Two related reports from the General Accounting Office (GAO) point out significant issues with the IT systems involved in managing and servicing more than $22 trillion in federal debt. The reports — one a GAO financial audit of the Bureau of the Fiscal Service, and the other a management report on the Federal Reserve — each conclude that there are problems with the configuration and control systems within IT. And while those problems have not yet resulted in system breaches, according to the reports, they're worthy of immediate attention and remediation.
In the financial audit of the Bureau of the Fiscal Service, auditors include a section in which they underscore the importance of a significant deficiency in information system controls. "These general control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations," they say. In particular, the audit mentions the lack of least privilege access as a security concern for systems.
The audit also lists broad suggestions for remediation, though it doesn't express any great optimism for the implementation of those steps. "We continued to identify instances in which known information system vulnerabilities were not being remediated on a timely basis. We also continued to identify instances in which implemented configuration settings were not effectively monitored against baseline security requirements," they say.
Federal Reserve Banks are charged with implementing many of the practical steps of dealing with the national debt. Although the GAO didn't audit the banks, it did conduct a management review looking at issues similar to those raised in the Bureau of the Fiscal Service audit. The GAO issued a pair of reports, one limited to staff and the board of governors, and the other a high-level public report.
The public management report points out deficiencies in configuration management. "These new and continuing control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs," it says.
Though the deficiencies have not resulted in breaches, the response to them has not been to improve the technology or how it is used. Rather, the GAO found the deficiencies were "mitigated primarily by Fiscal Service's compensating management and reconciliation controls to detect potential misstatements of the Schedule of Federal Debt."
Each report points out that some of the issues identified in previous audits and reports have been mitigated, while others remain to be dealt with.