IG: GSA must improve information security

Audit says agency must improve contractor oversight and encrypt all mobile devices.

The General Services Administration must improve its information technology security program to protect its sensitive information, according to an inspector general's report released this week.

The report outlined several deficiencies in GSA's information security program, including inadequate contractor oversight, a failure to encrypt all mobile devices and weaknesses in the agency's public Web sites.

Under the 2002 Federal Information Security Management Act, agencies are required to undergo annual independent audits of their IT security programs. The IG's audit revealed that while the agency has taken steps to identify and reduce risks to information security, several vulnerabilities remain.

The report said certain contractor-supported systems were inadequately secured because of weaknesses in their security configurations. In addition, background investigations of contractors were deemed inconsistent.

"The failure to perform appropriate and timely background investigations means that contractors for the affected systems were granted privileged access without appropriate background investigations, placing GSA systems and data at risk of insider attack," the report stated.

Another problem identified was the failure of GSA to comply with the Office of Management and Budget Memorandum M-06-16, which requires all agencies to encrypt data on mobile devices. According to the IG, fewer than 1,800 of the 8,000 laptops GSA identified have been encrypted, leaving sensitive data at risk if the computers are lost or stolen.

The IG recommended that GSA address weaknesses through more consistent application of policies and controls. GSA's chief information officer agreed with both the findings and the recommendations.