In its FY 2010 audit under the Federal Information Security Management Act, the GSA inspector general acknowledged that the agency’s chief information officer (CIO) had taken steps to improve cybersecurity, including updating the GSA’s IT security policy, publishing guidance on information security topics, and expanding the security program to include cloud computing.
At the same time, the inspector general warned that the CIO needs to strengthen cybersecurity in four areas: secure monitoring of agency systems, oversight of audit logging and monitoring practices, implementation of multifactor authentication for systems processing sensitive information, and encryption of data on laptops.
The audit noted that “numerous” cybersecurity weaknesses were identified in five GSA systems reviewed by the inspector general. These weaknesses result form “security misconfigurations of database or operating system software”.
According to the audit, “these weaknesses included database and operating system software that was not patched or securely configured and lax password management practices for database administrator accounts. As a result, these systems and their sensitive data were placed at an increased risk of inappropriate access, modification, or destruction.”
Regarding the lack of laptop encryption, the inspector general explained: “GSA laptops are not encrypted because GSA has experienced significant technical problems in integrating the chosen encryption solution in the GSA’s network.”
The inspector general recommended that the CIO take the following actions to improve the cybersecurity situation at the agency: strengthen configuration management practices for GSA systems; work with system security officials to prioritize the implementation of audit logging and monitoring controls; ensure that all systems remotely accessed implement multi-factor authentication; and implement encryption for agency laptops.
The CIO, Casey Coleman, had a terse response to the inspector general’s audit. In a Nov. 23 letter to the inspector general, Casey wrote: “My staff has reviewed the draft audit report and we concur with your audit findings and recommendations.”