Information Security: Technologies to Secure Federal Systems

GAO-04-467 March 9, 2004
Highlights Page (PDF)   Full Report (PDF, 89 pages)   Accessible Text

Summary

Federal agencies rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to preventing data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. Congress and the executive branch have taken actions to address this challenge, such as enacting and implementing the Federal Information Security Management Act (FISMA). FISMA and other federal guidance discuss the need for specific technical controls to secure information systems. In order to meet the requirements of FISMA to effectively implement these technical controls, it is critical that federal agencies consider whether they have adequately implemented available cybersecurity technologies. GAO was asked by the Chairman of the House Committee on Government Reform and its Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census to identify commercially available, state-of-the-practice cybersecurity technologies that federal agencies can use to defend their computer systems against cyber attacks.

Many cybersecurity technologies offered in today's marketplace can serve as safeguards and countermeasures to protect agencies' information technology infrastructures. To assist agencies in identifying and selecting such technologies, we have categorized specific technologies according to the control functionality they provide and described what the technologies do, how they work, and their reported effectiveness. We identified 18 technologies that are available within these categories, including smart tokens--which establish users' identities through an integrated circuit chip in a portable device such as a smart card or time-synchronized token--and security event correlation tools--which monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred. The selection and effective implementation of cybersecurity technologies require adequate consideration of a number of key factors, including: (1) implementing technologies through a layered, defense-in-depth strategy, (2) considering the agency's unique information technology infrastructure when selecting technologies, (3) utilizing results of independent testing when assessing the technologies' capabilities, (4) training staff on the secure implementation and utilization of these technologies, and (5) ensuring that the technologies are securely configured.