The Government Accountability Office (GAO) has released a report indicating that the implementation of the Federal Information Security Modernization Act of 2014 (FISMA) by federal agencies remains largely ineffective. While some improvement was noted from 2021 to 2022, inspectors general (IG) from 15 out of 23 civilian agencies found information security programs to be lacking in effectiveness. The report identifies management accountability issues and gaps in standards and quality control as key causes of this ineffectiveness, emphasizing that addressing these issues is crucial to bolster the federal government’s cybersecurity posture.
Causes of Ineffectiveness and Improvement Practices
Inspectors generally cited various reasons for the ineffective information security programs, with management accountability issues and quality control gaps topping the list. Recognizing the need for improvement, agency officials have identified key practices that contribute to enhancing the effectiveness of their information security programs. Internal communication, organizational characteristics like leadership commitment, and the implementation of centralized policies and procedures were identified as crucial elements for successful FISMA implementation.
OMB Metrics Evaluation and Challenges
The Office of Management and Budget (OMB), in collaboration with oversight groups, provides metrics to assess federal information security programs and FISMA implementation. However, agencies and IGs voiced concerns that some FISMA metrics are not consistently useful in evaluating information security programs. The report suggests that metrics should be more closely tied to performance goals, consider workforce issues and agency size, and incorporate risk factors. Aligning metrics with the key causes of ineffective programs could significantly enhance their utility. The GAO recommends that OMB modify FISMA metrics accordingly to provide a more accurate reflection of agencies’ information security performance.
GAO’s Objectives and Methodology
The GAO, mandated by FISMA to periodically assess agencies’ implementation of the act, had three main objectives for this report. Firstly, to identify the reported effectiveness of agencies’ FISMA implementation; secondly, to uncover the key practices used by agencies to meet FISMA requirements; and thirdly, to explore how FISMA metrics could be improved to better measure the effectiveness of federal agency information security programs.
To achieve these objectives, GAO reviewed FISMA reports from 23 civilian Chief Financial Officers Act of 1990 (CFO Act) agencies, along with performance data and OMB documentation. Notably, the Department of Defense (DOD) was excluded from the analysis due to the classification of its information. Additionally, GAO sought perspectives from the 24 CFO Act agencies, including DOD, and conducted interviews with officials from the Council of Inspectors General on Integrity and Efficiency, the Cybersecurity and Infrastructure Security Agency, and OMB.
As cybersecurity threats continue to evolve, the GAO’s recommendations aim to fortify federal agencies against potential vulnerabilities, ensuring a robust and effective information security framework. The report serves as a call to action for agencies and oversight bodies to collaboratively address the identified challenges and elevate the overall cybersecurity resilience of the federal government.
Read the full GAO report here.
