Federal Information Security:

Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

GAO-13-776: Published: Sep 26, 2013. Publicly Released: Sep 26, 2013.


Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

In fiscal year 2012, the 24 major federal agencies had established many of the components of an information security program required by the Federal Information Security Management Act of 2002 (FISMA); however, they had only partially established others. FISMA requires each federal agency to establish an information security program that incorporates eight key components, and requires each agency inspector general to annually evaluate and report on the agency's information security program and practices. The act also requires the Office of Management and Budget (OMB) to develop and oversee the implementation of policies, principles, standards, and guidelines on information security in federal agencies, and the National Institute of Standards and Technology (NIST) to develop security standards and guidelines.

The extent to which agencies implemented security program components showed mixed progress from fiscal year 2011 to fiscal year 2012. For example, according to inspectors general reports, the number of agencies that had analyzed, validated, and documented security incidents increased from 16 to 19, while the number able to track identified weaknesses declined from 20 to 15. GAO and inspectors general continue to identify weaknesses in elements of agencies' programs, such as the implementation of specific security controls. For instance, in fiscal year 2012, almost all (23 of 24) of the major federal agencies had weaknesses in the controls that are intended to limit or detect access to computer resources.

OMB and the Department of Homeland Security (DHS) continued to develop reporting metrics and to assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, such as conducting risk assessments and developing security plans; are focused mainly on compliance (whether a control is in place) rather than on the effectiveness of controls (whether the control actually works); and in many cases do not identify specific performance targets for determining levels of implementation. Enhancing these metrics would provide additional insight into agency information security programs.

Why GAO Did This Study

FISMA requires the Comptroller General to periodically report to Congress on agency implementation of the act's provisions. To this end, this report summarizes GAO's evaluation of the extent to which agencies have implemented the requirements of FISMA, including the adequacy and effectiveness of agency information security policies and practices. To do this, GAO analyzed its previous information security reports, annual FISMA reports and other reports from the 24 major federal agencies, reports from inspectors general, and OMB's annual reports to Congress on FISMA implementation. GAO also interviewed officials at OMB, DHS, NIST, and 6 agencies selected on the basis of the total number of systems each agency reported in fiscal year 2011.

What GAO Recommends

GAO and inspectors general have previously made numerous recommendations to improve agencies' information security programs, and the agencies generally agreed with GAO's recommendations. In addition, GAO previously recommended that OMB revise its annual reporting guidance to require performance targets, with which OMB generally agreed. GAO is also recommending that the Director of OMB ensure that OMB's annual FISMA reporting instructions to agencies and inspectors general incorporate metrics that assess the effectiveness of information security programs.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, to enhance the usefulness of the annual FISMA reports and to provide additional insight into agencies' information security programs, should develop compliance metrics related to periodic assessments of risk and development of subordinate security plans.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, to enhance the usefulness of the annual FISMA reports and to provide additional insight into agencies' information security programs, should develop metrics for inspectors general to report on the effectiveness of agency information security programs.

    Agency Affected: Executive Office of the President: Office of Management and Budget
