Information Security: Additional Actions Needed to Fully Implement Reform Legislation
GAO-02-407
Published: May 02, 2002. Publicly Released: May 02, 2002.
Highlights
In March 2002, GAO testified on the federal government's first-year implementation of legislative provisions for government information security reform (see GAO-02-470T). GAO reported that implementing the reform provisions is helping agencies address serious, pervasive information security weaknesses. GAO also noted that the Office of Management and Budget (OMB) needs to (1) provide agencies with further guidance and encourage them to implement the reform provision requirements and (2) provide Congress with the information it needs to oversee agencies' implementation, compliance, and corrective actions, as well as to support its related budget deliberations.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of the Office of Management and Budget (OMB) should direct his staff to provide additional guidance on appropriate performance measures to enable the agencies to better determine and report their progress in implementing the security requirements. | OMB developed and included high-level management performance measures in its fiscal year 2002 reporting instructions to agencies on Government Information Security Reform, issued July 2, 2002. |
Office of Management and Budget | To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of OMB should direct his staff to provide additional guidance on more specific definitions and examples of information-security-related costs to enable the agencies to more consistently identify, track, and report these costs. | OMB provided guidance to agencies to assist them in determining their security costs in section 53 of Circular A-11, fiscal year 2004 budget guidance, issued June 26, 2002. OMB referred agencies to this guidance in its reporting instructions for Government Information Security Reform, issued July 2, 2002. |
Office of Management and Budget | To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of OMB should direct his staff to provide additional guidance on a more detailed description of the required scope of the annual management reviews regarding the extent to which (1) systems must be reviewed annually and (2) security controls must be tested and evaluated as part of this review process. | In its fiscal year 2002 Government Information Security Reform reporting instructions, OMB provided additional information to agencies on the level of review required for individual systems. This guidance stressed that all systems must be reviewed annually and that the depth and breadth of review depends on factors such as the risk associated with a system and its data, the comprehensiveness of prior reviews, and the adequacy and successful implementation of the agency's corrective action plan. A performance measure provided in this guidance also asks that agencies report the number of systems for which security controls have been evaluated in the past year. |
Office of Management and Budget | To enhance oversight of federal information security by Congress and its related budget deliberations, the Director of OMB should authorize the heads of federal departments and agencies to release information from their corrective action plans to the Congress and GAO that would (1) identify specific weaknesses to be addressed, their relative priority, the actions to be taken, and the timeframes for completing these actions and (2) provide their quarterly updates on the status of completing these actions. | In its July 2002 Government Information Security Reform guidance on security plans of action and milestones (corrective action plans), OMB authorized agencies to release the following information, as requested, from these plans to the Congress: the type of weakness, key milestones, any milestone changes, the source of the reported weakness, and the status of the weakness. An OMB official stated that agencies should also provide quarterly update information, as requested, to the Congress. |
Office of Management and Budget | To enhance oversight of federal information security by Congress and its related budget deliberations, the Director of OMB should provide Congress with appropriate summary information on the results of the audits of the evaluations for information security programs for national security systems. | OMB permits agencies to choose to report required information on national security systems either in aggregate with, or separately from, the agencies' non-national security systems. In its annual reports to the Congress on FISMA implementation, OMB combines and summarizes agency-reported information for national security and non-national security systems together. |
Office of Management and Budget | To enhance oversight of federal information security by the Congress and its related budget deliberations, the Director of OMB should, in addition to the information currently reported, explicitly identify in future OMB annual reports to Congress the overall status of agencies' efforts to implement each of the information security program requirements specified by the reform provisions. | OMB's July 2002 reporting instructions to the agencies included reporting areas and high-level performance measures that should help ensure agencies consistently report their progress in implementing government information security reform requirements. Issued in May 2003, OMB's fiscal year 2002 report to the Congress provided updates on actions to address previously identified governmentwide weaknesses, identified new challenges, reported results for key performance indicators, and provided individual summaries for large agencies that indicated the status of agencies' efforts to implement government information security reform requirements. |
Office of Management and Budget | In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to appropriately consider both financial and nonfinancial systems in selecting the subset of systems for testing information security control techniques during their annual independent evaluations. | OMB's July 2002 reporting instructions to the agencies specifically encourage that inspector general independent evaluations be a representative sampling of agency systems, which would include both financial and nonfinancial systems. |
Office of Management and Budget | In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to provide an independent assessment of agencies' corrective action plans in their future evaluations. | OMB reporting instructions provided to the agencies in July 2002 ask the inspectors general (IGs) to verify that agency corrective action plans are developed, implemented, and managed. In addition, OMB asked that the IGs verify that agency corrective action plans identify all known security weaknesses in an agency. |
Office of Management and Budget | In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to obtain appropriate resources to support these evaluations and their other information security audit needs. | OMB's Government Information Security Reform reporting instructions encouraged the inspectors general to maximize resources by using, where appropriate, other reports, audits, and evaluations conducted during the reporting period, and by partnering with other inspectors general or agency employees to enhance expertise. |
GAO Contacts
Gregory C. Wilshusen
Director
Information Technology and Cybersecurity
Topics
Computer security, Information resources management, Information security, Strategic planning, Government reform, National security, Chief information officers, Critical infrastructure protection, Federal agencies, Congressional oversight