GAO cites information security weaknesses

Recommends Office of Management and Budget revise FISMA guidance

Despite indications that agencies have improved their compliance with parts of the Federal Information Security Management Act, many major agencies still consider their information security controls a significant deficiency or material weakness, according to the Government Accountability Office.

Gregory Wilshusen, director of information security issues at GAO, told the House Oversight and Government Reform Committee's Government Management, Organization and Procurement Subcommittee today that many agencies had not fully or effectively implemented key elements of an agencywide information security program, as FISMA requires. GAO also recommended that the Office of Management and Budget improve its guidance for FISMA reporting.

GAO’s findings come as lawmakers consider reforming FISMA, which critics say relies too heavily on paper compliance reports and does not fully address information technology vulnerabilities. Sen. Thomas Carper (D-Del.) introduced legislation on April 28 designed to improve FISMA.

“Six years after FISMA was enacted, we continue to report that poor information security is a widespread problem with potentially devastating consequences,” Wilshusen said in prepared remarks based on a draft GAO report. That draft analyzed reports on government information security from agencies, inspectors general, OMB, Congress and the GAO.

GAO found that out of 24 major agencies:

  • Thirteen reported controls over financial systems and information as a “significant deficiency” and seven reported them as a “material weakness” in their performance and accountability reports for fiscal 2008.
  • Twenty-two of the agencies’ inspectors general identified information security as a “major management challenge” for their agency.
  • Twenty-three had reported weaknesses in access controls, and 23 had weaknesses in their agencywide information security programs.

Wilshusen said OMB’s annual instructions for FISMA reporting were not always clear and did not cover key security activities. In addition, he said, OMB did not include key information about findings and significant deficiencies identified by IGs in its report to Congress on agencies’ FISMA compliance.

Vivek Kundra, the federal chief information officer and the top IT official in OMB, said the administration wanted to make security compliance more automatic and ongoing. FISMA “has raised the level of awareness in the agencies and in the country at large, but we’re not where we need to be,” he said.

Kundra said the administration’s initial review of government information security showed that the performance data currently collected under FISMA does not reflect agencies’ security posture, and that the current collection process is cumbersome and takes time away from meaningful analysis. He also said there is too much focus on compliance and not enough on outcomes.

“While the current reporting metrics have made sense, or may have made sense when FISMA was enacted, they’re largely compliance based; they are trailing — rather than leading — indicators,” Kundra said. “We need metrics that give us insight into agencies’ security postures and possible vulnerabilities on an ongoing basis.”

Agencies need to adopt a “risk-based approach” to IT security, Kundra said, including for cloud computing, which President Barack Obama endorsed in his fiscal 2010 budget request.

About the Author

Ben Bain is a reporter for Federal Computer Week.
