GAO: Agencies failed to implement recommended information security controls

Twenty-four major federal agencies remain vulnerable to cyber-attack and information theft because they repeatedly have failed to fully implement information security controls, the Government Accountability Office says in an Oct. 3 report. 

In the report, entitled "Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements," GAO says it and agency inspectors general have made hundreds of recommendations over the past two years. The agencies agreed with the recommended actions and said they would implement them, but guidance from the Office of Management and Budget did not always provide targets for measuring improvement, according to the report.

Agencies also had inadequate processes for implementing requirements, GAO says. These included:

  • Insufficient training;
  • Inadequate monitoring of security controls;
  • Failure to remediate weaknesses effectively; and
  • Failure to resolve incidents quickly.

The greatest weaknesses were in access controls, configuration management and security management, according to the report.

"Until hundreds of recommendations are implemented and program weaknesses are corrected, agencies will continue to face challenges in securing their information and information systems," GAO says, noting security incidents increased more than six-fold over 5 years, to 41,776 incidents in 2010.

The auditors recommended the OMB director provide performance targets for metrics, but agreed with OMB that the metrics could be issued by the Department of Homeland Security. DHS already issues performance metrics, the summary notes.

For more:
- read the GAO summary
- read the full report, GAO-12-137 (.pdf) 
