Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures
Why It's High Risk
Federal agencies and our nation's critical infrastructures—such as power distribution, water supply, telecommunications, national defense, and emergency services—rely extensively on computerized information systems and electronic data to carry out their operations. The security of these systems and data is essential to preventing disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information and to protecting national and economic security, and public health and safety. Safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection, or cyber CIP—is a continuing concern.
GAO has designated federal information security as high risk since 1997 and expanded this area to include cyber CIP in 2003. The continued risks to information systems and cyber critical infrastructure include
- insider threats from disaffected or careless employees and business partners,
- escalating and emerging threats from around the globe,
- the ease of obtaining and using hacking tools,
- the steady advance in the sophistication of attack technology, and
- the emergence of new and more destructive attacks.
What We Found
The administration and executive branch agencies (including the Department of Homeland Security (DHS)) continue to improve the security of federal systems, better protect cyber-reliant critical infrastructures, and strengthen the nation's security posture. However, the administration and executive branch agencies continue to experience significant deficiencies that jeopardize the nation's cyber critical infrastructure and federal systems and information.
The administration and executive branch agencies have not yet fully implemented key actions that are intended to address threats and improve the current U.S. approach to cybersecurity, such as:
- updating the national strategy for securing the information and communications infrastructure,
- developing a comprehensive national strategy for addressing global cybersecurity and governance,
- creating a prioritized national and federal research and development agenda for improving cybersecurity,
- implementing the near- and mid-term actions recommended by the cybersecurity policy review directed by the president,
- enhancing cyber analytical and technical capabilities to protect against cyber threats,
- strengthening the effectiveness of the public-private sector partnerships in securing cyber critical infrastructure, and
- overcoming shortcomings and challenges associated with the implementation of several of the governmentwide security initiatives.
Further, agencies have not consistently implemented effective controls to prevent, limit, and detect unauthorized access or manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
Agencies also have not yet fully or effectively implemented an agencywide information security program.
What Needs to Be Done
Federal efforts are needed to
- update and implement national strategies and plans for securing cyber critical infrastructures,
- address global cybersecurity and governance,
- prioritize cybersecurity research and development, and
- complete near- and mid-term cybersecurity actions recommended by a presidentially-directed review.
Additionally, executive branch agencies, in particular DHS, need to
- improve and expand their cyber analytical and technical capabilities,
- demonstrate progress in strengthening the effectiveness of public-private sector partnerships in securing cyber critical infrastructures, and
- expand oversight of federal agencies' implementation of information security.
To enhance security over federal systems and information, agencies need to
- develop and implement remedial action plans for resolving known security deficiencies of government systems,
- fully develop and effectively implement agencywide information security programs, as required by the Federal Information Security Management Act of 2002, and
- demonstrate measurable, sustained progress in improving security over federal systems.
Key Reports
Information Security
GAO-11-43, Nov 30, 2010
Cyberspace Policy
GAO-11-24, Oct 6, 2010
Information Security
GAO-10-916, Sep 15, 2010
Critical Infrastructure Protection
GAO-10-628, Jul 15, 2010
Cyberspace
GAO-10-606, Jul 2, 2010
Information Management
Cybersecurity
Information Security
GAO-10-513, May 27, 2010
Cybersecurity
GAO-10-834T, Jun 16, 2010
Information Security
GAO-10-237, Mar 12, 2010
Information Security
Cybersecurity
GAO-10-338, Mar 5, 2010