Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices

Abstract

GAO first designated federal information security as a governmentwide high-risk area 20 years ago. First enacted in 2002, FISMA required federal agencies to develop, document, and implement information security programs and have independent evaluations of those programs and practices. As amended in 2014, FISMA assigns responsibilities to OMB, DHS, and NIST.

FISMA also includes a provision for GAO to periodically report to Congress on agencies’ information security. The objectives of this review are to evaluate (1) the adequacy and effectiveness of agencies’ information security policies and practices and (2) the extent to which agencies with governmentwide responsibilities have implemented their requirements under FISMA. GAO categorized information security-related weaknesses reported by the 24 CFO Act agencies, their IGs, and OMB according to the control areas defined in the Federal Information System Controls Audit Manual; reviewed prior GAO work; examined OMB, DHS, and NIST documents; and interviewed agency officials.

What GAO Recommends

GAO recommends that OMB, in consultation with DHS and others, develop a plan and schedule to evaluate whether full implementation of the capability maturity model developed by the Council of the Inspectors General on Integrity and Efficiency ensures that consistent and comparable results are achieved across all federal agencies. OMB generally concurred with the recommendation.

Document Date: Nov 1, 2017

Author (organization): Government Accountability Office (GAO)

Document type: Report

Interests: Cybersecurity