Select language

Blog

Australia

Cybersecurity Follow-up Audit

Year Published: 2017

Language: English

Sector: Revenue and Taxation, Personnel Administration and Training, Borders and immigration

Issue: Cybersecurity

Download

In June 2014, ANAO Audit Report No. 50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems was tabled in Parliament. The report examined seven Australian Government entities’1 implementation of the mandatory strategies in the Australian Government Information Security Manual (Top Four mitigation strategies). The Top Four mitigation strategies are: application whitelisting, patching applications, patching operating systems and minimising administrative privileges.2 The audit found that none of the seven entities were compliant with the Top Four mitigation strategies and none were expected to achieve compliance by the Australian Government’s target date of 30 June 2014.

The Joint Committee of Public Accounts and Audit held a public hearing to examine Report No. 50 on 24 October 2014. Three of the seven audited entities—the Australian Taxation Office, the Department of Human Services, and the then Australian Customs and Border Protection Service3—appeared before the hearing to explain their plans and timetables to achieve compliance with the Top Four mitigation strategies. Each of the three entities gave assurance to the Joint Committee of Public Accounts and Audit that compliance with the Top Four mitigation strategies would be achieved during 2016.

In 2015, the ANAO conducted a second performance audit to examine a further four government entities’ compliance with the Top Four mitigation strategies. The four entities were: Australian Federal Police, Australian Transaction Reports and Analysis Centre, Department of Agriculture and Water Resources and the Department of Industry, Innovation and Science. The ANAO Performance Audit Report No. 37 2015–16 Cyber Resilience was tabled in May 2016. In this audit the ANAO found that two entities—Australian Transaction Reports and Analysis Centre, Department of Agriculture and Water Resources—were compliant with the Top Four mitigation strategies. The other two agencies were not compliant with these strategies. The ANAO made three recommendations and all entities agreed with all recommendations

Weblink : https://www.anao.gov.au/work/performance-audit/cybersecurity-follow-audit

Summary/Highlight:

The Australian Government Information Security Manual outlines 35 strategies to assist government entities mitigate the risk of cyber intrusions to their information and communications technology (ICT) systems.6 The Australian Signals Directorate7 advised that if government entities implemented the top four of these 35 strategies (Top Four mitigation strategies), it would prevent 85 percent of targeted cyber intrusions.

The Top Four mitigation strategies are:

  • using application whitelisting8 on desktops and servers to prevent malicious software and unapproved programs from running on a computer;
  • applying application patches9 through sound policies, procedures and practices to help ensure the applications’ security;
  • applying security patches through sound policies, procedures and practices to operating systems to mitigate security risks and reduce system vulnerabilities; and
  • effectively managing access provisions for privileged user accounts across an entity’s ICT environment, including the entity’s network, applications, databases and operating systems.
myGov Digital Services

Year Published: 2017

Language: English

Sector: Cross Government, Revenue and Taxation

Issue: E-Governance

Download

The myGov digital service (myGov) is an entry portal for individuals to access the services of participating government entities. It was launched in May 2013 to provide individuals with secure online access to a range of Australian Government services in one place. It was expected to provide a whole-of-government digital service delivery capability and to improve the experience for individuals who choose to self-manage their interactions with government services. The four year myGov project (2012–13 to 2015–16) was to provide:

  • a single username to access member services;
  • search ability to identify available government services;
  • the ability to notify multiple services about changes of personal contact details;
  • the ability to submit data online to validate facts, including for proof of identity; and
  • lower costs and more timely communications from services via a digital mailbox.

The Digital Transformation Agency is responsible for myGov service strategy, policy and user experience.2The Department of Human Services (Human Services) is responsible for administering and hosting myGov, including processes and procedures for system development and testing, security and operational performance.

By November 2016, myGov supported nearly 11 million active accounts and ten member services.

Weblink : https://www.anao.gov.au/work/performance-audit/mygov-digital-services

Summary/Highlight:

The Department of Human Services’ implementation of myGov as a platform to deliver whole-of-government online services has been largely effective.

Fit-for-purpose strategic and operational governance arrangements operated for the first three years of the myGov project, followed by a one year gap in strategic governance when interim arrangements had a largely operational focus. This gap was addressed in July 2016 with the re-establishment of a strategic governance board.

