GAO report sheds light on federal agencies' cybersecurity flaws

September 30, 2015

James Bach

A U.S. Government Accountability Office report released Tuesday revealed that federal agencies are struggling to implement effective cybersecurity measures and policies, a notion that will surprise few.

The report highlighted deficiencies across agencies in cybersecurity controls, including limiting unwanted access to agency systems, limiting software and hardware vulnerabilities, dispersing responsibilities and access to computer operations away from just one person, protecting the continuous operation of systems, and implementing systemwide policies in compliance with federal cybersecurity guidelines.

Anywhere from 15 to 24 agencies were deficient in each of those categories during fiscal 2013 and fiscal 2014.

The report reinforces what was already known. Coincidentally, I had spoken Tuesday with Samuel Visner, senior vice president of Fairfax-based ICF International, just before this report was released.

“There is an uneven distribution of this capability across the government,” Visner told me — some agencies have it, others don’t.

In conversations I have had with cybersecurity experts and large defense companies, the Department of Defense tends to be mentioned as one of the agencies that has been doing this for decades.

“In the Department of Defense, there’s a concept called ‘information dominance,’ where you understand that the information component of warfare is as important as anything else if not in some cases more important,” Visner said. “The ability to secure a network to ensure that our networks function — and perhaps an adversary's don’t — is part of the mission.”

But he added, “For most agencies, cybersecurity isn’t part of the mission, cybersecurity is something you have to do in support of the mission.”

This GAO report is another reminder that cybersecurity is no longer in the domain of just the Defense Department.
