The Government Accountability Office (GAO) is flagging flaws in the Treasury Department’s Bureau of the Fiscal Service’s management of system security plans (SSPs) for the Federal government’s central banking account, flaws that it said have limited insight into the accuracy of financial information.
In a letter addressed to Fiscal Service Commissioner Timothy Gribben and sent on March 13, Anne Sit-Williams, director of Financial Management and Assurance at GAO, wrote that the Federal watchdog was unable to verify the accuracy of financial information for the General Fund – which serves as the Federal government’s central account – in part due to limited documentation and maintenance of external system connections for its SSPs.
“Until Fiscal Service enacts processes that reasonably assure complete and accurate information system security documentation, including SSPs and interconnection agreements, the agency increases the risk that (1) controls are not implemented effectively and security requirements have not been met and (2) connected systems and the data they store, process, or transmit, as well as other networks connected to those systems, can be compromised,” wrote Sit-Williams.
SSPs are documents that describe security measures, controls, and procedures used to protect an information system. They also record all connections to external systems in adherence to cybersecurity guidance from the National Institute of Standards and Technology.
GAO’s audit of the Fiscal Service revealed that the bureau failed to fully document the implementation of security controls for 15 of the General Fund’s key systems, which contain between five and more than 300 controls each and process trillions of dollars’ worth of Federal payments.
While most SSPs lacked complete details, some controls were either not addressed or marked as not applicable without any explanation for their exclusion, Sit-Williams wrote.
In addition to the security controls, the Fiscal Service also failed to adequately maintain or document its interconnection agreements – which determine how the IT systems of different agencies or external organizations are linked and allowed to share data – for its systems.
Of the 15 systems, nine had discrepancies between their SSPs and the actual agreements, while four SSPs were missing agreements altogether, and seven systems had outdated agreements – with some more than three years old.
Sit-Williams also noted that another flaw identified in GAO’s 2024 audit – the finding that the Fiscal Service lacked proper documentation for most Federal Reserve Banks-initiated transactions – limited insight into the General Fund’s financial information.
GAO recommended that the Fiscal Service “reasonably assure” that agency policy related to SSPs and interconnection agreements is fully implemented. Sit-Williams said the Fiscal Service agreed to do so, and to “develop corrective actions.”
The letter comes as the Department of Government Efficiency (DOGE) combs through the Federal government’s spending records and accounts in its asserted attempt to root out government waste and fraud, which has led to lawsuits and outcry from legislators and officials.