There were 9.5 million user accounts registered in myGov by the end of the four year project—nearly double the business case forecast of 5.1 million. myGov has contributed to improved delivery of government services for individuals by providing three key functionalities—single digital credential, Update Your Details and Inbox—to reduce the time spent transacting with government. Several requirements to improve usability have only recently been implemented and a small number of requirements are yet to be delivered. As at November 2016, there were ten government services available through myGov. While it is not mandatory for member services to participate in myGov, the effectiveness of myGov as a whole-of-government capability has been hampered by government services not joining myGov and not fully adopting the myGov functionalities.

Since late 2015, the myGov platform has been hosted on high-availability infrastructure, which has improved performance, especially during peak demand periods, with performance targets consistently met. Suitable security and privacy measures were in place to control access and protect sensitive data stored in myGov.

In 2012, the Government approved a budget for the myGov project of $29.7 million for 2012–13 to 2015–16based on the functionalities set out in the business case. The myGov project was not delivered within this original agreed funding, with actual expenditure to June 2016 totalling $86.7 million. Over the four years of the project an additional $37.8 million in funding was approved by Government, and Human Services funded the remaining $19.2 million from a pre-approved ICT contingency fund. Departmental records indicate that the increase in operating expenses over the four years of the project—from $8.5 million in 2012–13 to $37.3 million in 2015–16—was primarily driven by the costs associated with supporting the large number of user accounts (nearly double the forecast) and the improved high-availability infrastructure.

Performance metrics to enable the quantification of actual savings in the six areas identified in the business case were not developed. In the absence of such metrics, it is not possible to determine whether the expected savings have been realised in all six areas.

Cyber Resilience

Year Published: 2016

Language: English

Sector: Agriculture, Industry, Science & Technology

Issue: Cybersecurity

Download

In June 2014, the Australian National Audit Office tabled in Parliament ANAO Audit Report No.50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems. The report examined implementation of the mandatory strategies in the Australian Government Information Security Manual (ISM).

The Joint Committee of Public Accounts and Audit (JCPAA) held a public hearing to examine Report No.50 on 24 October 2014. The Committee was concerned that the seven entities audited were not compliant with the ‘Top Four’ strategies in the ISM. And that none of the entities were expected to achieve compliance by the mandated target date of 30 June 2014.

In light of concerns about entities’ shortcomings to achieve compliance, the JCPAA asked the Auditor-General to extend the coverage of the audit to include other entities. In response to the JCPAA, a performance audit was scheduled to assess another four selected entities’ compliance with Australian Government requirements.1 This report is the outcome of the audit.

Weblink : https://www.anao.gov.au/work/performance-audit/cyber-resilience

Summary/Highlight:

All entities made efforts to achieve compliance with the mandated strategies in the ISM. Two of the four selected entities achieved compliance—AUSTRAC and the Department of Agriculture and Water Resources. Two entities did not achieve compliance—Australian Federal Police and the Department of Industry, Innovation and Science.

The ANAO has made three recommendations aimed at achieving compliance with mandated strategies in the ISM. The recommendations are likely to apply to other Australian Government entities not specifically examined in this audit.

Cyber Attacks: Securing Agencies’ ICT Systems

Year Published: 2014

Language: English

Sector: Revenue and Taxation, Personnel Administration and Training, Borders and immigration

Issue: Cybersecurity

Download

Governments, businesses and individuals increasingly rely on information and communications technology (ICT) in their day-to-day activities, with rapid advances continuing to be made in how people and organisations communicate, interact and transact business through ICT and the Internet. In the government sector, ICT is used to deliver services, store and process information, and enable communications, with a consequent need to protect the privacy, security and integrity of information maintained on government systems.

Cyber crime is an international problem, and it is estimated that in 2012, 5.4 million Australians fell victim to such crimes, with an estimated cost to the economy of $1.65 billion.1,2 In the government sector, the Australian Signals Directorate (ASD)3 has estimated that between January and December 2012, there were over 1790 security incidents against Australian Government agencies. Of these, 685 were considered serious enough to warrant a Cyber Security Operations Centre response.4

The protection of Australian Government systems and information from unauthorised access and use is a key responsibility of agencies, having regard to their business operations and specific risks. In the context of a national government, those risks can range from threats to national security through to the disclosure of sensitive personal information. Unauthorised access through electronic means, also known as cyber intrusions, can result from the actions of outside individuals or organisations. Individuals operating from within government may also misuse information which they are authorised to access, or may inappropriately access and use government information holdings.

