Oversight

GAO: Mixed results thus far implementing FISMA

concept cybersecurity art

Federal agencies have improved compliance with information security requirements under the Federal Information Security Act , but checking all the boxes has not translated into taking full advantage of the enhancements that are available,  according to a Government Accountability Office report issued to Congress Sept. 26.

The report suggests that most of the 24 major federal agencies established many of the eight key information security program components laid forth by FISMA in fiscal 2012, but only partially fulfilled others. GAO evaluated its previous information security reports, the Office of Management and Budget's annual reports to Congress on FISMA implementation, reports from inspectors general and individual agency reports during the course of its review.

IG reports show the number of agencies that analyzed, validated and documented security incidents increased from 16 to 19 in the past fiscal year, but the number of agencies able to track identified weaknesses actually declined.

GAO states that all but one of the 24 major federal agencies had weaknesses in security controls intended to limit or detect access to computer resources.

In the report, OMB attributed the decline to "agencies not updating their policies and procedures after new federal requirements are established or new technologies are deployed."

In summary, agencies have seen some progress in FISMA implementation, but major weaknesses persist.

"Notwithstanding the mixed progress made, GAO and inspectors general continue to identify weaknesses in agencies' information security programs and make recommendations to mitigate the weaknesses identified," the GAO report states. "In addition, OMB and (the Department of Homeland Security) continued to develop reporting metrics and assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, focused mainly on compliance rather than effectiveness of controls, and in many cases did not identify specific performance targets for determining levels of implementation."

GAO's report culminates with recommendations to OMB and DHS to "develop compliance metrics related to periodic assessments of risk and development of subordinate security plans" and to develop better metrics for IGs to report on the effectiveness of agency information security programs.

OMB agreed with the recommendations but did not provide any comment, while DHS provided a written response indicating action it plans to take.

About the Author

Frank Konkel is a former staff writer for FCW.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Shutterstock image (by wk1003mike): cloud system fracture.

    Does the IRS have a cloud strategy?

    Congress and watchdog agencies have dinged the IRS for lacking an enterprise cloud strategy seven years after it became the official policy of the U.S. government.

  • Shutterstock image: illuminated connections between devices.

    Who won what in EIS

    The General Services Administration posted detailed data on how the $50 billion Enterprise Infrastructure Solutions contract might be divvied up.

  • Wikimedia Image: U.S. Cyber Command logo.

    Trump elevates CyberCom to combatant command status

    The White House announced a long-planned move to elevate Cyber Command to the status of a full combatant command.

  • Photo credit: John Roman Images / Shutterstock.com

    Verizon plans FirstNet rival

    Verizon says it will carve a dedicated network out of its extensive national 4G LTE network for first responders, in competition with FirstNet.

  • AI concept art

    Can AI tools replace feds?

    The Heritage Foundation is recommending that hundreds of thousands of federal jobs be replaced by automation as part of a larger government reorganization strategy.

  • DOD Common Access Cards

    DOD pushes toward CAC replacement

    Defense officials hope the Common Access Card's days are numbered as they continue to test new identity management solutions.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group