Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses

GAO-09-546 Published: Jul 17, 2009. Publicly Released: Jul 17, 2009.

Highlights

For many years, GAO has reported that weaknesses in information security are a widespread problem that can have serious consequences--such as intrusions by malicious users, compromised networks, and the theft of intellectual property and personally identifiable information--and has identified information security as a governmentwide high-risk issue since 1997. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which authorized and strengthened information security program, evaluation, and reporting requirements for federal agencies. In accordance with the FISMA requirement that the Comptroller General report periodically to Congress, GAO's objectives were to evaluate (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) federal agencies' implementation of FISMA requirements. To address these objectives, GAO analyzed agency, inspectors general, Office of Management and Budget (OMB), and GAO reports.

Recommendations

Recommendations for Executive Action

Agency affected: Office of Management and Budget
Recommendation: The Director of the Office of Management and Budget should update annual reporting instructions to request inspectors general to report on the effectiveness of agencies' processes for developing inventories, monitoring contractor operations, and providing specialized security training.
Status: Closed – Implemented
Comments: In fiscal year 2013, we verified that OMB updated its annual FISMA reporting instructions to request that inspectors general report on the effectiveness of agencies' processes for developing inventories, monitoring contractor operations, and providing specialized security training. (3/1/2013)

Agency affected: Office of Management and Budget
Recommendation: The Director of the Office of Management and Budget should clarify and enhance reporting instructions to inspectors general for certification and accreditation evaluations by providing them with guidance on the requirements for each rating category.
Status: Closed – Implemented
Comments: In fiscal year 2013, we verified that OMB clarified and enhanced reporting instructions to inspectors general for evaluating certifications and accreditations by removing the rating categories and providing additional guidance for assessing certifications and accreditations, which are now known as security assessments and authorizations. (3/1/2013)

Agency affected: Office of Management and Budget
Recommendation: The Director of the Office of Management and Budget should include in OMB's report to Congress a summary of the findings from the annual independent evaluations and of significant deficiencies in information security practices.
Status: Closed – Implemented
Comments: In fiscal year 2013, we verified that OMB included in its annual FISMA report to Congress a summary of the findings from the annual independent evaluations and of significant deficiencies in information security practices. (3/1/2013)

Agency affected: Office of Management and Budget
Recommendation: The Director of the Office of Management and Budget should approve or disapprove agency information security programs after review.
Status: Closed – Not Implemented
Comments: In fiscal year 2013, OMB did not provide support to demonstrate that it approves or disapproves agencies' information security programs through the approval of agencies' budgets. (3/1/2013)

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Computer networks, Computer security, Confidential communications, Data storage, Evaluation methods, Information disclosure, Information management, Information security, Information security management, Information security regulations, Information systems, Inspectors general, Internal controls, Privacy policy violation, Reporting requirements, Risk assessment, Risk management, Systems evaluation, Unauthorized access, Compliance, Policies and procedures, Program implementation