GSA Gets Thumbs Up on Cybersecurity Act Assessment

The General Services Administration got a nod from its inspector general in a mandatory assessment carried out under the 2015 Cybersecurity Act.

“GSA policies and procedures regarding access controls are generally consistent with significant governmentwide policies and procedures, including relevant standards established by the National Institute of Standards and Technology and Office of Management and Budget guidance,” the audit states.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The audit goes on to state that for 11 of GSA’s 18 covered systems, GSA has implemented multifactor authentication for privileged users “consistent with governmentwide policies.”

For the other seven covered systems, GSA “relies on compensating controls for privileged user access,” and has implemented “appropriate automated or manual software and license inventory management practices.”

The IG found no issues with GSA’s data loss capabilities and said GSA has created sufficient policies to ensure partnering service providers adhere to GSA IT policies and procedures.

Section 406 of the Cybersecurity Act of 2015 calls for CFO Act agencies to be subjected to audits of policies, procedures and practices for securing its computer networks and IT systems with emphasis on five key areas: logical access control policies and practices; use of multifactor authentication; software inventory threat prevention and contractor oversight.

GSA is among the first agencies to have their audits published. The Interior Department fared worse in its assessment, while the Energy Department's Office of Inspector General found issues with the agency’s decentralized approach to managing software licenses.