Seven of 24 meet security requirements

A recent audit of 24 of the largest federal agencies found only seven agencies in compliance with a law requiring that they certify and accredit their information systems' security.

The audit report released this week by the Government Accountability Office prompted Rep. Adam Putnam (R-Fla.) to issue a statement chastising federal agencies for not complying with security policies and guidelines issued by Office of Management and Budget officials.

Among the 24 agencies reviewed by GAO auditors, six reported having fewer than half of their information systems accredited and certified. Two agencies, the Agriculture and Housing and Urban Development departments, have no accredited and certified systems.

The best performers were the Social Security Administration and Nuclear Regulatory Commission, which reported having 100 percent of their critical information systems certified and accredited to operate.

Officials at 18 of the agencies surveyed said they struggled to find funds to enact the mandatory certifications.

The review looked at agencies' certification and accreditation procedures to determine whether they provided consistent and comparable results. It also looked at whether the certification procedures provide sufficient information for senior agency officials to understand the risks of operating those systems.

GAO's analysis found inconsistencies in the way agencies report certification and accreditation data, which lessened the usefulness of the data. Auditors further questioned the reliability and quality of the data.

The auditors reviewed end-of-year data reported to OMB officials in fiscal 2002 and 2003, in addition to quarterly data submitted to the agency in March. Most of the systems covered in the review were not national security systems.

The audit report recommends that OMB officials amend their reporting guidelines to require agencies to submit additional information on the quality and consistency of their certification and accreditation data.

In addition, it recommends that agency inspectors general examine the quality of agency-reported certification data as part of independent security evaluations that IGs are required to perform under the Federal Information Security Management Act of 2002.

Putnam, who is head of the House subcommittee that oversees federal information technology policies, expressed his disappointment with the report's findings. "The current information security threat environment that exists in the world today demands that the federal government lead by example," he said.
