Comments on the Proposed Federal Information Security Management Act of 2002
GAO-02-677T: Published: May 2, 2002. Publicly Released: May 2, 2002.
The Federal Information Security Management Act of 2002 reauthorizes and expands the information security, evaluation, and reporting requirements enacted in the National Defense Authorization Act for Fiscal Year 2001. Concerned that pervasive information security weaknesses place federal operations at significant risk of disruption, tampering, fraud, and inappropriate disclosure of sensitive information, Congress enacted the Government Information Security Reform Act (GISRA) to provide more effective oversight. The Federal Information Security Management Act also changes and clarifies information security issues noted during the first year of GISRA implementation. In particular, the bill requires the development of, promulgation of, and compliance with minimum mandatory management controls for securing information and information systems; requires annual agency reporting to both the Office of Management and Budget and the Comptroller General; and defines the evaluation responsibilities for national security systems. To ensure that information security receives appropriate attention and resources and that known deficiencies are addressed, it will be necessary to delineate the roles and responsibilities of the numerous entities involved; obtain adequate technical expertise to select, implement, and maintain controls; and allocate enough agency resources to information security.