For 22 years, the Government Accountability Office (GAO) has designated information security as a government-wide high-risk area. The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement information security programs and have independent evaluations of those programs and practices. It also assigns government-wide responsibilities for information security to the Office of Management and Budget (OMB), the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST).
FISMA includes a provision for GAO to periodically report to Congress on agencies’ implementation of the act. In its latest review, the results of which were published July 26, GAO found most of the agencies it assessed had weaknesses in most security control areas. It also found that Inspectors General had reported ineffective programs at 18 of 24 major agencies. A further concern was that OMB coordinated cybersecurity review meetings with three agencies in fiscal year 2018, compared to 24 meetings in 2016.
The review found that, with certain exceptions, OMB, DHS and NIST were generally implementing their government-wide FISMA requirements, including issuing guidance and implementing programs that are intended to improve agencies’ information security. However, OMB has not submitted its required FISMA report to Congress for fiscal year 2018. Also, OMB, in collaboration with the Council of Inspectors General for Integrity and Efficiency (CIGIE), did not include a metric for system security plans, one of the required information security program elements, in its guidance on FISMA reporting. As a result, oversight of agencies’ information security programs was diminished.
GAO is making three recommendations to OMB. First, OMB should submit the statutorily required report to Congress on the effectiveness of agencies’ information security policies and practices during the preceding year. Second, it should expand its coordination of CyberStat review meetings for those agencies with a demonstrated need for assistance in implementing information security. Finally, GAO says the Director of OMB should collaborate with CIGIE to ensure that the inspector general reporting metrics include the FISMA-required information security program element for system security plans.
According to OMB officials, the office plans to issue its fiscal year 2018 report to Congress on the effectiveness of agencies’ information security policies and practices in the near future. In addition, the office plans to continue to collaborate with DHS to identify information security gaps at agencies and work with agencies to address those gaps in CyberStat meetings or by other means. With regard to GAO’s third recommendation, the officials expressed concern with the wording of the recommendation in the draft report, which related to OMB updating the IG metrics. They noted that CIGIE, rather than OMB, is responsible for updating these metrics. Accordingly, GAO revised the recommendation to emphasize the need for OMB to collaborate with CIGIE.