Federal Manager's Daily Report

Agencies have made progress in implementing requirements to shore up information security, but significant weaknesses remain, GAO told the House government management subcommittee recently.

It said its own audits and reviews by inspectors general note significant information security control deficiencies that place agency operations and assets at risk.

In their fiscal year 2008 performance and accountability reports, 20 of 24 major agencies noted that the information system controls over their financial systems and information were either a significant deficiency or a material weakness, according to GAO-09-701T.

It said most agencies have yet to implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information.

An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agency-wide information security program, as required by the Federal Information Security Management Act.

Agencies report increases in the number and percentage of employees and contractors receiving security awareness training, the number and percentage of systems with tested contingency plans, and the number and percentage of systems that were certified and accredited, according to GAO.

However, it said the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly, and the number and percentage of systems that had been tested and evaluated at least annually decreased slightly.