The Federal Information Security Management Act of 2002 set a precedent by requiring agencies to establish an information security program built on a set of eight components and to evaluate their progress annually. FISMA also requires the National Institute of Standards and Technology to develop security standards and guidelines, and the Office of Management and Budget to oversee those standards and their implementation.
By fiscal year, the 24 major federal agencies had put in place many of the requirements mandated by FISMA, but GAO’s report found many vulnerabilities.
In FY 2012, 23 of the 24 major agencies had weaknesses in the controls that limit or detect access to computer resources. For example, according to inspectors general reports, the number of agencies that had analyzed, validated, and documented security incidents increased from 16 to 19, while the number able to track identified weaknesses declined from 20 to 15.
“As the number of cyber-related attacks and information breaches continues to grow, it is critical that our federal agencies do all that they can to not only comply with the law but to ensure that sensitive information is properly secured,” Sen. Tom Carper, D-Del., chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement. “This Government Accountability Office report makes it clear that while some progress has been made, federal agencies still have important work to do when it comes to enhancing the federal government’s information security efforts.”
In its report, GAO recommended that OMB and the Department of Homeland Security apply more pressure to agencies lagging behind and establish clearer guidelines. Furthermore, the metrics used to evaluate FISMA requirements do not cover all eight components. For example, the metrics for conducting risk assessments and developing security plans focus on compliance rather than on the effectiveness of controls. Agencies also lack specific performance targets for measuring their levels of implementation.
GAO also recommended that the OMB director ensure that such metrics are incorporated into the assessment of information security programs in OMB’s annual FISMA-reporting instructions to agencies and inspectors general.