GAO Finds Faults in Security Programs at OPM, NASA, Elsewhere
The Office of Personnel Management and three other federal agencies haven't always “effectively implemented access controls” on high-impact systems under their jurisdiction,” GAO said in a report released Tuesday. It stemmed from GAO's survey of 24 federal agencies, including 18…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
that identified cyberattacks from foreign governments on their systems as their most frequently occurring security threat. OPM, the Department of Veterans Affairs, NASA and Nuclear Regulatory Commission displayed control weaknesses in “protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities,” GAO said. “Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs.” All four agencies had fully implemented risk assessments but were less thorough in implementing security plans, controls assessments and action plans, the GAO said. NASA, NRC, OPM and VA “should all fully implement key elements of their information security programs,” GAO said. The four agencies generally agreed to the GAO recommendations, but OPM said it didn’t concur with the recommendation on evaluating its security control assessments.