High-impact federal systems are vulnerable and under constant assault

Federal agencies could do more to secure high-impact systems, starting with fully implementing their own comprehensive information security programs, the Government Accountability Office said in a report released June 21.

The systems GAO surveyed are "those that hold sensitive information, the loss of which could cause individuals, the government or the nation catastrophic harm," the report states.

GAO said the 24 agencies governed by the Chief Financial Officers Act have a total of 912 high-impact systems -- almost 10 percent of their systems.

Auditors questioned 18 of those agencies more closely. In fiscal 2014, the 18 agencies reported 2,267 security incidents that targeted their high-impact systems. Nearly 500 involved the installation of malicious code, and 202 pertained to unauthorized access.

The high-impact incidents are part of a broader trend: a 1,303 percent increase in federal information security incidents from 2006 to 2015.

The 18 agencies reported a wide variety of attack vectors, but the old threat -- risky clicks via web- and email-based phishing attempts -- led to most breaches.

The agencies said nation-state actors are among the most serious cyber adversaries testing their high-impact systems.

GAO took a deeper look at four agencies: NASA, the Office of Personnel Management, the Department of Veterans Affairs and the Nuclear Regulatory Commission.

In that deep dive into two high-impact systems at each of the four agencies, GAO found that authorization (or making sure users have the fewest privileges needed to get their jobs done) and boundary protection were weak in every system.

In some cases, patches weren't kept up-to-date or training programs were lacking.

GAO determined that more thorough implementation of existing information security plans would help better secure agencies' systems. The report urges the Office of Management and Budget to issue its revised Circular A-130 to provide agencies with solid security guidance.

GAO also made broad recommendations for NASA, OPM, the VA and NRC, and issued limited-release technical recommendations.

NASA, the VA and NRC concurred with GAO’s recommendations, but OPM took issue with some aspects of the report in its reply comments.

OPM Associate CIO David Vargas said one system under scrutiny belonged to a contractor, and, therefore, OPM didn't have direct responsibility for software patches and training. He also said GAO did not supply the information OPM requested so that the agency could confirm the watchdog's findings. GAO said the information in question had initially been supplied by OPM.

But the procedural quibbles were not the main thrust of GAO's critique.

"Without comprehensive security control assessments, OPM is at increased risk that it may not detect vulnerabilities in its systems," GAO warned.

The Senate Homeland Security and Governmental Affairs Committee publicized the report as a cause for continued congressional oversight.

"I remain concerned that federal agencies are not fulfilling their responsibilities under the law to secure federal information systems," Chairman Ron Johnson (R-Wis.) said in a statement.

"GAO's report details key improvements that must be immediately implemented by the four agencies covered in this report, including OPM," Sen. Susan Collins (R-Maine) said. "The work done by GAO helps to ensure that all our federal networks and databases are properly protected and secured."