Information Security: Computer Controls over Key Treasury Internet Payment System

GAO-03-837 July 30, 2003

Summary

"Pay.gov" is an Internet portal sponsored and managed by the Department of the Treasury's Financial Management Service (FMS) and operated at three Federal Reserve facilities. Pay.gov is intended to allow the public to make certain non-income-tax payments to the federal government securely over the Internet. FMS estimates that Pay.gov eventually could process 80 million transactions valued at $125 billion annually. Because of the magnitude of the transaction volume and dollar value envisioned for Pay.gov, GAO was asked to determine whether FMS (1) conducted a comprehensive security risk assessment and (2) implemented and documented appropriate security measures and controls for the system's protection.

FMS had not fully assessed the risks associated with the Pay.gov initiative. Although the agency prepared a business risk assessment for the Pay.gov application, it had not fully assessed the risks associated with the Pay.gov computing environment. Insufficiently assessing risks can lead to implementing inadequate or inappropriate security controls.

Although FMS and the Federal Reserve had documented and implemented many security controls to protect Pay.gov, security controls were not always effectively implemented to ensure the confidentiality, integrity, and availability of the Pay.gov environment and data. FMS and the Federal Reserve established and documented key security and control policies and procedures for Pay.gov. In addition, they established numerous controls intended to restrict access to the application and computing environment and performed several security reviews to identify and mitigate vulnerabilities. However, numerous information security control weaknesses increased the risk that external and internal users could gain unauthorized access to Pay.gov, which could lead to the inappropriate disclosure or modification of its data or to the disruption of service. For example, FMS and the Federal Reserve had not consistently implemented access controls to prevent, limit, and detect electronic access to the Pay.gov application and computing environment. These weaknesses involved user accounts and passwords, access rights and permissions, and network services and security, as well as auditing and monitoring of security-relevant events. In addition, weaknesses in other information systems controls--such as segregation of duties, software change controls, service continuity, and application security controls--reduced FMS's effectiveness in mitigating the risk of errors or fraud, preventing unauthorized changes to software, and ensuring the continuity of data processing operations when unexpected interruptions occur.

These computer control weaknesses existed, in part, because FMS did not provide sufficient management oversight of Pay.gov operating personnel at the Federal Reserve facilities to ensure that elements of the Pay.gov computer security program were fully or consistently implemented.



Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: No director on record
Team: No team on record
Phone: No phone on record


Recommendations for Executive Action


Recommendation: To ensure the confidentiality, integrity, and availability of the Pay.gov application and computing environment, the FMS Commissioner should direct the Pay.gov program manager to develop and implement an action plan for strengthening Pay.gov computer controls.

Agency Affected: Department of the Treasury: Financial Management Service

Status: Implemented

Comments: In response to GAO's recommendation, as of December 2003 the Department of the Treasury's Financial Management Service developed and followed a Plan of Action and Milestones that has strengthened IT security controls for Pay.gov.

Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to assess risks for the Pay.gov computing environment.

Agency Affected: Department of the Treasury: Financial Management Service

Status: Implemented

Comments: In response to GAO's recommendation, as of April 2007 the Department of the Treasury's Financial Management Service has developed a risk assessment that addresses risks to the Pay.gov computing environment.

Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to develop technical implementation guidance to (1) assist Pay.gov operating personnel with implementing controls and configuring Pay.gov devices in accordance with strong security practice and (2) document reasons for using less secure configuration settings.

Agency Affected: Department of the Treasury: Financial Management Service

Status: Implemented

Comments: In response to GAO's recommendation, as of May 2005 the Department of the Treasury's Financial Management Service has developed a configuration management plan that addresses configuring Pay.gov devices in accordance with strong security practices and documents configuration settings.

Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to track and actively coordinate with Pay.gov operating personnel to correct or mitigate known weaknesses and report the status of corrective actions to the FMS Commissioner on a regular basis.

Agency Affected: Department of the Treasury: Financial Management Service

Status: Implemented

Comments: In response to GAO's recommendation, as of April 2007 the Department of the Treasury's Financial Management Service has in place Plans of Actions and Milestones that describe its actions to correct or mitigate weaknesses. FMS also provides weekly briefings and reports on the status of corrective actions to the FMS Commissioner.

Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to establish procedures for the proactive review or audit of the configuration settings on Pay.gov devices after installation or maintenance.

Agency Affected: Department of the Treasury: Financial Management Service

Status: Implemented

Comments: In response to GAO's recommendation, as of April 2007 the Department of the Treasury's Financial Management Service has developed a configuration management plan for Pay.gov that contains procedures for reviewing configuration settings on devices when they are installed and when changes occur.