Despite some progress in recent years, most US federal agencies still have significant gaps in their information security controls, according to Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO). In testimony before the House Committee on Oversight and Government Reform, Wilshusen said that continued security problems in several key areas — including access control and configuration management — pose a clear danger to the confidentially, integrity and availability of critical government systems and data. In an interview, Wilshusen said the problem may have to do with the way agencies are dealing with the Federal Information Security Management Act (FISMA).

Excerpts from that interview follow:

What should US federal agencies take away from your testimony?

The key message to take away from my testimony is that agencies need to move away from mere compliance with the FISMA requirement and focus on effective security. One of the things we found is that while agencies are increasingly performing a number of different types of control activities on a greater percentage of their systems and personnel, many of these controls are not effectively implemented. What we got are information security reviews. For example, under FISMA agencies are reporting that an increasing number of their systems have been certified and accredited. For 2006, I think it increased up to 88 percent of all US federal systems.

But the IGs [inspectors general] at 10 of the agencies reported that the quality of the agency certification and accreditation process was either poor or failing. When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect. Whether agencies are focusing on just performing those activities and taking more of a checklist approach in order to get a higher FISMA grade is one issue. If that is what they are doing, they are not going to enjoy the benefits of implementing the processes that result in stronger security.

What does certification and accreditation entail?

Certification is a process where an agency conducts a risk assessment, identifies controls that should be implemented to mitigate those risks and develops a plan to test those controls to see if they are operating effectively. It is a process where they provide training for users of the system and have a plan for continuity of operations for that system. All of this should be done before a system is placed into operation. Once that certification process is gone through, a senior high-ranking official at the agency is supposed to review the certification package and then either authorize the system for operation or not.

Every agency has to go through a certification and accreditation process, not only at initial deployment, but also every three years thereafter or whenever there is a major change of the system. But what we are finding is that agency security testing and evaluation procedures are not very effective. A lot of times, they are not identifying the vulnerabilities that we do when we are testing and evaluating the security controls an agency has implemented. In part, that may be because of the scope of their testing or the type of testing they do. Or maybe their testing is interview-based versus actually going out to check the configuration on specific devices. What we found is that agencies are increasingly implementing FISMA controls, but the performance metrics that are being used for the most part don't really measure the effectiveness of the controls - just merely whether or not the agency implemented it.

In your testimony, you mentioned the need for a common framework that agency inspectors general could use to evaluate and report on the state of security within that agency. Why is there a need for this?

There are two parts to each agency's annual FISMA report. One is what the agency CIO submits, and one is what the agency IG submits. Our analysis showed that the IGs do not really have a common framework for conducting these independent evaluations required by FISMA. One of the things we found is that the scope of some IG [evaluations] were very detailed and identified a number of vulnerabilities and reported on those. Some of the other agency IGs evidently did not do as detailed a review. That kind of makes it a little harder to have a meaningful comparison across agencies and over time. So that is one of the reasons why we are proposing a common framework [that] would identify the type of testing that should be performed and the level and the detail those tests should be performed at. There is a precedent for this. The GAO and the PCIE [President's Council on Integrity and Efficiency] came up together with a common methodology for conducting financial statement audits of the federal government. Something similar might be appropriate for assessing the information security at these agencies.

Soon after the breach at the US Department of Veterans Affairs last year, the Office of Management and Budget (OMB) asked agencies to implement measures to protect personal data. How have agencies responded?

We have a couple of ongoing jobs right now where we are assessing agency efforts at protecting personally identifiable information. We also have another engagement looking at an agency's use of encryption. The objective of those reviews is to determine what policies exist that agencies are implementing to protect personally identifiable information. I cannot get into the results right now because the work is ongoing. What we can say is that agencies have taken note of those [OMB memos] and are working towards implementation.

Another initiative that the OMB is now requiring agencies to undertake, which I think is a very positive step, is the use of common security configurations [on all agency systems]. It is based on an initiative started by the US Air Force in which they worked with Microsoft to ship what they called "secure configurations" on each issue of Microsoft Windows that was shipped to the US Air Force. Now they are trying to do that on a government-wide basis. I think that's a very positive thing. Many of the vulnerabilities we identify are because the operating systems are not securely configured. Usually, vendors set their operating system configurations in the least secure manner in order to facilitate installation and implementation. So if you are able to have these common security configurations implemented on your systems at the point of installation, that's going to help.

Many of the concerns raised in your testimony are the same as those raised in previous GAO reports over the years. Are you surprised at all?

Am I surprised? No. Implementing information security is a very challenging endeavour these days — particularly with the increased demand for interconnectivity and information sharing, the complexity of the computing environment, and the changing nature of threats and vulnerabilities at many agencies. While I won't say I am surprised, I will say this has been a government-wide high-risk area since 1997 and remains so today.