Federal Chief Information Security Officers: Opportunities Exist to Improve Roles and Address Challenges to Authority
Highlights
What GAO Found
Under the Federal Information Security Modernization Act of 2014 (FISMA 2014), the agency chief information security officer (CISO) has the responsibility to ensure that the agency is meeting the requirements of the law, including developing, documenting, and implementing the agency-wide information security program. However, 13 of the 24 agencies GAO reviewed had not fully defined the role of their CISO in accordance with these requirements. For example, these agencies did not always identify a role for the CISO in ensuring that security controls are periodically tested; procedures are in place for detecting, reporting, and responding to security incidents; or contingency plans and procedures for agency information systems are in place. Thus, CISOs' ability to effectively oversee these agencies' information security activities can be limited.
The 24 CISOs GAO surveyed identified challenges that limited their authority to carry out their responsibilities to oversee information security activities. These challenges can impact agencies' ability to effectively manage information security risk. The table below shows the factors that CISOs reported as being the most challenging to their authority.
Extent to Which 24 Chief Information Security Officers Reported Factors as Challenging to Their Authority
Factor | Large extent | Moderate extent | Small extent | Not at all | No response |
---|---|---|---|---|---|
Competing priorities between operations and security | 6 | 12 | 4 | 2 | 0 |
Coordination with component organizations | 5 | 8 | 4 | 5 | 2 |
Coordination with other offices | 3 | 9 | 3 | 9 | 0 |
Availability of information from contractors | 4 | 8 | 10 | 2 | 0 |
Oversight of indirect reports | 6 | 6 | 6 | 6 | 0 |
Oversight of IT contractors | 4 | 8 | 6 | 6 | 0 |
Placement in organizational hierarchy | 5 | 5 | 5 | 9 | 0 |
Availability of information from component organizations | 5 | 4 | 10 | 5 | 0 |

Source: GAO analysis of survey data. | GAO-16-686
The 24 CISOs also reported that other factors posed challenges to their abilities to carry out their responsibilities effectively, including difficulties related to having sufficient staff; recruiting, hiring, and retaining security personnel; ensuring that security personnel have appropriate expertise and skills; and a lack of sufficient financial resources. Several government-wide activities are under way to address many of these challenges. However, while the Office of Management and Budget (OMB) has a statutory responsibility under FISMA 2014 to provide guidance on information security in federal agencies, it has not issued such guidance addressing how agencies should ensure that officials carry out their responsibilities and personnel are held accountable for complying with the agency-wide information security program. As a result, agencies lack clarity on how to ensure that their CISOs have adequate authority to effectively carry out their duties in the face of numerous challenges.
Why GAO Did This Study
Federal agencies face an ever-increasing array of cyber threats to their information systems and information. To address these threats, FISMA 2014 requires agencies to designate a CISO—a key position in agency efforts to manage information security risks.
GAO was asked to review current CISO authorities. This report identifies (1) the key responsibilities of federal CISOs established by federal law and guidance and the extent to which federal agencies have defined the role of the CISO in accordance with law and guidance and (2) key challenges of federal CISOs in fulfilling their responsibilities. GAO reviewed agency security policies, administered a survey to 24 CISOs, interviewed current CISOs, and spoke with officials from OMB.
