Federal Agencies Lag On Internet Security

Federal agencies have failed to meet the requirements of an Office of Management and Budget (OMB) initiative aimed at securing Internet traffic coming in and going out of federal IT networks, according to a report from the General Accountability Office (GAO).

As of September 2009, none of the 23 federal agencies had met all of the requirements of the Trusted Internet Connections (TIC) initiative, though most have made some progress, according to the report, released this week.

The report came alongside another report that found Federal agencies also have been slow to adopt the Federal Desktop Core Configuration (FDCC), another OMB initiative aimed at securing government desktops.

The OMB worked with the Department of Homeland Security and unveiled the TIC in November 2007. In addition to securing network connections, it is also aimed at improving the government's incident-response ability by reducing the number of agencies' external network connections and implementing security controls over the connections that remain.

As part of the initiative, agencies also can provide access points, become an access provider, or seek service from another agency that is a provider.

To meet TIC requirements, agencies had to inventory external connections, establish a target number of TIC access points, and develop and implement plans to reduce connections.

If an agency wanted to be an access provider, it needed also to implement security capabilities such as encryption and physical security, as well as show the DHS that it had consolidated connections and was compliant with security requirements.

Most agencies said they have reduced the number of external connections and have begun work to meet security requirements, but they have experienced delays in becoming fully compliant with TIC, according to the report.

Security is one of the top IT priorities for the federal government, which has been working to set government-wide security standards.

However, if the GAO reports are any indication, agencies have some work to do before actual implementations of security initiatives catch up with the government's intentions to secure its networks.

To help increase compliance with the TIC, the GAO recommends that the OMB be more consistent in letting agencies know when there are additional TIC access points, as well as provide agencies with more timely responses to their questions seeking clarification on security requirements.

The OMB also should improve how it validates TIC requirements by including direct testing and evaluation of the critical capabilities at all agency TIC locations, according to the report.