Information Security: Agencies Need to Implement Consistent Processes In Authorizing Systems for Operation

GAO-04-376 Published: Jun 28, 2004. Publicly Released: Jul 28, 2004.

Highlights

The Office of Management and Budget (OMB) requires agencies to certify the security controls of their information systems and to formally authorize and accept the risk associated with their operation (a process known as accreditation). These processes support requirements of the Federal Information Security Management Act of 2002 (FISMA). Further, OMB requires agencies to report the number of systems authorized following certification and accreditation as one of the key FISMA performance measures. In response to the Congressional request, GAO (1) identified existing governmentwide requirements and guidelines for certifying and accrediting information systems, (2) determined the extent to which agencies have reported their systems as certified and accredited, and (3) assessed whether their processes provide consistent, comparable results and adequate information for authorizing officials.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: To help ensure that federal agencies' certification and accreditation processes consistently provide adequate and effective security controls in their information systems, the Director of the Office of Management and Budget should revise policy and guidance on the security of automated information resources to require federal agencies to continue to implement security certification and accreditation processes consistent with guidance and standards issued by NIST for non-national security systems, including specific reference to the new certification and accreditation guidance as well as FISMA-required standards such as those for system security categorization and minimum security controls.
Status: Closed – Implemented
In its FY 2007 FISMA reporting guidance, dated July 25, 2007, OMB added guidance directing federal agencies to implement security certification and accreditation processes consistent with NIST guidance, including NIST Special Publication 800-37 and Federal Information Processing Standards 199.

Agency Affected: Office of Management and Budget
Recommendation: To help ensure that federal agencies' certification and accreditation processes consistently provide adequate and effective security controls in their information systems, the Director of the Office of Management and Budget should revise policy and guidance on the security of automated information resources to require federal agencies to ensure that periodic testing and evaluation of information security controls, as required by FISMA, include assessing the quality of security certifications and accreditations to facilitate decisions that are based on consistent consideration of key criteria outlined in federal guidance, including a current risk assessment, appropriate control testing and evaluation, a tested contingency plan, and the identification of the specific residual risk being accepted.
Status: Closed – Implemented
In its FY 2007 FISMA reporting guidance, dated July 25, 2007, OMB added guidance which states that the necessary depth and breadth of an annual FISMA review will vary based on risk and system impact level and, in order to ensure the agencies' certification and accreditation process is dynamic and responsive, agencies should develop an enterprise-wide strategy for selecting subsets of their security controls to be monitored on an ongoing basis to ensure all controls are assessed during the three-year accreditation cycle.

Agency Affected: Office of Management and Budget
Recommendation: To improve the consistency and reliability of agency FISMA reporting for administration and congressional oversight, the OMB Director should consider changes to OMB's FISMA reporting guidance that would provide additional clarification that national security systems are to be reflected in reporting performance measurement data and that only systems granted full authorization to operate should be considered in reporting the number of systems certified and accredited.
Status: Closed – Implemented
In its FY 2006 FISMA reporting guidance, dated July 17, 2006, OMB added guidance that provided additional clarification that agencies include all agency national security systems when completing the FISMA report and that only systems granted a full and final authorization to operate are to be considered certified and accredited.

Agency Affected: Office of Management and Budget
Recommendation: To improve the consistency and reliability of agency FISMA reporting for administration and congressional oversight, the OMB Director should consider changes to OMB's FISMA reporting guidance that would require reporting on key aspects of agencies' certification and accreditation processes and efforts, such as how agencies ensure the quality and consistency of their certifications and accreditations and the status of their efforts according to levels of risk or impact established for their systems.
Status: Closed – Implemented
In its FY 2007 FISMA reporting template, dated July 25, 2007, OMB required agencies to report on the number of systems that have been certified and accredited by risk category.

Agency Affected: Office of Management and Budget
Recommendation: To improve the consistency and reliability of agency FISMA reporting for administration and congressional oversight, the OMB Director should consider changes to OMB's FISMA reporting guidance that would encourage the Inspector Generals (IGs) to assess agency FISMA reporting processes and test agency-reported performance data as part of their FISMA-mandated independent evaluations; for example, the IGs could review the quality of agency certifications and accreditations for the subset of systems they evaluate to determine whether they meet appropriate criteria and determine whether such information is accurately reflected in the agencies' compilation of related performance measures.
Status: Closed – Implemented
In its FY 2007 FISMA reporting template, dated July 25, 2007, OMB included a question which required agency IGs to evaluate the certification and accreditation process. The qualitative assessments of the process allow the IG to rate its agency's certification and accreditation process using the terms "excellent," "good," "satisfactory," "poor," or "failing".

Topics

Baseline security controls, Certification and accreditation, Computer security, Executive agencies, Information resources management, Information security management, Information systems, Information systems accreditation, Information systems certification, Information technology, Internal controls, IT security certification and accreditation, Performance measures, Quality assurance, Reporting requirements, Risk assessment, Standards, System security plans