Computer security at the FBI has been slammed in a report from the US Government Accountability Office (GAO) which investigates taxpayer spending.

The GAO Information Security Report (PDF) found that the FBI suffered from critical security flaws, and did not have enough staff trained in computer security.

The agency was also accused of failing to authenticate users accessing sensitive information. 

"Shortcomings exist with certain elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialised security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning," the report stated.

"Without a fully implemented programme, certain security controls will likely remain inadequate or inconsistently applied."

The report found that network hardware was not configured correctly to withstand attack, and not all the devices were logged or correctly updated. It also called for more use of encryption to protect valuable data.

The GAO found that general patch management for network operating systems was lacking, and claimed that the agency did not have complete security planning.

"The FBI concurs with many of the GAO's technical recommendations and the programmatic recommendation to continue the implementation of information security activities in order to fully establish a comprehensive Information Assurance Program," said the FBI in a statement.

"The FBI does not agree that it has placed sensitive information at an unacceptable risk for unauthorised disclosure, modification or insider threat."