For some years, the Australian Government has established both an overarching protective security policy framework, and promulgated specific ICT risk mitigation strategies and related controls, to inform the ICT security posture6 of agencies. In 2013, the Government mandated elements of the framework, in response to the rapid escalation, intensity and sophistication of cyber crime and other cyber security threats.

Weblink : https://www.anao.gov.au/work/performance-audit/cyber-attacks-securing-agencies-ict-systems

Summary/Highlight:

The selected agencies were assessed on their: compliance with the top four mitigation strategies and related controls; maturity to effectively manage logical access and change management as part of normal business processes (IT general controls); observed compliance state as at 30 November 2013; and reported planned compliance state by 30 June 2014.

The ANAO’s summary findings for each of the selected agencies are reported in the context of a matrix, which indicates agencies’ overall level of protection against internal and external threats as a consequence of the steps taken to implement the top four strategies and IT general controls. The matrix, which is referred to as the Agency Compliance Grade, indicates where agencies are positioned in terms of ICT security zones: vulnerable zone; externally secure zone; internally secure zone, and cyber secure zone. The zones are explained further in Table S.2 and illustrated in Figure S.1. An agency’s position indicates its overall ICT security posture—in essence how well the agency is protecting its exposure to external vulnerabilities and intrusions, internal breaches and disclosures, and how well it is positioned to address threats

India

Performance Audit on Crew Management System Union Government, Railways

Year Published: 2015

Language: English

Sector: Transport

Issue: Information Management

Download

Crew Management System (CMS) was introduced over Indian Railways (IR) to manage crew assignments to various trains and to improve efficiency in crew operations, their monitoring and compliance with safety requirements and to improve financial management. CMS project was sanctioned by IR during 2005-06 and was expected to be completed by 2010. In Indian Railways, CMS was planned for implementation at 747 lobbies/locations. It was targeted for integration and implementation as one of the modules of Freight Operations Information System (FOIS) by 2010. As on 31st March 2015, it was rolled out in 372 lobbies which include two training locations and one testing location at CRIS Headquarters. The extent of achievement of the objectives of CMS was evaluated in Audit and the aspects relating to IT application controls, IT security, continuity of the organization’s business, contracting issues, project management/monitoring and change management were also reviewed. The study has revealed that the CMS has failed to fully achieve its objectives

Weblink :
https://www.cag.gov.in/content/report-no-47-2015-performance-audit-crew-management-system-union-government-railways

Summary/Highlight:

The major audit findings are as under:

  • Non-updation/Improper feeding of master data of crew, crew family details, routes, loco holding detail and lack of validation controls led to inaccurate inventory of crew, routes, loco holding, thus, defeating the very purpose of effective monitoring of crew. [Para 2.1.1 to 2.1.8]
  • Crew members were booked without ensuring their competency in all respect of the prescribed criteria. Inconsistencies were noticed in data pertaining to assignment and scheduling of crew. Abnormal delay was noticed in approving crew sign on/off activities. [Para 2.1.9 to 2.1.14]
  • SMS facility was not actively in use for crew booking. Mileage statements generated through CMS were incorrect and could not be directly used for payment. Manual records were being maintained simultaneously at lobbies resulting in non-achievement of objective of making the lobbies paperless. [Para 2.2.1, 2.3.1 & 2.3.2]
  • Data relating to training/tests for crew was not correctly updated. MIS generated for monitoring crew training were not giving actionable information. Dummy loco numbers were used for validating crew competency for loco which raises suspicion as to the deployment of competent crew. Crew members were booked in excess of the prescribed duty hours. [Para 2.4.1 to 2.4.3, 2.4.6]
Audit of e-Procurement

