GAO: Departments lag on FISMA controls

Some of the agencies most critically involved with the country’s security still have not fully implemented key provisions of the Federal Information Security Management Act five years after the act was passed. The Defense, Homeland Security, Justice and State departments especially face challenges in establishing information security control activities that FISMA and the Office of Management and Budget require, the Government Accountability Office said.

The challenges for these agencies arose from various weaknesses, such as inadequate tools and gaps and inconsistencies in guidance, GAO said.

For example, DOD has difficulty developing a complete inventory of major systems because it has different definitions of what constitutes a system. DHS cannot be sure all users have received the appropriate security training because its application counts the number of security courses completed but does not indicate whether someone has taken a specialized course, GAO said in the Oct. 1 report.

These agencies also had problems correcting deficiencies and weaknesses, ensuring that employees receive information security training, and testing security controls. Of the four agencies, only Justice had accomplished full certification and accreditation of systems, and only State had implemented a common security configuration.

“Until the departments address their challenges and fully implement effective departmentwide information security programs, increased risk exists that they will not be able to effectively protect the confidentiality, integrity and availability of their information and information systems,” said Gregory Wilshusen, GAO’s director of information security issues, in his report.

DHS, Justice and State generally agreed with GAO’s recommendations. DOD, however, disagreed with three of six recommendations.

“In general, this office does not believe the draft report accurately reflects the current security posture of the Department of Defense nor does it consider initiatives undertaken and progress the department has made in implementing the provisions of the Federal Information Security Management Act of 2002 over the last five years,” said Robert Lentz, deputy assistant secretary of Defense for information and identity assurance.

Examples of GAO’s recommendations include:

  • For DOD, to develop and apply a plan with milestones to finalize and implement a departmentwide definition of a major information system.

  • For DHS, to coordinate with its workforce office to finalize deployment of the centralized online learning management system for tracking the IT security training of employees.

  • For Justice, to reconcile duplications in its remediation plan tracking tool.

  • For State, to strengthen its security control testing policies and ensure that its component agencies complete the required annual security control and contingency plan testing on all systems.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
