[ISN] GAO finds information security compliance is sporadic
isn at c4i.org
Thu Jul 29 02:52:03 EDT 2004
By David McGlinchey
dmcglinchey at govexec.com
July 28, 2004
Agency compliance with federal information security standards is
irregular and the process that measures compliance is unreliable, the
Government Accountability Office said in a report released Wednesday.
A GAO survey of 24 federal agencies found that 63 percent of
information systems met security guidelines issued by the National
Institute of Standards and Technology, including the minimum security
controls mandated by the 2002 Federal Information Security Management
Act. The GAO report determined, however, that compliance and
accreditation varied greatly. Seven of the 24 agencies said more than
90 percent of their systems were certified and accredited as secure
while, six reported less than half of their systems were accredited as
The survey was completed for House Government Reform Committee
Chairman Tom Davis, R-Va., who has been critical of the government's
information security. In March, Davis warned of a "cyber Pearl Harbor"
if IT security measures were not improved.
The Housing and Urban Development and Agriculture departments reported
that none of their systems are certified or accredited to meet the
NIST guidelines. Officials at both agencies said concerns over the
certification process caused them to report that their systems were
not in compliance.
The top compliance levels were at the Social Security Administration
and the Nuclear Regulatory Commission, which both registered 100
percent accreditation and certification. NASA reported 98 percent
compliance and the National Science Foundation told GAO that 95
percent of its information systems met the guidelines. At the Defense
Department, 77 percent of systems meet the guidelines, according to
GAO. The study was conducted between September 2003 and June 2004.
The NIST compliance guidelines are an update to its previous security
guidance. They are tailored to "reflect today's more distributed
computing environment in which systems are constantly evolving and
require real-time, ongoing monitoring," according to the report
[GAO-04-376]. The guidelines do not apply to information systems that
deal with intelligence issues, the management of military forces and
other national security subjects.
Every agency surveyed reported that its process for certification and
accreditation met the federal guidelines, but a closer GAO
investigation of four agencies showed that the standards were not
More information about the ISN