GSA not implementing cybersecurity policies, says IG
The General Services Administration doesn't lack cybersecurity policies; it just isn't necessarily enforcing them, according to the GSA inspector general.
In an annual review of agency cybersecurity dated Dec. 7, the IG faults the GSA office of chief information officer for not comprehensively testing baseline configuration security requirements. That lack of testing, combined with security officials not applying cybersecurity requirements, resulted in a database and operating system software that was not patched, not securely configured, and which had lax passwords for admin accounts, the review states.
The review also criticizes the OCIO for not consistently implementing a policy on audit logging and monitoring on three of the five systems the IG examined. Due to the lack of logs, security officials "may be unable to identify unauthorized activity or when GSA systems are compromised," auditors say. They attribute log scarcity mainly to lack of priority while GSA is otherwise engaged in standing up enterprisewide continuous monitoring.
Meanwhile, none of the five systems under review had multifactor authentication for remote access, despite National Institute of Standards and Technology guidelines calling for it, auditors add. One system had an identified requirement to set up multifactor authentication (the other four didn't), but that requirement wasn't tracked or prioritized on the system's Federal Information Security Management Act plan of action and milestones.
They also find that GSA is not encrypting its laptops, a problem first identified by auditors in 2008. The chosen encryption solution has "experienced significant technical problems" within the GSA network, the review says.
In a terse, 59-word response to the review, GSA CIO Casey Coleman wrote that "my staff has reviewed the draft audit report and we concur with your audit findings and recommendations," with the additional 42 words being mostly administrative in nature.
For more:
- download the GSA IG review, A100085/O/F/F1100 (.pdf)