US federal agencies have over the past five years experienced a 650 percent increase in malware infections and other security incidents.
Figures reported to the US Government Accountability Office (GAO) show 41,776 security incidents in 2010 – such as virus and worm outbreaks, unauthorised access, and denial of service – compared to just 5,503 in 2006.
The GAO audits uncovered government-wide weaknesses in information security controls that increased risk to IT systems.
Assessments conducted last year found that each of the 24 major US federal agencies had deficient access controls and problems in configuration and security management.
“Weakness in [agencies'] information security policies and practices compromised their efforts to protect against threats,” the report said.
Most of the hundreds of security improvement recommendations made by GAO to agencies over the last two years were not implemented.
The US Internal Revenue Service (IRS) had not sufficiently restricted employee access to databases, or remediated many other previously reported security issues, the office said.
“As a result, financial and taxpayer information remain unnecessarily vulnerable to insider threats and at increased risk of unauthorised disclosure, modification or destruction.”
And the IRS isn't alone.
The GAO report slammed the US Federal Deposit Insurance Corp. and the US National Archives and Records Administration.
None of the 24 agencies fully implemented an agency-wide information security program required by the US Federal Information Security Management Act (FISMA).
Despite the grim report card, the GAO noted that some progress has been made. It pointed to the CyberScope tool and risk metrics administered by the White House Office of Management and Budget that were used to encourage agencies to improve information security.