The 18 government agencies with high-impact systems constantly fend off cyberattacks from “nations,” which are groups of hackers sponsored by nation-states. According to a U.S. Government Accountability Office security report released June 21, these attacks pose the most serious threat to the security of these systems.
GAO surveyed 24 government agencies and found that 18 of them are equipped with high-impact systems, which contain sensitive information about the Federal government. In 2014, 11 of those 18 agencies reported 2,267 security incidents with their systems, 500 of which involved the installation of harmful code.
The government has taken precautions to help agencies ward off these attacks. The National Institute of Standards and Technology has set up standards for minimum security requirements and 83 privacy controls specific to high-impact systems. The Office of Management and Budget is developing plans to create shared services for Federal security operations centers. The OMB has not yet issued these plans. Additionally, some agencies are in the process of creating tools to detect cyber intrusions and offer stronger controls over agency networks.
The GAO report revealed that certain government agencies have some security weaknesses that need to be addressed. GAO conducted a risk assessment of every agency it reviewed. The assessment revealed that the National Aeronautics and Space Administration, Nuclear Regulatory Commission, Office of Personnel Management, and Department of Veterans Affairs contained certain weaknesses in their access controls. These control weaknesses included identifying and authenticating users, auditing and monitoring system activities, authorizing access for users to perform certain duties, and protecting system boundaries. GAO stated in its report that these vulnerabilities resulted from the agencies’ failures to install key elements of their information security systems.
“NASA, NRC, OPM, and VA had implemented numerous controls, such as completion of risk assessments, over selected systems. However, they had not always effectively implemented access controls, patch management, and contingency planning to protect the confidentiality, integrity and availability of these high impact systems,” said the GAO in its report.
The sensitive data on these four agencies’ systems will remain at risk of unauthorized access and modification until the agencies complete the elements of their information security systems. GAO recommended in its report that the OMB continue working to complete its plans for securing Federal systems and that NASA, NRC, OPM, and VA install the remaining key elements of their information security programs.
With the exception of OPM, all agencies generally concurred with GAO’s recommendations. Although OPM did not concur, GAO said that it still believes the recommendation is warranted. GAO will distribute separate reports to aid the four agencies in mitigating the weaknesses in their access control systems.