Summary: The proposed Government Information Security Act of 1999--S. 1993--seeks to strengthen information security practices throughout the federal government. GAO's work has shown that almost all government agencies are plagued by poor computer security. The dramatic rise in computer interconnectivity has increased the risk of severe disruptions to government operations. Government officials are increasingly worried about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare. S. 1993 would update the legal framework that supports federal information security requirements and would address widespread federal information security weaknesses. In particular, the bill would prescribe a risk-based approach to information security and independent audits of security controls. It also would approach security from a governmentwide perspective, taking steps to accommodate the varying information needs of both national security and civilian agency operations. This testimony discusses how this proposal could substantially improve the federal government's efforts to address its computer security problems. GAO also raises two additional issues--the need for better-defined control standards and centralized leadership--that, if addressed, could further strengthen security practices and oversight.