A recent Government Accountability Office (GAO) audit of 24 agencies found that 13 of them “had not fully defined the role of their chief information security officer (CISO) in accordance with the requirements of the Federal Information Security Modernization Act of 2014 (FISMA 2014).”
CISOs are responsible for ensuring their agencies meet the requirements of the law, including developing, documenting and implementing the agency-wide information security program.
“Federal agencies face an ever-increasing array of cyber threats to their information systems and information. To address these threats, FISMA 2014 requires agencies to designate a CISO—a key position in agency efforts to manage information security risks,” GAO emphasized.
However, GAO’s 88-page audit report stated, “these agencies did not always identify a role for the CISO in ensuring that security controls are periodically tested; procedures are in place for detecting, reporting and responding to security incidents; or contingency plans and procedures for agency information systems are in place. Thus, CISOs’ ability to effectively oversee these agencies’ information security activities can be limited.”
According to GAO, the 24 CISOs it surveyed “identified challenges that limited their authority to carry out their responsibilities to oversee information security activities. These challenges can impact agencies’ ability to effectively manage information security risk.”
The 24 CISOs “also reported that other factors posed challenges to their abilities to carry out their responsibilities effectively, including difficulties related to having sufficient staff; recruiting, hiring and retaining security personnel; ensuring that security personnel have appropriate expertise and skills; and a lack of sufficient financial resources,” GAO reported.
“Several government-wide activities are under way to address many of these challenges,” GAO said, noting, however, that “while the Office of Management and Budget (OMB) has a statutory responsibility under FISMA 2014 to provide guidance on information security in federal agencies, it has not issued such guidance addressing how agencies should ensure that officials carry out their responsibilities and personnel are held accountable for complying with the agency-wide information security program. As a result, agencies lack clarity on how to ensure that their CISOs have adequate authority to effectively carry out their duties in the face of numerous challenges.”
GAO made 33 recommendations to 13 agencies to fully define the role of their CISOs in accordance with FISMA 2014. Twelve of the 13 agencies concurred with the recommendations addressed to them, and one agency partially concurred or did not concur with the recommendations directed to it.
GAO responded, saying it “continues to believe that these recommendations are valid and should be implemented as discussed in this report. GAO also recommends that OMB issue guidance for clarifying CISOs’ roles in light of identified challenges. OMB partially concurred with the recommendation. GAO maintains that action is needed as discussed further in the [audit] report.”