Information Security: Additional Oversight Needed to Improve Programs at Small Agencies
Highlights
What GAO Found
The six small agencies GAO reviewed have made mixed progress in implementing elements of information security and privacy programs as required by the Federal Information Security Management Act of 2002, the Privacy Act of 1974, the E-Government Act of 2002, and Office of Management and Budget (OMB) guidance (see figure).
[Figure: Agencies' Implementation of Information Security and Privacy Elements in Fiscal Year 2013 (figure not reproduced in this text version)]
*Agency 5 was not required to complete a privacy impact assessment.
In a separate report for limited official use only, GAO is providing specific details on the weaknesses in the six selected agencies' implementation of information security and privacy requirements.
OMB and the Department of Homeland Security (DHS) took steps to oversee and assist small agencies in implementing security and privacy requirements. For example, OMB and DHS instructed small agencies to report annually on a variety of metrics that are used to gauge implementation of information security programs and privacy requirements. In addition, OMB and DHS issued reporting guidance and provided assistance to all federal agencies on implementing security and privacy programs. However, 55 of 129 small agencies identified by OMB and DHS are not reporting on information security and privacy requirements. Further, the agencies in GAO's review have faced challenges in using the guidance and services offered. Until OMB and DHS oversee agencies' implementation of information security and privacy program requirements and provide additional assistance, small agencies will continue to face challenges in protecting their information and information systems.
Why GAO Did This Study
Small federal agencies—generally those with 6,000 or fewer employees—are, like larger agencies, at risk from threats to the information systems that support their operations and the information those systems contain, which can include personally identifiable information. Federal law and policy require small agencies to meet information security and privacy requirements and assign responsibility to OMB for overseeing agencies' activities. OMB has assigned several of these duties to DHS.
GAO was asked to review cybersecurity and privacy at small agencies. The objectives of this review were to determine the extent to which (1) small agencies are implementing federal information security and privacy laws and policies and (2) OMB and DHS are overseeing and assisting small agencies in implementing their information security and privacy programs. GAO selected six small agencies with varying characteristics for review; reviewed agency documents and selected systems; and interviewed agency, OMB, and DHS officials.
Recommendations
GAO recommends that OMB report on all small agencies' implementation of security and privacy requirements. GAO also recommends that DHS develop services and guidance targeted to small agencies' environments. GAO is making recommendations to the six agencies reviewed to address their information security and privacy weaknesses in a separate, restricted report. OMB and DHS generally concurred with the recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Department of Homeland Security | The Secretary of Homeland Security should, as part of the department's Small & Micro-Agency Cybersecurity Support Initiative, develop services and guidance targeted to small and micro agencies' environments. | In 2015 we verified that DHS, in response to our recommendation, developed services and guidance targeted to small and micro agencies' environments. For example, DHS established a collaboration portal for agency representatives, provided cybersecurity briefings, hosted regular conference calls, coordinated with the CISO Council, and increased the number of agency representatives for the US-CERT federal customer service.
Office of Management and Budget | To improve the consistency and effectiveness of government-wide implementation of information security programs and privacy requirements at small agencies, the Director of OMB should include in the annual report to Congress on agencies' implementation of the Federal Information Security Management Act (FISMA): a list of agencies that did not report on implementation of their information security programs. | OMB concurred with the recommendation but has not implemented it. In its most recent annual report, issued in March 2018, OMB did not identify the agencies that did not submit a report on implementation of their information security programs. OMB gave no indication that it intends to include such a list of agencies in its future annual reports.
Office of Management and Budget | To improve the consistency and effectiveness of government-wide implementation of information security programs and privacy requirements at small agencies, the Director of OMB should include in the annual report to Congress on agencies' implementation of FISMA: information on small agencies' implementation of privacy requirements. | In 2016 we verified that OMB, in response to our recommendation, included information on small agencies' implementation of privacy requirements in its annual report to Congress.