
High Risk Series: An Update
January 2003
[…]
Protecting Information Systems Supporting the Federal Government and
the Nation’s Critical Infrastructures
We have designated information security as a high-risk area across government since 1997 because of continuing evidence indicating significant, pervasive weaknesses in the controls over computerized federal operations. Moreover, related risks continue to escalate, in part due to the government’s increasing reliance on the Internet and on commercially available information technology. In addition, we continue to report significant information security weaknesses in 24 major federal agencies.5
______________________________
5. U.S. General Accounting Office, Computer Security: Improvements
Needed to Reduce Risk to Critical Federal Operations and Assets, GAO-02-231T
(Washington, D.C.: Nov. 9, 2001); and Computer Security: Progress Made, but
Critical Federal Operations and Assets Remain at Risk, GAO-03-303T (Washington,
D.C.: Nov. 19, 2002).
______________________________
Since our last high-risk report, efforts to correct information security
weaknesses and improve federal information security have accelerated both
at individual agencies and governmentwide, including implementing the
government information security reform legislation enacted by the Congress
in October 2000, implementing a related annual reporting process, and developing
guidance and tools for agencies to self-assess their information security
programs.
On December 17, 2002, the Federal Information Security Management Act of 2002
was enacted, to permanently authorize and strengthen the information security
program, evaluation, and reporting requirements established by government
information security reform legislation. This legislation is an essential
step to sustaining agency efforts to identify and correct significant weaknesses.
Nonetheless, further information security improvement efforts are needed at
the agency level and governmentwide. It is important that these efforts be
guided by a comprehensive strategy and that this strategy address certain
key issues, including:
• delineating the roles and responsibilities of the numerous entities
involved in federal information security;
• providing more specific guidance to agencies on the controls that
they need to implement;
• having agencies’ performance monitored by the agencies themselves,
as well as by the Congress and the executive branch;
• providing adequate technical expertise and allocating sufficient resources;
and
• expanding research in the area of information systems protection.
In our January 2001 high-risk update report, we also began to highlight the
increasing importance of the federal government’s efforts to protect
our nation’s critical public and private computer-dependent infrastructure
(such as national defense, power distribution, and water supply), as outlined
in Presidential Decision Directive 63. This year, we are broadening this high-risk
issue to highlight the increased importance of protecting the information
systems that support these critical infrastructures, referred to as cyber
critical infrastructure protection or cyber CIP. Since our 2001 report, terrorist
attacks and threats have further underscored the need to manage CIP activities
that enhance the security of the cyber and physical public and private infrastructures
that are essential to national security, national economic security, and/or
national public health and safety. At the federal level, cyber CIP activities
are perhaps the most critical component of a department or agency’s
overall information security program.
Since 2001, a number of significant actions have occurred to better position
the nation to protect its critical infrastructures, including the following:
• In October 2001, the President established the President’s Critical
Infrastructure Protection Board to coordinate cyber-related federal efforts
for protecting our nation’s critical infrastructures.
• In July 2002, the President and his Office of Homeland Security issued
the National Strategy for Homeland Security, which identifies protecting critical
infrastructures and intelligence and warning as critical components.
• In September 2002, the Protection Board released a comment draft of
a National Strategy to Secure Cyberspace. The board issued this draft because
the National Strategy for Homeland Security states that the administration
will complete cyber and physical infrastructure protection plans to serve
as the baseline for a future comprehensive national infrastructure protection
plan.
• On November 25, 2002, the President signed the Homeland Security Act
of 2002, which established the Department of Homeland Security and, within
it, the Directorate of Information Analysis and Infrastructure Protection.
Although these actions are major steps toward more effectively protecting
our nation’s critical infrastructures, further actions are needed to
fully address our recommendations concerning CIP challenges, including:
• completing a comprehensive and coordinated national CIP strategy,
• improving analysis and warning capabilities, and
• improving information sharing on threats and vulnerabilities.
(See “Highlights of High-Risk Areas.”)
[...]
