Information Security:

Opportunities for Improved OMB Oversight of Agency Practices

AIMD-96-110: Published: Sep 24, 1996. Publicly Released: Sep 24, 1996.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided a general overview of the adequacy of information security at 15 major federal agencies, focusing on: (1) recent reviews and self-audits of information security at these agencies; (2) the most significant information security weaknesses and their causes; and (3) the Office of Management and Budget's (OMB) oversight of federal agency practices and opportunities for improvement.

GAO found that: (1) recent audits and reviews indicate that weak information security is a serious governmentwide problem, with serious weaknesses reported for over two-thirds of the agencies reviewed; (2) commonly reported weaknesses include information access control problems and inadequate disaster planning; (3) at half of the agencies reviewed, information security problems remained uncorrected for 5 years or longer; (4) many agencies lack a well-managed information security program with senior management support; (5) although OMB has improved federal information security guidance and its monitoring of agency efforts to address identified weaknesses, the scope and depth of its oversight efforts vary considerably among agencies; (6) the information that OMB obtains on federal information security programs varies significantly in quality, quantity, and usefulness; (7) OMB could use expanded requirements under the Chief Financial Officers Act to further monitor agencies' information security programs and weaknesses; and (8) the recently established Chief Information Officers (CIO) Council can serve as a forum for addressing governmentwide information security issues.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In late 1997, the CIO Council formally declared information security as one of six priority areas and established a Security Committee to coordinate its plans to address some of the most prominent governmentwide problems--insufficient awareness of risks, inadequate technical training, and poor incident response capabilities. In addition, in May 1998, the President issued Presidential Decision Directive 63, which addresses federal information security from a national security perspective and imposes some new reporting requirements on federal agencies. As of late 1998, it was not clear how the new requirements specified in the Directive would be coordinated with ongoing CIO Council efforts. The other aspects of this recommendation have been subsumed under a new recommendation in GAO/AIMD-98-92, September 23, 1998.

    Recommendation: The Director, OMB, should advocate and promote the CIO Council's adoption of information security as one of its top priorities and development of a strategic plan for increasing awareness of the importance of information security, especially among senior agency executives and improving information security program management governmentwide. Initiatives the CIO Council should consider incorporating in its strategic plan include: (1) developing information on the existing security risks associated with nonclassified systems currently in use; (2) developing information on the risks associated with evolving practices, such as Internet use; (3) identifying best practices regarding information security programs so that they can be adopted by federal agencies; (4) establishing a program for reviewing the adequacy of individual agency information security programs using interagency teams of reviewers; (5) ensuring adequate review coverage of agency information security practices by considering the scope of various types of audits and reviews performed and acting to address any identified gaps in coverage; (6) developing or identifying training and certification programs that can be shared among agencies; and (7) identifying proven security tools and techniques.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: OMB has encouraged program examiners in its Resource Management Offices to make use of financial audit findings related to information security and other IRM issues. However, neither OMB nor the CIO Council, which OMB chairs, has taken steps to monitor: (1) the scope of information security audits performed; or (2) improvements or declines in security program effectiveness. These remaining aspects of this recommendation have been subsumed under a new recommendation issued in GAO/AIMD-98-92, September 23, 1998.

    Recommendation: The Director, OMB, should direct the Office of Information and Regulatory Affairs, the Office of Federal Financial Management, and the Resource Management Offices to: (1) supplement their current reviews of audit reports to include reviewing audits conducted under the Chief Financial Officers Act in order to identify any findings related to information security; and (2) use this information, in conjunction with reports on agency self assessments, to assist in proactively monitoring the scope of such reviews and the effectiveness of agency information security practices.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: OMB continues to focus its monitoring efforts on individual agency projects rather than general compliance with A-130. This is likely to continue, since OMB now views the CIO Council's security committee, of which OMB is an active participant, as the focal point for addressing governmentwide deficiencies. Also, OMB has encouraged the NIST-sponsored Federal Security Managers Forum to develop a standard format for agency security plans, which could make it somewhat easier for OMB and others to evaluate these plans, if agencies comply with the guidance. Future GAO efforts to evaluate oversight of agency practices and compliance with Circular A-130 will focus on both OMB and CIO Council efforts.

    Recommendation: The Director, OMB, should encourage the development of improved sources of information with which to monitor compliance with OMB guidance and the effectiveness of agency information security programs. This could include engaging assistance from private contractors or others with appropriate expertise, such as federally funded research and development centers.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: Since September 1996, OMB's annual training for program examiners has included some expanded emphasis on information technology issues, including information security. However, the emphasis is primarily on major investments in technology (new systems or enhancements) and the requirements of the Clinger-Cohen Act. OMB has not specifically encouraged its program examiners to examine agencies' overall security programs.

    Recommendation: The Director, OMB, should direct the Office of Information and Regulatory Affairs to develop and implement a program for increasing program examiners' understanding of information security management issues so that they can readily identify and understand the implications of information security weaknesses on agency programs.

    Agency Affected: Executive Office of the President: Office of Management and Budget
