
Access Controls Among Weaknesses in Information Security

The extent to which agencies implemented security program components showed mixed progress from fiscal 2011 to 2012, GAO has said, citing weaknesses in the controls that are intended to limit or detect access to computer resources.

It said inspectors general reports evaluating compliance with the Federal Information Security Management Act of 2002 show that most of the major federal agencies had access control weaknesses that can undermine the long hours and considerable expense invested in hardening systems.

For example, 21 of 24 agencies had weaknesses in their ability to appropriately identify and authenticate system users, such as allowing users to share accounts for multiple systems.

Some agencies had weak password controls, including systems with passwords that had not been changed from the easily guessable default passwords supplied by the vendor, while nearly all had weaknesses in the process used to grant or restrict user access to IT resources.

For example, one agency had not disabled 363 user accounts for individuals who were no longer employed by the agency (another failed to deactivate physical access cards for contractors who no longer worked at the agency), despite a department policy of disabling these accounts within 48 hours of an employee’s departure. Another agency had established a program for remote access to agency systems, but failed to ensure that authentication mechanisms for remote access met NIST guidelines, GAO found.

 
