Information Security: Weaknesses at 22 Agencies

AIMD-00-32R November 10, 1999
Full Report (PDF, 20 pages)  

Summary

Pursuant to a congressional request, GAO reviewed computer security weaknesses within 22 federal agencies' operations.

GAO noted that:
(1) the Department of Agriculture's National Finance Center had serious access control weaknesses that affected its ability to prevent or detect unauthorized changes to payroll and other payment data or computer software;
(2) the Department of Commerce Inspector General (IG) reported weaknesses in the Department's information system controls;
(3) weaknesses in Department of Defense (DOD) information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data;
(4) the Department of Education IG reported that improvements were required in security over financial systems and in disaster recovery capabilities;
(5) the Department of Energy recognized the need to improve unclassified computer security, noting the apparent increase in system and network vulnerabilities at the department;
(6) the Environmental Protection Agency IG reported weaknesses in critical mainframe operating system software controls;
(7) as part of its audit of the Federal Emergency Management Agency's financial statements, an independent accounting firm reported information system security and access control deficiencies;
(8) an independent firm recommended that the General Services Administration: (a) strengthen logical and physical access controls over its information technology environment; and (b) apply security policies and procedures uniformly across service lines;
(9) the Department of Health and Human Services IG reported serious control weaknesses associated with the Department's Health Care Financing Administration computers;
(10) the Department of Housing and Urban Development (HUD) IG reported the need for improvements related to general system security, administration of personnel security operations, and access controls over HUD's two major payment systems;
(11) the Department of the Interior IG reported general control weaknesses at the Bureau of Indian Affairs and the U.S. Geological Survey;
(12) the Department of Justice IG reported that improvements were needed in general controls at the department's data centers and component financial management systems; and
(13) the Department of Labor IG reported weaknesses associated with security, access controls, and application software development and change control.