Tuesday, July 21, 2009

GAO: Many Federal Agencies Still Don't Meet Security Standards

Via DarkReading -

Virtually all of the U.S. federal government's key civilian agencies are still falling short of the security marks they have been asked to meet, according to the Government Accountability Office (GAO).

In a report (PDF) issued earlier today, the GAO says of the 24 agencies reviewed, almost all had deficiencies in security controls and management, "leaving them vulnerable to attack or compromise." The GAO says it has made "hundreds" of recommendations to the agencies, yet many have not been addressed.

During the past three years, the number of incidents reported by federal agencies to U.S.-CERT has increased by almost 200 percent -- from 5,503 in 2006 to 16,843 in 2008, according to the report. More than one-third of the incidents are still under investigation, and the sources of the compromises are not yet known.

Of the incidents in which the sources are known, approximately 22 percent were caused by improper use of computers by authorized users, the report states. Eighteen percent of the compromises were caused by unauthorized access, and 14 percent were caused by malicious code. About 12 percent of the breaches were caused by scans, probes, or attempted access by external attackers, the report says.

Of the 24 agencies reviewed, 13 reported "significant deficiencies" in information security, the GAO says. Seven agencies reported "material weaknesses" that still have not been repaired. Only four agencies reported "no significant weakness," the report states.

No comments:

Post a Comment