The General Services Administration’s inspector general says the agency needs to shore up its cybersecurity.
However, the issue is not one of new regulations and policies, but of enforcing the ones already on the books, according to a year-end IG report.
The Dec. 8 review, mandated under the Federal Information Security Management Act, found that database and operating systems were not securely configured and that some administrator accounts had lax passwords.
The IG’s verdict was that baseline configuration security requirements were not properly tested and that cybersecurity policies already in place were not implemented, according to a FierceGovernmentIT report.
The report noted that GSA is making progress on applying “continuous monitoring,” which is the near real-time guarding of networks as opposed to periodic paper-driven reports filed weeks down the road.
But in the meantime, the report found, proper safeguards are not in place for logging unauthorized use of the networks.
The IG also found that GSA failed to securely encrypt its laptops, a problem first brought to attention in 2008. Laptops remain unencrypted because, up to now, the agency has “experienced significant technical problems in integrating the chosen encryption solution in the GSA’s network.”
The report recommends the agency undertake better oversight of monitoring and better planning to implement requirements.
In a written reply to the report, GSA Chief Information Officer Casey Coleman, in what FierceGovernmentIT called a “terse” response, said that GSA staff “has reviewed the draft audit report and we concur with your audit findings and recommendations.”