Because of the explosion in computer interconnectivity, there are risks to computer systems, telecommunications, power distribution, emergency services, law enforcement, national defense and other government services. GAO audits show that 22 of the largest Federal agencies have computer security weaknesses. For example, in testing the computer system at the National Aeronautics and Space Administration, GAO penetrated several mission-critical systems and could have disrupted NASA's ongoing command. The fundamental underlying problem is poor security program management. Agencies have responded to recommendations, but they have not implemented a management framework for overseeing information security on an agency-wide basis. Non-Federal organizations known for their superior security programs have a management process that involves assessing risk to determine information security needs; developing policies that meet those needs; promoting awareness to ensure that risks, roles and responsibilities are understood; and instituting an ongoing program of tests and evaluations to ensure that policies are effective. While these steps can better prepare agencies to detect attacks and protect their systems, other actions are needed to improve oversight. It is important that the Federal strategy delineate the roles of the many entities involved in Federal information security. Agencies need more specific guidance on the controls that they need to implement. Routine periodic audits must be implemented to allow for meaningful performance measurement. The executive branch and Congress must effectively use audit results and performance measures to monitor agency performance and take whatever action is deemed advisable to remedy identified problems. Agencies need the technical expertise to protect their computer systems, and they need the resources to support computer security. Agencies should more comprehensively monitor and develop responses to intrusions, viruses and other incidents that threaten Federal systems. Notes