ACT-IAC: Where government and industry leaders collaborate.

GAO Reports Information Security Weaknesses Continue


GAO first designated federal information security as a governmentwide high-risk area 20 years ago. First enacted in 2002, FISMA required federal agencies to develop, document, and implement information security programs and have independent evaluations of those programs and practices. As amended in 2014, FISMA assigns responsibilities to OMB, DHS, and NIST.

FISMA also includes a provision for GAO to periodically report to Congress on agencies’ information security. The objectives of this review are to evaluate (1) the adequacy and effectiveness of agencies’ information security policies and practices and (2) the extent to which agencies with governmentwide responsibilities have implemented their requirements under FISMA. GAO categorized information security-related weaknesses reported by the 24 CFO Act agencies, their IGs, and OMB according to the control areas defined in the Federal Information System Controls Audit Manual; reviewed prior GAO work; examined OMB, DHS, and NIST documents; and interviewed agency officials.

What GAO Recommends

GAO recommends that OMB, in consultation with DHS and others, develop a plan and schedule to evaluate whether the full implementation of the capability maturity model developed by the Council of the Inspectors General on Integrity and Efficiency ensures that consistent and comparable results are achieved across all federal agencies. OMB generally concurred with the recommendation.


Events and Forums

Tuesday, November 28, 2017 - 10:00am to 11:00am

Wednesday, November 29, 2017 - 9:30am to 11:30am

Wednesday, November 29, 2017 - 3:30pm to 7:00pm

Tuesday, December 12, 2017 - 9:00am to 10:00am