Information Security: Additional Actions Needed to Fully Implement Reform Legislation

GAO-02-407: Published: May 2, 2002. Publicly Released: May 2, 2002.

Contact:

Gregory C. Wilshusen
(202) 512-3317
contact@gao.gov


In March, GAO testified on the federal government's fiscal-year implementation of legislative provisions for government information security reform. (See GAO-02-470T.) GAO reported that implementation of the reforms addresses serious, pervasive information security weaknesses. GAO also noted the Office of Management and Budget needs to (1) further guide agencies and encourage them to implement the reform provision requirements and (2) provide Congress with the information it needs for overseeing agencies' implementation, compliance, and corrective actions, as well as for its related budget deliberations.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: OMB developed and included high-level management performance measures in its fiscal year 2002 reporting instructions to agencies on Government Information Security Reform, issued July 2, 2002.

    Recommendation: To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of the Office of Management and Budget (OMB) should direct his staff to provide additional guidance on appropriate performance measures to enable the agencies to better determine and report their progress in implementing the security requirements.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: OMB provided guidance to agencies to assist them in determining their security costs in section 53 of Circular A-11, fiscal year 2004 budget guidance, issued June 26, 2002. OMB referred agencies to this guidance in its reporting instructions for Government Information Security Reform, issued July 2, 2002.

    Recommendation: To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of OMB should direct his staff to provide additional guidance on more specific definitions and examples of information-security-related costs to enable the agencies to more consistently identify, track, and report these costs.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In its fiscal year 2002 Government Information Security Reform reporting instructions, OMB provided additional information to agencies on the level of review required for individual systems. This guidance stressed that all systems must be reviewed annually and that the depth and breadth of review depends on factors such as the risk associated with a system and its data, the comprehensiveness of prior review, and the adequacy and successful implementation of the agency's corrective action plan. A performance measure provided in this guidance also asks that agencies report the number of systems for which security controls have been evaluated in the past year.

    Recommendation: To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of OMB should direct his staff to provide additional guidance on a more detailed description of the required scope of the annual management reviews regarding the extent to which (1) systems must be reviewed annually and (2) security controls must be tested and evaluated as part of this review process.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: In its July 2002 Government Information Security Reform guidance on security plans of action and milestones (corrective action plans), OMB authorized agencies to release the following information, as requested, from these plans to the Congress: the type of weakness, key milestones, any milestone changes, the source of the reported weakness, and the status of the weakness. An OMB official stated that agencies should also provide quarterly update information, as requested, to the Congress.

    Recommendation: To enhance oversight of federal information security by Congress and its related budget deliberations, the Director of OMB should authorize the heads of federal departments and agencies to release information from their corrective action plans to the Congress and GAO that would (1) identify specific weaknesses to be addressed, their relative priority, the actions to be taken, and the timeframes for completing these actions and (2) provide their quarterly updates on the status of completing these actions.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  5. Status: Closed - Implemented

    Comments: OMB permits agencies to choose to report required information on national security systems in aggregate with, or separate from, the agencies' non-national security systems. In its annual reports to the Congress on FISMA implementation, OMB combines and summarizes agency reported information for national security and non-national security systems together.

    Recommendation: To enhance oversight of federal information security by Congress and its related budget deliberations, the Director of OMB should provide Congress with appropriate summary information on the results of the audits of the evaluations for information security programs for national security systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  6. Status: Closed - Implemented

    Comments: OMB's July 2002 reporting instructions to the agencies included reporting areas and high-level performance measures that should help ensure agencies consistently report their progress in implementing government information security reform requirements. Issued in May 2003, OMB's fiscal year 2002 report to the Congress provided updates on actions to address previously identified governmentwide weaknesses, identified new challenges, reported results for key performance indicators, and provided individual summaries for large agencies that indicated the status of agencies' efforts to implement government information security reform requirements.

    Recommendation: To enhance oversight of federal information security by the Congress and its related budget deliberations, the Director of OMB should, in addition to the information currently reported, explicitly identify in future OMB annual reports to Congress the overall status of agencies' efforts to implement each of the information security program requirements specified by the reform provisions.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  7. Status: Closed - Implemented

    Comments: OMB's July 2002 reporting instructions to the agencies specifically encourage that inspector general independent evaluations be a representative sampling of agency systems, which would include both financial and nonfinancial systems.

    Recommendation: In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to appropriately consider both financial and nonfinancial systems in selecting the subset of systems for testing information security control techniques during their annual independent evaluations.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  8. Status: Closed - Implemented

    Comments: OMB reporting instructions provided to the agencies in July 2002 ask the inspectors general (IGs) to verify that agency corrective action plans are developed, implemented, and managed. In addition, OMB asked that the IGs verify that agency corrective action plans identify all known security weaknesses in an agency.

    Recommendation: In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to provide an independent assessment of agencies' corrective action plans in their future evaluations.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  9. Status: Closed - Implemented

    Comments: OMB's Government Information Security Reform reporting instructions encouraged the inspectors general to maximize resources by using, where appropriate, other reports, audits, and evaluations conducted during the reporting period; and by partnering with other inspectors general or agency employees to enhance expertise.

    Recommendation: In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to obtain appropriate resources to support these evaluations and their other information security audit needs.

    Agency Affected: Executive Office of the President: Office of Management and Budget
