” Gann says. “Often that’s not thought of as a cybersecurity matter—having good credentials, knowing who is who in terms of who gets into a building and who logs onto a system. But it is crucial. Identity management is a profoundly important part of the cybersecurity equation, and agencies are still making progress there.
“The question of overseeing contractors and contractor systems is huge,” Gann continues. “Responding to breaches of personal data happens again and again and again. I think the GAO did a good job of describing the current state.”
The number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team increased from 5,503 in fiscal 2006 to 67,168 in fiscal 2014, an increase of 1,121 percent, the GAO reported. Additionally, the number of information security incidents involving personally identifiable information reported by federal agencies more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.
An effort led by the Department of Homeland Security to develop the Continuous Diagnostics and Mitigation (CDM) program will help mitigate vulnerabilities as agencies work toward fortifying networks and systems against the trillions of cyber events, Gann says. CDM allows agencies to get a firm hold on their inventoried assets and to assess identity management.
“The GAO report, in many ways, rings the most true for the civilian agencies that are still working to get up the capacity scale on security,” Gann says. “I think things like the CDM program … are an example of the government thinking about risk-based security, the government [spending] money to address the civilian cybersecurity set of challenges, putting DHS in a leadership role and creating better collaboration and the sharing of tools.”