GAO faults Army Corps security

Agency needs to do better job of controlling access to critical systems, report finds

The Army Corps of Engineers has made great strides in managing its computer systems since a scathing 1999 review by the General Accounting Office, but the agency still has numerous security shortcomings, according to a new GAO report.

"Information Security: Corps of Engineers Making Improvements, but Weaknesses Continue," released June 10, details a number of computer security issues that the Army Corps must address, including:

* Controlling access to critical systems and data.

* Developing adequate system software controls to protect programs and sensitive files.

* Documenting software changes.

* Securing networks.

"These vulnerabilities warrant management's attention to decrease the risk of inappropriate disclosure and modification of data and programs, misuse of or damage to computer resources, or disruption of critical operations," according to the report. "Such vulnerabilities also increase risks to other Department of Defense networks and systems to which the corps' network is linked."

The audit, which was conducted from January through October 2001, found that the Army Corps had not maintained accurate records of users who were granted access to the Corps of Engineers Financial Management System (CEFMS).

"The weaknesses that we identified...placed the Corps' computer resources, programs and files at risk from inappropriate disclosure of financial and sensitive data and programs, modification of data, misuse of or damage to computer resources, or disruption of critical operations," according to the report.

Additional tests also revealed problems with the smart cards that store users' electronic signatures for use with CEFMS. In some cases, smart cards were not under the sole control of an individual cardholder, an audit found, and "as a result, authentication controls were not effective to provide reasonable assurance that users' electronic signatures are valid."

The GAO report said the primary reason for the Army Corps' computer control weaknesses was that officials had not fully developed and implemented a comprehensive security management program.

In a May 20 letter responding to a draft copy of the report, Lt. Gen. Robert Flowers, commander of the Army Corps, said the agency has already taken corrective action on 11 past recommendations and has developed an action plan to correct all but 12 of the remaining recommendations by Sept. 30, 2002. He added that the remaining 12 recommendations would be completed in fiscal 2003 or beyond.
