GAO Finds Faults in Security Programs at OPM, NASA, Elsewhere
The Office of Personnel Management and three other federal agencies haven't always “effectively implemented access controls” on high-impact systems under their jurisdiction, GAO said in a report released Tuesday. It stemmed from GAO's survey of 24 federal agencies, including 18…
that identified cyberattacks from foreign governments on their systems as their most frequently occurring security threat. OPM, the Department of Veterans Affairs, NASA and Nuclear Regulatory Commission displayed control weaknesses in “protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities,” GAO said. “Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs.” All four agencies had fully implemented risk assessments but were less thorough in implementing security plans, controls assessments and action plans, the GAO said. NASA, NRC, OPM and VA “should all fully implement key elements of their information security programs,” GAO said. The four agencies generally agreed to the GAO recommendations, but OPM said it didn’t concur with the recommendation on evaluating its security control assessments.