Government officials are increasingly concerned about attacks on computer networks from individuals and groups with malicious intentions. Twenty-two of the largest Federal agencies have computer security weaknesses, such as insufficient understanding of risks and technical staff shortages. The National Plan for Information Systems Protection recognizes the need for the Federal Government to take the lead in addressing critical infrastructure risks. But the GAO believes the plan should place more emphasis on providing agencies with incentives to implement the controls necessary to assure comprehensive computer security as opposed to implementing intrusion detection capabilities. A Federal strategy needs to delineate roles and responsibilities of the numerous Federal entities involved in information security. The proliferation of organizations with overlapping oversight responsibilities is a source of potential confusion. The plan recognizes the need for risk-based standards for information systems that would help agencies ensure that their most critical operations and assets are protected at the highest levels. There is no mechanism for routinely testing and evaluating the effectiveness of agency information security programs. The plan's provisions for testing agency controls may not be rigorous enough. However, the plan does a good job to develop skilled computer security personnel. It is important that spending be targeted to reduce the most significant risks with future funding based on risk-based results. More needs to be done to monitor responses to viruses. The plan relies too much on the outmoded and inadequate Computer Security Act of 1987. This is a fundamental problem for several reasons, including focusing too much attention on individual security systems rather than taking an organization-wide perspective. It is reasonable for the plan to seek to establish a Partnership for Critical Infrastructure Security and a National Infrastructure Assurance Council because the Federal Government is limited in its ability to protect critical infrastructures. Table, footnotes