The Government Accountability Office (GAO) has reviewed how 23 civilian federal agencies implemented the Federal Information Security Modernization Act of 2014 (FISMA). Results were mixed regarding whether and how agencies implemented the required security programs.
In May 2021, the Office of Management and Budget (OMB) reported an increased number of cybersecurity incidents at federal agencies, stating that this increase highlights the ever-expanding threats within the digital landscape and the need for the federal government to take action to reduce the impact of cybersecurity incidents. Although not addressed in OMB’s May 2021 report, the SolarWinds Orion incident is a recent example of a breach that resulted in a number of federal agencies receiving software updates that had been compromised with malicious code.
Although agencies have taken steps to respond to these threats, GAO says IT systems are often riddled with security vulnerabilities—both known and unknown.
From 2010 through January 2022, GAO made approximately 3,800 recommendations focused on enhancing the nation’s cybersecurity efforts. As of January 2022, approximately 880 of these recommendations had not been implemented.
FISMA requires federal agencies in the executive branch to develop, document, and implement an information security program to protect the information and systems that support the agencies’ operations and assets. The act also requires agencies to submit Chief Information Officer (CIO) FISMA reports on their agency’s cybersecurity. These reports are to include the metrics that agencies use to assess their progress toward outcomes intended to strengthen federal cybersecurity. In addition to the CIO FISMA reports, the act requires each agency’s Inspector General (IG) or independent external auditor to perform an annual independent evaluation to determine and report on the effectiveness of its agency’s information security program.
FISMA includes a provision for GAO to periodically report to Congress on agencies’ implementation of the act. GAO’s latest review found that agencies reported meeting goals for managing the security of their software assets, as well as for intrusion detection and prevention. However, IGs found that agencies’ performance of cybersecurity practices was uneven. For fiscal year 2020, IGs determined that seven of the 23 civilian agencies covered by the Chief Financial Officers (CFO) Act of 1990 had effective information security programs. Between fiscal years 2017 and 2020, the percentage of agencies receiving effective ratings has generally been consistent, ranging from 22 to 30 percent.
According to officials at all 24 CFO Act agencies, FISMA and its associated reporting process enabled their agencies to improve their information security programs’ effectiveness. Specifically, CIOs and Chief Information Security Officers at 14 agencies stated that FISMA improved program effectiveness to a great extent, while officials at 10 agencies said it improved effectiveness to a moderate extent.
As required under FISMA, OMB, in partnership with other organizations, provides guidance to IGs on conducting and reporting agency FISMA evaluations. GAO found that this guidance was not always clear, leading to inconsistent application by IGs. Further, GAO found that OMB’s overall IG rating scale of “effective” and “not effective” resulted in imprecise ratings that did not clearly distinguish the differing levels of agencies’ implementation of cybersecurity requirements. As a result, IG ratings may be less useful for cybersecurity oversight.
GAO believes that by clarifying its future ratings guidance and improving its rating scale, OMB could help ensure that the reviews provide a more consistent picture of agencies’ cybersecurity performance, enabling Congress to better understand agencies’ relative cybersecurity risks.
GAO is making two recommendations that OMB, in consultation with others, clarify its guidance to IGs and also create a more precise overall rating scale. OMB did not concur with the recommendations and said it wants to provide IGs with the flexibility to adapt their reviews.