GAO report: CMS, VA need better breach response

Federal agencies continue to struggle with information security and need to improve their response to data breaches, the Government Accountability Office says in a new report.

"The federal government collects large amounts of PII [personally identifiable information]  from the public, including taxpayer data, Social Security information and patient health information. It is critical that federal agencies ensure that this information is adequately protected from data breaches, and that they respond swiftly and appropriately when breaches occur," the report states.

As an example, it points to loss of information on about 26.5 million veterans in the 2006 theft of computer equipment from the home of  a Veterans Affairs employee.

The report points out that between 2009 and 2013:

  • The number of data breaches reported by government has more than doubled to 25,566 incidents.
  • The number of incidents involving personally identifiable information swelled by more than 140 percent.
  • Most were not cyber incidents--16 percent were a result of malware and 19 percent were due to policy violation.

It calls for agencies to more closely follow key guidelines in security protocols established by the Office of Management and Budget and the National Institute of Standards and Technology.

The security protocols on PII call for practices including establishing a breach response team, training employees on roles and responsibilities in breach response, offering assistance to those affected and gleaning lessons learned from the incident.

Despite previous reports pointing out their lagging progress, agencies continue to struggle to address the eight required components of an information security program, specifically in implementing security controls, the report says.

This report specifically looks at security practices within the Army, the Internal Revenue Service, Centers for Medicare & Medicaid Services, the U.S. Department of Veterans Affairs, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Federal Retirement Thrift Investment Board and the Securities and Exchange Commission.

Of them, only the IRS consistently documented both an assigned risk level and how that level was determined for PII-related data breach incidents, according to the report. Only the Army and IRS documented the number of affected people for each incident. None of them consistently offered credit monitoring to those affected by the incidents, nor did they document lessons learned from their responses to the breach.

A GAO report in January criticized CMS and the VA for their inconsistent response to data breaches.

The CMS failed to document both risk levels and rationale for its risk determinations, and both agencies failed to document the number of people affected, that report found.

The VA's systems are vulnerable to cyber attacks, a House subcommittee was told in March. The agency "continues to face long-standing challenges in ... implementing its information security program," Greg Wilshusen, director of information security issues at GAO, told lawmakers.

To learn more:
- find the report (.pdf)