Summary: Evaluations of computer security published since July 1999 continue to show that federal computer security is plagued by weaknesses that put critical operations and assets at risk. Significant weaknesses were identified in each of the 24 agencies covered by this review. These weaknesses place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. For example, weaknesses at the Department of the Treasury increase the risk of fraud associated with billions of dollars of federal payments and collections. Weaknesses at the Department of Defense increase the vulnerability of various military operations that support its war-fighting capability. Information security weaknesses place confidential data at risk of inappropriate disclosure, such as the case of a Social Security Administration employee who pled guilty to unauthorized access of the administration's systems. The related investigation determined that the employee had made unauthorized queries, including obtaining earnings information for members of the local business community. Weaknesses cover the full range of computer security controls. They include inadequate security program planning and management, ineffective physical and logical access controls, ineffective software change controls, inadequate segregation of staff duties to reduce the risk of unauthorized transactions or software changes, and inadequate control over sensitive operating system software and insufficient planning to ensure continuity of computerized operations. Although most agencies have taken at least some corrective actions based on recommendations by GAO and agency inspectors general, more needs to be done, especially in the area of security program planning and management.