Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements

GAO-05-552: Published: Jul 15, 2005. Publicly Released: Jul 15, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov


Federal agencies rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. Concerned with accounts of attacks on systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, Congress passed the Federal Information Security Management Act (FISMA) in 2002. In accordance with FISMA requirements that the Comptroller General report periodically to the Congress, GAO's objectives in this report are to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) the federal government's implementation of FISMA requirements.

Pervasive weaknesses in the 24 major agencies' information security policies and practices threaten the integrity, confidentiality, and availability of federal information and information systems. Access controls were not effectively implemented; software change controls were not always in place; segregation of duties was not consistently implemented; continuity of operations planning was often inadequate; and security programs were not fully implemented at the agencies. These weaknesses exist primarily because agencies have not yet fully implemented strong information security management programs. They put federal operations and assets at risk of fraud, misuse, and destruction; they place financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. Overall, the government is making progress in its implementation of FISMA. To provide a comprehensive framework for ensuring the effectiveness of information security controls, FISMA details requirements for federal agencies and their inspectors general (IG), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB). Federal agencies reported that they have been increasingly implementing required information security practices and procedures, although they continue to face major challenges. Further, IGs have conducted the required annual evaluations, and NIST has issued the required guidance on risk assessments and recommended information security controls and has maintained its schedule for issuing the remaining guidance required under FISMA. Finally, OMB has given direction to the agencies and reported to Congress as required; however, GAO's analysis of its annual reporting guidance identified opportunities to increase the usefulness of the reports for oversight.
While progress has been made in implementing statutory requirements, agencies continue to have difficulty effectively protecting federal information and information systems.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: In revising future FISMA reporting guidance, the Director of OMB should ensure that all aspects of key FISMA requirements are reported on in the annual reports.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: OMB revised its fiscal year 2009 FISMA reporting instructions to request that inspectors general provide information on the quality of the agency's certification and accreditation (C&A) process. This qualitative information included whether the agency has an adequate C&A policy and whether the C&A process adequately provides appropriate risk categories, testing of controls (which covers the annual system reviews), and other items. As a result, the usefulness of the review process for management and oversight purposes is enhanced.

    Recommendation: In revising future FISMA reporting guidance, the Director of OMB should require agencies to report FISMA data by risk category.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: In our July 15, 2005 report on federal agencies' implementation of FISMA, we recommended that OMB require agencies to report FISMA data by risk category. For the subsequent reporting cycle (agencies reporting in 2006 on FY 2005 activities) OMB issued reporting instructions and templates that required agencies to list systems by risk category. OMB's actions thereby implement GAO's recommendation.

    Recommendation: In revising future FISMA reporting guidance, the Director of OMB should request the inspectors general to report on the quality of additional agency processes, such as the annual system reviews.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: OMB revised its fiscal year 2009 FISMA reporting instructions to request that inspectors general provide information on the quality of the agency's certification and accreditation (C&A) process. This qualitative information included whether the agency has an adequate C&A policy and whether the C&A process adequately provides appropriate risk categories, testing of controls (which covers the annual system reviews), and other items. As a result, the usefulness of the review process for management and oversight purposes is enhanced.

    Recommendation: In revising future FISMA reporting guidance, the Director of OMB should review guidance to ensure clarity of instructions.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: In our July 15, 2005 report on federal agencies' implementation of FISMA, we recommended that OMB review its guidance to ensure clarity of instructions. For the subsequent reporting cycle (agencies reporting in 2006 on FY 2005 activities), OMB clarified or deleted questions related to plans of action and milestones (POA&Ms), system inventories, and configuration management. The FY 2005 reporting templates deleted some elements of the POA&M question present in the FY 2004 version. Additionally, the FY 2005 template eliminated the system inventory question that asked about the IG's involvement in developing and verifying the inventory. Also, the FY 2005 template included a more detailed question on configuration management than the FY 2004 template, requiring agencies to identify which software is addressed in agencywide policy and whether agency systems run that software. OMB's actions thereby implement GAO's recommendation.
