HHS, FDA, VA among the 24 federal agencies with ineffective security, report says

Inspectors general and GAO have made hundreds of recommendations to these agencies about deficiencies in security controls, but many have yet to be fully implemented.
By Jessica Davis
12:45 PM

The U.S. Department of Health and Human Services, Food and Drug Administration and the Department of Veterans Affairs are among the 24 federal agencies with widespread security failures due to ineffective security programs, according to a new Government Accountability Office report.

The majority of those organizations are struggling in five control areas: access controls, configuration management, segregation of duties, contingency planning and security management. In fact, the report found that most agencies lacked effective security program functions in fiscal year 2016.

Specifically, the FDA and HHS have “a significant number of security control weaknesses that jeopardize the confidentiality, integrity and availability of its information systems and industry and public health data.”

The FDA hasn’t fully or consistently implemented access controls, such as those meant to manage security configurations for hardware and software. The report also found the FDA lacks a contingency plan and protection for media to ensure the data on these devices is sanitized before being discarded.

Both GAO and inspectors general have made hundreds of recommendations to these agencies to address “security control deficiencies.” However, many have yet to be fully implemented. Further, no new recommendations were made in the report, as the previous audits have highlighted these vulnerabilities.

“The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security,” the report authors wrote. But “systems used by federal agencies are often riddled with security vulnerabilities -- both known and unknown.”

“The Federal Information Security Modernization Act of 2014 requires federal agencies in the executive branch to develop, document and implement an information security program and evaluate it for effectiveness,” they added.

Every year, the agencies' security programs and practices are reviewed by an inspector general or outside auditors. Last year, 24 agencies were audited, and only seven were found to have effective security. Not only that, but the flaws found could easily compromise the systems.

“Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise,” the authors wrote. “We continue to monitor the agencies’ progress on those recommendations.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com