Recommendations
GAO is making 33 recommendations to 13 agencies to fully define the role of their CISOs in accordance with FISMA 2014. Twelve of the 13 agencies concurred with the recommendations addressed to them. One agency partially concurred or did not concur with the recommendations directed to it. GAO continues to believe that these recommendations are valid and should be implemented as discussed in this report. GAO also recommends that OMB issue guidance for clarifying CISOs' roles in light of identified challenges. OMB partially concurred with the recommendation. GAO maintains that action is needed as discussed further in the report.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report. | The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2024, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation. |
Department of Commerce | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. | The Department of Commerce concurred with the recommendation. In fiscal year 2020, we confirmed that Commerce, in response to our recommendation, had defined the CISO's responsibilities for contingency planning in its Information Technology Security Baseline Policy. As a result, Commerce has greater assurance that its CISO can effectively ensure that information system contingency planning plans and procedures are in place, thereby increasing the likelihood that the department will be able to successfully recover its systems in a timely manner in the event of a service disruption. |
Department of Defense | To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained. | In 2018, we confirmed that the Department of Defense (DOD) developed guidance that defines the role of the senior information security officer (SISO) in ensuring that information security policies and procedures were developed and maintained. Specifically, the policy requires the SISO to develop and publish implementation guidance and validation procedures for relevant security controls. This requirement provides the department with increased assurance that its SISO can effectively reduce information security risks through consistently applied security practices. |
Department of Defense | To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting. | In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation. In October 2023, we confirmed that DOD, in response to our recommendation, had defined the SISO's role for ensuring that the department has procedures for incident detection, response, and reporting. Specifically, it issued its Cyber Incident Response policy, which states that the SISO (now called the Chief Information Security Officer, or CISO) is responsible for developing and maintaining the department's cyber incident response policy and providing cyber incident response implementation guidance and procedures, among other things. As a result, DOD has helped its CISO better ensure that the department's information and information systems are adequately protected from cyber attacks. |
Department of Defense | To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf. | In response to our report, the Department of Defense (DOD) partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation, stating that the department's SISO developed and maintains issuances providing direction to DOD components on oversight of contractor system security. In December 2019, we confirmed that DOD, in response to our recommendation, had defined the SISO's role in oversight of security for information systems that are operated by contractors on the department's behalf. Specifically, it updated DOD Instruction 8582.01, "Security of Non-DOD Systems Processing Unclassified Information," to specify that the DOD SISO is responsible for overseeing the implementation of the instruction. |
Department of Energy | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems. | In fiscal year 2020, we confirmed that the Department of Energy (DOE), in response to our recommendation, had updated its Cybersecurity Program policy to define the role of the department's Chief Information Security Officer (CISO) in ensuring that subordinate security plans are documented for its information systems. As a result, DOE has greater assurance that its CISO can effectively ensure that the agency's officials are aware of system security requirements and whether controls are in place. |
Department of Energy | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training. | In fiscal year 2020, we confirmed that the Department of Energy (DOE), in response to our recommendation, had updated its Cybersecurity Program policy to define the role of the department's Chief Information Security Officer (CISO) in ensuring that all users receive information security awareness training. By taking this action, DOE has greater assurance that the CISO is well equipped to ensure that agency personnel have a basic understanding of information security requirements to protect the systems they use. |
Department of Energy | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning, implementing, evaluating, and documenting remedial actions. | In fiscal year 2020, we confirmed that the Department of Energy (DOE), in response to our recommendation, had updated its Cybersecurity Program policy to define the role of the department's Chief Information Security Officer (CISO) in ensuring that the department has a process for planning, implementing, evaluating, and documenting remedial actions. By defining the CISO's role in ensuring that the agency has remediation processes, DOE has increased assurance that its CISO can ensure that control weaknesses affecting the agency's information and information systems are being corrected and addressed in a timely manner. |
Department of Energy | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. | In fiscal year 2020, we confirmed that the Department of Energy (DOE), in response to our recommendation, had updated its Cybersecurity Program policy to define the role of the department's Chief Information Security Officer (CISO) in ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. As a result, DOE has greater assurance that its CISO can effectively ensure that information system contingency planning plans and procedures are in place, thereby increasing the likelihood that the department will be able to successfully recover its systems in a timely manner in the event of a service disruption. |
