Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements
Highlights
For many years, GAO has reported on the widespread negative impact of poor information security within federal agencies and has identified it as a governmentwide high-risk issue since 1997. Legislation designed to improve information security was enacted in October 2000. It was strengthened in December 2002 by new legislation, the Federal Information Security Management Act of 2002 (FISMA), which incorporated important new requirements. This testimony discusses (1) the Office of Management and Budget's (OMB) recent report to the Congress required by FISMA on the government's overall information security posture, (2) the reported status of efforts by 24 of the largest agencies to implement federal information security requirements, (3) opportunities for improving the usefulness of performance measurement data, and (4) progress by the National Institute of Standards and Technology (NIST) to develop related standards and guidance.