The Government Accountability Office released two reports last week that detailed security weaknesses in two federal agencies responsible for large chunks of the country’s financial information.
A GAO report released Thursday found that the Federal Deposit Insurance Corporation has weaknesses in its information security controls that “place the confidentiality, integrity, and availability of financial systems and information at unnecessary risk.” The GAO released a similar report on Friday saying the Treasury Department’s Bureau of the Fiscal Service — which is responsible for oversight of the federal debt — has a “significant deficiency” in internal controls related to financial reporting.
In the FDIC report, GAO measured a number of security recommendations the office made as part of its yearly audit for 2012. Among the recommendations the FDIC did not fully implement in 2013 were controls for identifying and authenticating users’ identity, restricting access or encrypting sensitive systems and data, completing background reinvestigations for employees and auditing system access.
The report on the Bureau of Fiscal Service found 14 new information system control deficiencies, with half of those related to access controls, which are tied to user passwords or limits placed on what files or resources users are allowed to access. The GAO said a number of these deficiencies have been unresolved since its 2012 audit.
Both reports were couched, with the GAO saying shortcomings did not amount to a “material weakness” in either agency’s system. However, GAO said both agencies are open to unnecessary risk or abuse by not fixing the problems in a timely manner.
Both agencies concurred with the GAO findings, with the commissioner of the Bureau of the Fiscal Service made aware of the weaknesses in a separately-issued, official-use-only report.
The GAO will follow up on the vulnerabilities in each agency with its 2014 audit.