The majority of US government offices still have major weaknesses in their information security controls, a report by the US Government Accountability Office has warned.
The confidentiality, integrity and availability of critical information systems are in jeopardy as a result of these weaknesses, according to the grim assessment of US government IT security.
"Almost all of the major federal agencies had weaknesses in one or more areas of information security controls," said Gregory Wilshusen, the Government Accountability Office’s director of information security. "Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems or information."
The 33-page report was based on the state of security in 2006 in 24 government offices. Several agencies reported making progress in certain areas, such as security awareness training for employees and contractors.
The percentage of systems tested and evaluated on an annual basis has also risen, as has the number of systems with tested contingency plans and the number certified and accredited as secure.
But these achievements were overshadowed by several major weaknesses: in access controls meant to ensure that only authorised staff could reach critical data, and in configuration management controls, segregation of duties and business continuity planning.
The "persistent weaknesses" in each of these areas contributed to a spate of serious security breaches across US government offices last year. The breaches mentioned in the report included the compromise at the US Department of Veterans Affairs, which resulted in the potential exposure of data on 26 million veterans.
Another breach was a laptop theft from the US Centers for Medicare and Medicaid Services, which could have exposed the personal records of nearly 50,000 individuals. Elsewhere, the US Department of Agriculture accidentally posted the personal data of 39,700 people on a public website, and the US Transportation Security Administration came close to having 100,000 employee records exposed.
"The breakthrough at yesterday's hearing was the end of resistance to the idea that the Federal Information Security Management Act is fatally flawed," commented Alan Paller, director of research at the SANS Institute, a security research and education organisation.
The act, which specifies the controls all major federal agencies are required to follow, has drawn increasing criticism, with many regarding it as a bureaucratic exercise that adds little substance to US government information security efforts.