GAO: Mixed results thus far implementing FISMA

Agencies have improved compliance with FISMA requirements, but checking all the boxes has not translated into taking full advantage of the enhancements that are available.


Federal agencies have improved compliance with information security requirements under the Federal Information Security Management Act (FISMA), but checking all the boxes has not translated into taking full advantage of the enhancements that are available, according to a Government Accountability Office report issued to Congress Sept. 26.

The report finds that most of the 24 major federal agencies had established many of the eight key information security program components laid out by FISMA in fiscal 2012, but had only partially implemented others. In the course of its review, GAO evaluated its own previous information security reports, the Office of Management and Budget's annual reports to Congress on FISMA implementation, reports from inspectors general and individual agency reports.

IG reports show the number of agencies that analyzed, validated and documented security incidents increased from 16 to 19 in the past fiscal year, but the number of agencies able to track identified weaknesses actually declined.

GAO states that all but one of the 24 major federal agencies had weaknesses in security controls intended to limit or detect access to computer resources.

In the report, OMB attributed the decline in the number of agencies tracking identified weaknesses to "agencies not updating their policies and procedures after new federal requirements are established or new technologies are deployed."

In summary, agencies have made some progress in FISMA implementation, but major weaknesses persist.

"Notwithstanding the mixed progress made, GAO and inspectors general continue to identify weaknesses in agencies' information security programs and make recommendations to mitigate the weaknesses identified," the GAO report states. "In addition, OMB and (the Department of Homeland Security) continued to develop reporting metrics and assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, focused mainly on compliance rather than effectiveness of controls, and in many cases did not identify specific performance targets for determining levels of implementation."

GAO's report culminates with recommendations to OMB and DHS to "develop compliance metrics related to periodic assessments of risk and development of subordinate security plans" and to develop better metrics for IGs to report on the effectiveness of agency information security programs.

OMB agreed with the recommendations but did not provide any comment, while DHS provided a written response indicating action it plans to take.