Year Published: 2014

Language: English

Sector: Cross Government , Public Administration

Issue: E-Governance

Download

Government of Karnataka (GoK) envisaged a project to provide unified end-to-end e-Procurement solution to cover all procurement processes from preparation of estimate/indents to final payment of bills to the contractors. The main objective of the e-Procurement project (project) was smart governance, improvement of efficiency, cost saving, ensuring consistency in cost of goods, providing fair competitive platform, arresting cartel formation of suppliers/ contractors/bidders etc. All the departments of the State Government whose tender value is more than ` five lakh are mandated to float tenders through the e-Procurement portal. The work relating to e-Procurement was awarded (December 2006) to M/s. Hewlett Packard Sales India Private Ltd (Partner) as Application Service Provider adopting Public Private Partnership model where the bidder pays for using the services. The revenue earned is shared between the Partner and the Centre for e-Governance, Department of Personnel and Administrative Reforms (DPAR), the implementing agency as per agreed rates. The project went live during March 2011.

Weblink : https://www.cag.gov.in/sites/default/files/audit_report_files/Chapter_3_Information_Systems_Audit.pdf

Summary/Highlight:

Delay and poor implementation led to the government not deriving full benefit of the unified e-Procurement solution. The off-the-shelf e-Procurement application was not adequately customised to suit the specific user requirements and KTPP provisions. Opportunities for using IT for improving efficiencies has not been utilised fully. Inadequate testing had lead to incomplete supplier history and incorrect management information system reports. The application suffered from four out of the OWASP Top Ten security vulnerabilities. Although the Government had intended to implement an end-to-end procurement solution with benefits of transparency and smart governance, the e-Procurement portal had no information about contracts concluded, works in progress, works completed, goods supplies done, expenditure progress, abandoned works, letters of intent and works yet to be started. Thus, the project failed in achieving its intended benefits of transparency and smart governance, leading to a situation where the envisaged end-to-end procurement solution for Government of Karnataka was used only as a tender processing website even after eight years of its implementation.

UK

Protecting information across government

Year Published: 2106

Language: English

Sector: Cross-government, Public administration

Issue: Information Security

Download

Five years ago, we highlighted the importance of three major themes in tackling government’s challenges:

  • taking a structured approach to reducing costs;
  • improving financial management; and
  • using information effectively.

We argued that without significant progress in all three areas, government would not be able to transform services and achieve sustainable improvements and savings. Our work over the last five years has identified some improvements in these areas. Across government, there is a much deeper understanding of the challenges and opportunities of transformation. But our work also shows that attempts to transform government have had mixed success. Many public services appear increasingly unsustainable. Those responsible for major programmes have continued to exhibit over-optimism and make slow progress towards their objectives.

Government’s recent experience has highlighted several important building blocks for transformation:

  • Strategic business planning and management: Our report Government’s management of its performance: progress with single departmental plans found that a strong planning framework is needed to counter problems in delivering new services successfully.
  • Building and deploying capabilities: Our report Capability in the civil service highlighted the importance of getting the right skills and experience to support new ways of working
  • Improving the use of technology and data: Our work on major transformation programmes has shown how difficult it is to use technology effectively to enable transformation.
  • Managing evolving programmes and portfolios Our work on major programmes has also shown how difficult it can be to assure and manage major transformation programmes, balancing more iterative approaches with robust programme and project management disciplines.

These building blocks will help to counter tendencies to make decisions for tactical reasons without addressing wider considerations. They allow departments to balance short-term spending targets with long-term strategies. At the same time, better information and access to expertise will help to support and assure complex programmes.

Weblink : https://www.nao.org.uk/report/digital-transformation-in-government/

Summary/Highlight:

Government faces significant challenges in providing public services. Continuing austerity has put additional demands on departments, which are already trying to tackle complex reforms with fewer staff and smaller budgets. Our work across government has highlighted the problems this can create for financial sustainability and the need to transform public services. 2 In 2011, the Coalition Government launched its Government ICT Strategy and set up Government Digital Service (GDS) as a centre of digital expertise within the Cabinet Office. Since then, GDS has worked to improve the quality of online information and help transform services so that they meet users’ needs. 3 Transformation has not been straightforward. While many government services are now available online, departments and GDS have struggled to manage more complicated programmes and to improve the complex systems and processes that support public services. 4 In February 2017, the government published its Government Transformation Strategy. The strategy sets out GDS’s new approach to supporting transformation across government and its aims for the current spending review period. 5 In this report, we review the role of GDS in supporting transformation and the use of technology across government. Our report is structured as follows: • Part One describes how GDS has evolved and sets out some of the questions that a central technology function needs to consider. • Part Two considers GDS’s role in coordinating and setting strategy across government. • Part Three looks at how GDS has supported other departments, including by promoting new technologies and uses of data. • Part Four examines how GDS has developed a more common approach to digital development across government through setting standards, establishing reusable central systems and controlling spending.

