Agencies Need to Correct Weaknesses and Fully Implement Security Programs GAO-15-714: Published: Sep 29, 2015.
From the webpage:
Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. Most agencies continue to have weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer resources; (2) managing the configuration of software and hardware; (3) segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation; (4) planning for continuity of operations in the event of a disaster or disruption; and (5) implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis (see fig.). These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies’ efforts to fully implement effective information security programs. In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented.
Can you guess why "…many of these recommendations remain unimplemented"?
The first and foremost reason is that disregarding a recommendation by the GAO or inspectors general has no consequences, none.
Can you imagine being in charge of maintaining your corporate firewall and, when it is breached, telling your boss, "Yeah, I know you said to fix the old one, but I got busy and just never did it."
What do you think the consequences for you personally would be? (You have only one guess.)
It doesn’t appear to work like that at federal agencies. The same people make the same mistakes, over and over again, with no consequences whatsoever.
The only way to change the current cybersecurity state of federal agencies is to provide consequences for failure to improve.
The GAO and inspectors general should be given day-to-day control over agency spending and personnel decisions as they relate to cybersecurity priorities, and should be empowered to hire and fire staff as they see fit.
Any other remedy is a recipe for federal security that barely tests script kiddies, much less more serious international opponents.