The GAO reviewed wireless network security at 24 federal agencies, concluding that the application of measures to improve security and limit vulnerability to attack “was inconsistent among agencies”.
Among other things, the government watchdog found “gaps” in security measures for “dual-connected laptops and mobile devices taken on international travel”.
“Several agency officials stated that they were aware of the risks posed to mobile devices during international travel, but that agencies had not yet developed policies to address these risks…. By not having documented policies, agencies may be at increased risk that sensitive information could be compromised while a device is in another country, or that malware obtained during an international trip could be inadvertently introduced onto agency networks, placing sensitive data and systems at risk”, the GAO warned.
The GAO reached a number of conclusions about federal agencies’ wireless network security: “gaps exist in policies, network management was not always centralized, and numerous weaknesses existed in configurations of laptops and smartphones…. [Until] agencies take steps to fully implement leading security practices, federal wireless networks will remain at increased vulnerability to attack, and information on these networks is subject to unauthorized access, use, disclosure, or modification.”
To beef up wireless security, the GAO offered recommendations to the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). For OMB, the government watchdog recommended that it include metrics related to wireless security as part of the Federal Information Security Management Act reporting process and develop the “scope and time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs”.
For NIST, the watchdog recommended that it develop and issue guidelines in the following areas: technical steps agencies can take to mitigate the risk of dual-connected laptops; government-wide secure configurations for wireless functionality on laptops and for smartphones; ways agencies can centralize their management of wireless technologies; and criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and monitoring of wireless networks.