Digital Britain 2: Putting users at the heart of government’s digital services

Year Published: 2013

Language: English

Sector: Cross Government

Issue: E-Governance

Download

This report is about the government’s strategy for moving public services to ‘digital by default’, published in November 2012. The strategy incorporated data on 1,298 users from a government survey in August 2012 as data on citizens and small and medium-sized businesses use of, and willingness to engage with, public services online was limited.1 To give the Committee of Public Accounts assurance about the digital strategy, and that its approach to assisting those who are offline to use digital services is based on sound assumptions about the preferences, capabilities and needs of users in England, we commissioned independent research. This included a face-to-face survey of over 3,000 people, an online survey of 130 businesses and eight focus groups in England. 2 The government started to move to online public services in 2000. In December 2011, we reported on the key developments over the previous decade.2 While we found progress in making it easier for people to find government information and services online, we did not find robust data on the costs or benefits of spending. Therefore we could not conclude that the government had achieved value for money in working towards its objectives. 3 When we last reported, the Cabinet Office had set up the Government Digital Service (‘GDS’) to accelerate the move towards digital public services. We made several recommendations for the GDS that they progressed in 2012. In particular, we recommended that it should lead on integrating digital plans across government and improve its analysis of the costs and benefits of going digital. We also recommended that the GDS should have the authority to set and implement policy and work closely with stakeholders to provide digital services that put users first. 4 The GDS is working to make services ‘digital by default’. Digital by default is defined as “digital services that are so straightforward and convenient that all those who can use them will choose to do so while those who can’t are not excluded”.3 However, the strategy also highlights the savings that can come from switching to digital channels. The GDS has identified more than 650 public services that central government provides (excluding the NHS, local councils and the police). These could yield total potential annual savings of £1.7 billion to £1.8 billion if they were provided digitally. In 2011-12, according to GDS, these services cost between £6 billion and £9 billion to operate and more than 300 have no digital channel.4 The savings estimate does not include the costs that may be required to create or redesign digital services. However, it also does not take into account the government’s new approach to becoming digital, set out in its strategy, which could lead to greater savings being achieved more quickly.

In this report we have tested the assumptions made about users in the government digital strategy. Our future audits will evaluate value for money as government redesigns services and moves them online.

Weblink : https://www.nao.org.uk/report/digital-britain-2-putting-users-at-the-heart-of-governments-digital-services/

Summary/Highlight:
6 The government has made more ambitious plans over the last year, for making public services digital. It is 13 years since the government first announced that it would move public information and transaction services online; a move it initially intended to complete by 2005. Since we last reported in December 2011, the government’s interest has broadened from consolidation of government websites to the more fundamental need to redesign public services with users at the heart. In July 2012, the Civil Service Reform Plan committed the government to becoming digital wherever possible.5 In November 2012, the Government Digital Strategy was published, which includes ways to help those who are not online to engage with government online (paragraphs 1.1, 1.7 and 1.9). 7 Set up in 2011, the Government Digital Service established firm leadership of this digital agenda. In particular it has: • started to improve the Cabinet Office’s digital capacity, and establish digital leaders in departments; • replaced the Directgov and Business.gov portals to public services with a single website – GOV.UK a single point of entry to online public services; • analysed and published cost and performance information on online public services; and • published the Government Digital Strategy (paragraphs 2.2 to 2.9). 8 The Government Digital Strategy is based on sound evidence that many people and small- and medium-sized businesses can access and have the skills to use online public services. From our surveys we found that 83 per cent of people use the internet. Whether people live in a rural or urban area appears to make little difference to their internet use. Age, socio-economic group and disability do affect internet use. Over 90 per cent of those we surveyed who were online were experienced internet users who felt confident about completing online tasks without help. However, 7 per cent of those online lack confidence and may need help to use the internet (paragraphs 3.2, 3.3, 3.8 and 3.11)

