Seven of 24 meet security requirements

A recent audit of 24 of the largest federal agencies found only seven agencies in compliance with a law requiring that they certify and accredit their information systems' security.

The audit report released this week by the Government Accountability Office prompted Rep. Adam Putnam (R-Fla.) to issue a statement chastising federal agencies for not complying with security policies and guidelines issued by Office of Management and Budget officials.

Among the 24 agencies reviewed by GAO auditors, six reported having fewer than half of their information systems accredited and certified. Two agencies, the Agriculture and Housing and Urban Development departments, have no accredited and certified systems.

The best performers were the Social Security Administration and Nuclear Regulator Commission, which reported having 100 percent of their critical information systems certified and accredited to operate.

Officials at 18 of the agencies surveyed said they struggled to find funds to enact the mandatory certifications.

The review looked at agencies' certification and accreditation procedures to determine whether they provided consistent and comparable results. It also looked at whether the certification procedures provide sufficient information for senior agency officials to understand the risks of operating those systems.

GAO's analysis found inconsistencies in the way agencies report certification and accreditation data, which lessened the usefulness of the data. Auditors further questioned the reliability and quality of the data.

The auditors reviewed end-of-year data reported to OMB officials in fiscal 2002 and 2003, in addition to quarterly data submitted to the agency in March. Most of the systems covered in the review were not national security systems.

The audit report recommends that OMB officials amend their reporting guidelines to require agencies to submit additional information on the quality and consistency of their certification and accreditation data.

In addition, it recommends that agency inspectors general examine the quality of agency-reported certification data as part of independent security evaluations that IGs are required to perform under the Federal Information Security Management Act of 2002.

Putnam, who is head of the House subcommittee that oversees federal information technology policies, expressed his disappointment with the report's findings. "The current information security threat environment that exists in the world today demands that the federal government lead by example," he said.