Information Security: Opportunities for Improved OMB Oversight of Agency Practices

AIMD-96-110 September 24, 1996
Full Report (PDF, 52 pages)

Summary

Recent audits and self-assessments at 15 major agencies reveal that weak information security is a widespread problem in the federal government. Billions of dollars worth of assets are at risk of theft, misuse, or loss, and vast amounts of sensitive information--including personal data on American citizens--are vulnerable to unauthorized disclosure. Weaknesses, such as poor controls over access to data and inadequate disaster recovery plans, diminish the reliability of the enormous amounts of electronically maintained information essential to delivering federal services, measuring the success of federal programs, and monitoring agency performance. An underlying cause is that agencies have not introduced information security programs that establish appropriate policies and routinely monitor their effectiveness. The Office of Management and Budget's (OMB) oversight efforts have been uneven, and OMB did not actively attempt to identify and overcome basic security program weaknesses that are likely to be at the root of these problems. OMB can improve its oversight by taking advantage of the increasing amount of audit information that is now routinely available as a result of agency financial statement audits required under the Chief Financial Officers Act. In addition, the recently established Chief Information Officers' Council, which OMB will chair, can serve as a vehicle for strategically addressing information security governmentwide. However, OMB also needs to develop better sources of information and staff expertise for overseeing the overall design and effectiveness of agency information security programs.

GAO found that: (1) recent audits and reviews indicate that weak information security is a serious governmentwide problem, with serious weaknesses reported for over two-thirds of the agencies reviewed; (2) commonly reported weaknesses include information access control problems and inadequate disaster planning; (3) at half of the agencies reviewed, information security problems remained uncorrected for 5 years or longer; (4) many agencies lack a well-managed information security program with senior management support; (5) although OMB has improved federal information security guidance and its monitoring of agency efforts to address identified weaknesses, the scope and depth of its oversight efforts vary considerably among agencies; (6) the information that OMB obtains on federal information security programs varies significantly in quality, quantity, and usefulness; (7) OMB could use expanded requirements under the Chief Financial Officers Act to further monitor agencies' information security programs and weaknesses; and (8) the recently established Chief Information Officers (CIO) Council can serve as a forum for addressing governmentwide information security issues.