Sens. Lieberman, Collins, Carper React to Report on Security of Nation’s Information Systems

GAO report finds major weaknesses in agencies' FISMA implementation

WASHINGTON – Today, Sens. Joe Lieberman (ID-Conn.), Chairman of the Committee on Homeland Security and Governmental Affairs, Susan Collins (R-Maine), Ranking Member of the Committee on Homeland Security and Governmental Affairs, and Tom Carper (D-Del.), Chairman of the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, reacted to a Government Accountability Office (GAO) report on the implementation of the Federal Information Security Management Act of 2002 (FISMA). The GAO report, which is mandated by FISMA, identified a number of troubling findings, including: 24 federal agencies studied still have major weaknesses in their cyber security policies and practices; a select number of agencies have failed to fully implement information security programs compliant with FISMA requirements; and federal agencies’ cyber networks have significant weaknesses that continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk of attack or compromise.

Under FISMA, the Office of Management and Budget (OMB) – which oversees and annually reports to Congress on agency information security policies and practices – along with other federal agencies and the National Institute of Standards and Technology, has taken steps to improve federal agencies’ security requirements. Despite these efforts, the GAO found that more work needs to be done to improve guidance and outcomes for federal agencies’ information security efforts. In this most recent report, the GAO recommends that OMB further reform its reporting requirements and guidelines to better address real security performance.

“GAO reports that the federal government must do a whole lot more to ensure the integrity of its information and information systems,” said Sen. Lieberman. “Reports of security incidents have risen 650 percent in the past five years – an increase that demonstrates that federal systems will remain prime targets for the foreseeable future. IT officials throughout the government need to implement their security programs to the fullest extent and take whatever additional steps are necessary – GAO has made hundreds of recommendations – if federal information and networks are to be protected against attack or compromise.”

“There is perhaps no greater vulnerability that Congress has yet to address through legislation than the insecurity of cyberspace,” said Sen. Collins. “Today’s report points out too many serious vulnerabilities. We must fortify the government’s efforts to safeguard its own cyber networks from attack and build a public/private partnership to promote stronger national cyber-security. Unfortunately, the government’s work on this issue continues to be disjointed, ineffective, and uncoordinated. Reform legislation continues to languish. This simply cannot continue because the stakes are far too high.”

“As the number of cyber-related attacks and information breaches continues to grow, it is disturbing that the Government Accountability Office found repeated weaknesses and vulnerabilities in the security of our federal information systems,” said Sen. Carper. “These findings are all the more troubling given that GAO has been telling us for some time that these are areas of vulnerability and must be addressed, yet we still haven’t made enough progress in shoring up these obvious weaknesses. Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future, and they need the proper oversight and guidance to accomplish that goal. The implementation of FISMA was a good start, but it is clear more steps need to be taken to enhance the federal government’s information security. Legislation that I introduced with Senators Lieberman and Collins earlier this year will help strengthen FISMA requirements and provide more tools to combat cyber attacks. It is my hope that we can pass this much-needed cyber security legislation as soon as possible so we can improve our efforts to keep Americans’ valuable personal information – and our nation’s information infrastructure – secure.”

The Cybersecurity and Internet Freedom Act of 2011, introduced by Sens. Lieberman, Collins and Carper, would address many of the issues identified in the report by modernizing the government’s ability to safeguard the nation’s cyber networks and strengthening DHS authorities to establish situational awareness for federal networks and develop tools to improve resilience of federal government systems and networks.