Oversight

GAO: Mixed results thus far implementing FISMA

concept cybersecurity art

Federal agencies have improved compliance with information security requirements under the Federal Information Security Act , but checking all the boxes has not translated into taking full advantage of the enhancements that are available,  according to a Government Accountability Office report issued to Congress Sept. 26.

The report suggests that most of the 24 major federal agencies established many of the eight key information security program components laid forth by FISMA in fiscal 2012, but only partially fulfilled others. GAO evaluated its previous information security reports, the Office of Management and Budget's annual reports to Congress on FISMA implementation, reports from inspectors general and individual agency reports during the course of its review.

IG reports show the number of agencies that analyzed, validated and documented security incidents increased from 16 to 19 in the past fiscal year, but the number of agencies able to track identified weaknesses actually declined.

GAO states that all but one of the 24 major federal agencies had weaknesses in security controls intended to limit or detect access to computer resources.

In the report, OMB attributed the decline to "agencies not updating their policies and procedures after new federal requirements are established or new technologies are deployed."

In summary, agencies have seen some progress in FISMA implementation, but major weaknesses persist.

"Notwithstanding the mixed progress made, GAO and inspectors general continue to identify weaknesses in agencies' information security programs and make recommendations to mitigate the weaknesses identified," the GAO report states. "In addition, OMB and (the Department of Homeland Security) continued to develop reporting metrics and assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, focused mainly on compliance rather than effectiveness of controls, and in many cases did not identify specific performance targets for determining levels of implementation."

GAO's report culminates with recommendations to OMB and DHS to "develop compliance metrics related to periodic assessments of risk and development of subordinate security plans" and to develop better metrics for IGs to report on the effectiveness of agency information security programs.

OMB agreed with the recommendations but did not provide any comment, while DHS provided a written response indicating action it plans to take.

About the Author

Frank Konkel is a former staff writer for FCW.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.