7 Takeaways from GAO's Information Security Assessment

The federal government needs to fully implement its information security programs, GAO said.

Cyber incidents affecting federal agencies have increased 1,300 percent in the last decade, but the same previously identified issues keep government systems vulnerable, according to the Government Accountability Office.

GAO submitted testimony about the state of federal information security to the president’s Commission on Enhancing National Cybersecurity, which is tasked with figuring out how to improve the nation’s cybersecurity stance. The takeaway? GAO concluded the government has laws and policy to address cyber risks, but “inconsistent” implementation means more action is needed.

“Specifically, agencies need to address control deficiencies and fully implement organization-wide information security programs, cyber incident response and mitigation efforts need to be improved across the government, and establishing and maintaining a qualified cybersecurity workforce needs to be a priority,” wrote GAO Director of Information Security Greg Wilshusen.

The testimony, pulled from previously published work, featured other interesting tidbits:

  1. GAO first designated federal information security as a governmentwide high-risk area in 1997. The designation highlights agencies or programs most in need of transformation or most vulnerable to fraud, waste, abuse and mismanagement.
  2. The diverse, dispersed nature of federal systems makes them hard to protect. “This complexity increases the difficulty in identifying, managing, and protecting the myriad of operating systems,” Wilshusen wrote.
  3. Threats only increase. The National Vulnerability Database identified 78,907 vulnerabilities as of Sept. 15. Advanced persistent threats, which GAO defined as sophisticated adversaries with “significant resources to pursue their objectives,” are also on the rise.
  4. Of the 2,500 recommendations GAO made during the last several years, 1,000 have yet to be implemented as of Sept. 16.
  5. Many agencies' missions now depend on their information systems. “Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets,” Wilshusen wrote.
  6. Keeping software up to date is challenging for agencies. The testimony says agencies “consistently fail” to patch vulnerable systems in a timely manner, sometimes applying updates years later. Agencies also use software that vendors no longer support.
  7. In an April 2014 report, GAO found 24 major agencies—in other words, all the major agencies—lacked consistent, effective responses to cyber incidents.