Department of Energy | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf. | The Department of Energy (DOE) concurred with the recommendation. In fiscal year 2020, we confirmed that DOE, in response to our recommendation, had updated its Enterprise Cybersecurity Program Plan to define the role of the department's CISO for oversight of security for information systems that are operated by contractors on the department's behalf. As a result, DOE has greater assurance that weaknesses in contractor-operated systems will be detected and resolved. |
Department of Energy | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems. | In fiscal year 2020, we confirmed that the Department of Energy (DOE), in response to our recommendation, had updated its Cybersecurity Program policy to define the role of the department's Chief Information Security Officer (CISO) in the periodic authorization of the department's information systems. As a result, DOE has greater assurance that system authorization decisions appropriately consider the information security risks affecting the department. |
Department of Health and Human Services | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. | The Department of Health and Human Services (HHS) concurred with our recommendation. In fiscal year 2020, we confirmed that HHS had defined the role of the agency chief information security officer (CISO) with respect to ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. As a result, HHS has greater assurance that its CISO can effectively ensure that information system contingency planning plans and procedures are in place, increasing the likelihood that the department will be able to successfully recover its systems in a timely manner in the event of a service disruption. |
Department of the Interior | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems. | In fiscal year 2017, we verified that Interior, in response to our recommendation, defined the Chief Information Security Officer's (CISO's) role in department policy for ensuring that subordinate security plans are documented for the department's information systems. |
Department of the Interior | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. | In fiscal year 2017, we verified that Interior, in response to our recommendation, defined the Chief Information Security Officer's (CISO's) role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. |
Department of the Interior | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf. | In fiscal year 2017, we verified that Interior, in response to our recommendation, defined the Chief Information Security Officer's (CISO's) role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf. |
Department of the Interior | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy in the periodic authorization of the department's information systems. | In fiscal year 2017, we verified that Interior, in response to our recommendation, defined the Chief Information Security Officer's (CISO's) role in department policy in the periodic authorization of the department's information systems. |
Department of Justice | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that information security policies and procedures are developed and maintained. | In 2017, we confirmed that the Department of Justice (DOJ), in response to our recommendation, updated its DOJ Order 0904 to include the Chief Information Security Officer's (CISO's) role in developing, implementing, and maintaining DOJ-wide cyber security policy and procedures. |
Department of Justice | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. | In 2017, we confirmed that the Department of Justice (DOJ), in response to our recommendation, updated its DOJ Order 0904 to include the Chief Information Security Officer's (CISO's) role in reviewing and approving DOJ system contingency plans and test results. |
Department of State | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting. | The Department of State (State) concurred with this recommendation. In April 2023, we confirmed that State, in response to our recommendation, had defined the CISO's role for ensuring that the department has procedures for incident detection, response, and reporting. Specifically, it documented that its Enterprise CISO in the Bureau of Information Resource Management is responsible for overseeing the department's agency-wide information security program and for ensuring the department's compliance with the provisions of the Federal Information Security Modernization Act of 2014, which includes incident detection, response, and reporting. As a result, State has helped its CISO better ensure that the department's information and information systems are adequately protected from cyber attacks. |
Department of Transportation | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems. | The Department of Transportation (DOT) concurred with the recommendation and stated that it was updating its Cybersecurity Policy, with planned completion of actions to address this recommendation by December 31, 2021. As of June 2024, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation. |
Department of Transportation | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically. | The Department of Transportation (DOT) concurred with the recommendation and updated its Cybersecurity Policy. In June 2024, we confirmed that DOT, in response to our recommendation, had defined the Chief Information Security Officer's (CISO's) role in department policy for ensuring that security controls are tested periodically. |
Department of the Treasury | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems. | In fiscal year 2017, we verified that Treasury, in response to our recommendation, defined the role for the Chief Information Security Officer (CISO) in ensuring that plans for providing security for information systems were in place. |