USA

Federal Information Security: Actions Needed to Address Challenges

Year Published: 2016

Language: English

Sector: Law and order

Issue: Cybersecurity

Download

The dependence of federal agencies on computerized information systems and electronic data makes them potentially vulnerable to a wide and evolving array of cyber-based threats. Securing these systems and data is vital to the nation’s safety, prosperity, and well-being. Because of the significance of these risks and long-standing challenges in effectively implementing information security protections, GAO has designated federal information security as a government-wide high-risk area since 1997. In 2003 this area was expanded to include computerized systems supporting the nation’s critical infrastructure, and again in February 2015 to include protecting the privacy of personally identifiable information collected, maintained, and shared by both federal and non-federal entities. GAO was asked to provide a statement on laws and policies shaping the federal IT security landscape and actions needed for addressing longstanding challenges to improving the nation’s cybersecurity posture. In preparing this statement, GAO relied on previously published work. Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of September 16, 2016, about 1,000 have not been implemented.

Weblink : https://www.gao.gov/key_issues/ensuring_security_federal_information_systems/issue_summary#t=1

Summary/Highlight:

What GAO Found Cyber incidents affecting federal agencies have continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015. Several laws and policies establish a framework for the federal government’s information security and assign implementation and oversight responsibilities to key federal entities, including the Office of Management and Budget, executive branch agencies, and the Department of Homeland Security (DHS). However, implementation of this framework has been inconsistent, and additional actions are needed:

  • Effectively implement risk-based information security programs. Agencies have been challenged to fully and effectively establish and implement information security programs. They need to enhance capabilities to identify cyber threats, implement sustainable processes for securely configuring their computer assets, patch vulnerable systems and replace unsupported software, ensure comprehensive testing and evaluation of their security on a regular basis, and strengthen oversight of IT contractors.
  • Improve capabilities for detecting, responding to, and mitigating cyber incidents. Even with strong security, organizations can continue to be victimized by attacks exploiting previously unknown vulnerabilities. To address this, DHS needs to expand the capabilities and adoption of its intrusion detection and prevention system, and agencies need to improve their practices for responding to cyber incidents and data breaches.
  • Expand cyber workforce and training efforts. Ensuring that the government has a sufficient cybersecurity workforce with the right skills and training remains an ongoing challenge. Government-wide efforts are needed to better recruit and retain a qualified cybersecurity workforce and to improve workforce planning activities at agencies.
Agencies Need to Improve Controls over Selected High-Impact Systems

Year Published: 2016

Language: English

Sector: Cross-government

Issue: Cybersecurity

Download

Federal systems categorized as high impact—those that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm—warrant increased security to protect them. In this report, GAO (1) describes the extent to which agencies have identified cyber threats and have reported incidents involving high-impact systems, (2) identifies government-wide guidance and efforts to protect these systems, and (3) assesses the effectiveness of controls to protect selected high-impact systems at federal agencies. To do this, GAO surveyed 24 federal agencies; examined federal policies, standards, guidelines and reports; and interviewed agency officials. In addition, GAO tested and evaluated the security controls over eight high-impact systems at four agencies.

Weblink : https://www.gao.gov/products/GAO-16-501

Summary/Highlight:

In GAO’s survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently-occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting their high-impact systems, with almost 500 of the incidents involving the installation of malicious code.

Government entities have provided guidance and established initiatives and services to aid agencies in protecting their systems, including those categorized as high impact. The National Institute of Standards and Technology has prescribed federal standards for minimum security requirements and guidance on security and privacy controls for high-impact systems, including 83 controls specific to such systems. The Office of Management and Budget (OMB) is developing plans for shared services and practices for federal security operations centers but has not issued them yet. In addition, agencies reported that they are in the process of implementing various federal initiatives, such as tools to diagnose and mitigate intrusions on a continuous basis and stronger controls over access to agency networks.

The National Aeronautics and Space Administration (NASA), Nuclear Regulatory Commission (NRC), Office of Personnel Management (OPM), and Department of Veterans Affairs (VA) had implemented numerous controls over the eight high-impact systems GAO reviewed. For example, all the agencies reviewed had developed a risk assessment for their selected high-risk systems. However, the four agencies had not always effectively implemented access controls. These control weaknesses included those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities. Weaknesses also existed in patching known software vulnerabilities and planning for contingencies.