Department of the Treasury | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that all users receive information security awareness training. | In fiscal year 2017, we verified that Treasury, in response to our recommendation, defined the role for the Chief Information Security Officer (CISO) in ensuring that all employees received security awareness training. |
Department of the Treasury | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that security controls are tested periodically. | In fiscal year 2017, we verified that Treasury, in response to our recommendation, defined the role for the Chief Information Security Officer (CISO) in ensuring that security controls are tested periodically in accordance with FISMA and NIST guidance. |
Department of the Treasury | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. | In fiscal year 2017, we verified that Treasury, in response to our recommendation, defined the role for the Chief Information Security Officer (CISO) in ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption. |
Department of the Treasury | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that personnel with significant security responsibilities receive appropriate training. | In fiscal year 2017, we verified that Treasury, in response to our recommendation, defined the role for the Chief Information Security Officer (CISO) in ensuring that personnel with significant information security responsibilities were trained. |
Department of the Treasury | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf. | In fiscal year 2017, we verified that Treasury, in response to our recommendation, defined the role for the Chief Information Security Officer (CISO) in department policy for oversight of security for information systems that are operated by contractors on the department's behalf. |
Department of the Treasury | To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy in the periodic authorization of the department's information systems. | In fiscal year 2017, we verified that Treasury, in response to our recommendation, defined the role for the Chief Information Security Officer (CISO) in ensuring that information systems are authorized to operate in accordance with federal requirements. |
Environmental Protection Agency | To ensure that the role of the senior agency information security officer (SAISO) is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that subordinate security plans are documented for the agency's information systems. | In fiscal year 2017, we verified that the Environmental Protection Agency (EPA), in response to our recommendation, defined the Senior Agency Information Security Officer's (SAISO's) role in agency policy for ensuring that subordinate security plans are documented for the agency's information systems. |
Environmental Protection Agency | To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the agency's information systems in the event of a disruption. | The Environmental Protection Agency (EPA) concurred with our recommendation. In fiscal year 2020, we confirmed that EPA, in response to our recommendation, had updated its Security Assessment and Authorization Procedures to define the role of the agency's Senior Agency Information Security Officer (SAISO) in ensuring that plans and procedures are in place to ensure recovery and continued operations of the agency's information systems in the event of a disruption. As a result, EPA has greater assurance that its SAISO can effectively ensure that information system contingency planning plans and procedures are in place, thereby increasing the likelihood that the agency will be able to successfully recover its systems in a timely manner in the event of a service disruption. |
Environmental Protection Agency | To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy in the periodic authorization of the agency's information systems. | In 2017, we confirmed that the Environmental Protection Agency (EPA), in response to our recommendation, updated its Security Assessment and Authorization Procedures to include a role for the Senior Agency Information Security Officer (SAISO) in the authorization process. Specifically, it requires that assessments be conducted in accordance with the latest version of NIST SP 800-53. Further, the policy requires the SAISO to determine the frequency of security control assessments under continuous monitoring guidelines beyond agency standards, as well as any controls that may need additional attention to improve effectiveness. |
National Aeronautics and Space Administration | To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf. | The National Aeronautics and Space Administration (NASA) concurred with our recommendation. In September 2022, we confirmed that NASA, in response to our recommendation, had defined the SAISO's role for overseeing security of information systems that are operated by contractors on the agency's behalf. Specifically, it updated NASA Procedural Requirement 2810.1, "Security of Information and Information Systems," to indicate that the NASA SAISO is responsible for establishing the agency's Cybersecurity and Privacy Program, which covers all unclassified NASA information and information systems, including contractor-operated systems. |
Small Business Administration | To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training. | The Small Business Administration (SBA) concurred with our recommendation and updated its Information Technology Security Policy to require the SBA CISO to ensure that individuals with significant security responsibilities receive applicable privacy and security awareness training to carry out their duties. |
U.S. Agency for International Development | To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the U.S. Agency for International Development should define the CISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf. | In fiscal year 2017, we verified that the United States Agency for International Development (USAID), in response to our recommendation, defined the Chief Information Security Officer's (CISO's) role to include contractor system security oversight in its CISO appointment letter. |