Information Security: Agencies Need to Implement Consistent Processes in Authorizing Systems for Operation

GAO-04-376: Published: Jun 28, 2004. Publicly Released: Jul 28, 2004.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

The Office of Management and Budget (OMB) requires agencies to certify the security controls of their information systems and to formally authorize and accept the risk associated with their operation (a process known as accreditation). These processes support requirements of the Federal Information Security Management Act of 2002 (FISMA). Further, OMB requires agencies to report the number of systems authorized following certification and accreditation as one of the key FISMA performance measures. In response to a congressional request, GAO (1) identified existing governmentwide requirements and guidelines for certifying and accrediting information systems, (2) determined the extent to which agencies have reported their systems as certified and accredited, and (3) assessed whether their processes provide consistent, comparable results and adequate information for authorizing officials.

The National Institute of Standards and Technology (NIST) and other agencies, including the Department of Defense, have provided guidance for the certification and accreditation of federal information systems. This guidance includes new guidelines just issued by NIST, which emphasize a model of continuous monitoring, as well as compliance with FISMA-required standards for minimum security controls. Many agencies report that they have begun to use the new guidance in their certification and accreditation processes. The reported percentage of systems certified and accredited for operation as of the first half of 2004 was 63 percent for 24 major federal agencies. However, the picture is not uniform across the government, with 7 of the agencies reporting greater than 90 percent of their systems certified and accredited but 6 reporting fewer than half. GAO's analyses also highlighted instances in which agencies do not consistently report FISMA performance measurement data, as well as other factors that lessen the usefulness of these data, such as the limited assurance of data reliability and quality. All the agencies GAO surveyed reported that their certification and accreditation processes met criteria consistent with those identified in federal guidance, such as a current risk assessment and security control evaluation. However, GAO's review of documentation for the certification and accreditation of 32 selected systems at four of these agencies showed that these criteria were not always met--results similar to those found by agency inspectors general. Further, three of these four agencies did not have routine quality review processes to determine whether such criteria are met--processes that could help agency accrediting officials receive consistent information on which to base their decisions. Several agencies cited obstacles in implementing their certification and accreditation processes, including resource and staffing limitations. Some agencies have taken actions to improve their processes, such as redefining system boundaries to better manage systems.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In its FY 2007 FISMA reporting template, dated July 25, 2007, OMB required agencies to report on the number of systems that have been certified and accredited by risk category.

    Recommendation: To improve the consistency and reliability of agency FISMA reporting for administration and congressional oversight, the OMB Director should consider changes to OMB's FISMA reporting guidance that would require reporting on key aspects of agencies' certification and accreditation processes and efforts, such as how agencies ensure the quality and consistency of their certifications and accreditations and the status of their efforts according to levels of risk or impact established for their systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: In its FY 2006 FISMA reporting guidance, dated July 17, 2006, OMB added guidance that provided additional clarification that agencies include all agency national security systems when completing the FISMA report and that only systems granted a full and final authorization to operate are to be considered certified and accredited.

    Recommendation: To improve the consistency and reliability of agency FISMA reporting for administration and congressional oversight, the OMB Director should consider changes to OMB's FISMA reporting guidance that would provide additional clarification that national security systems are to be reflected in reporting performance measurement data and that only systems granted full authorization to operate should be considered in reporting the number of systems certified and accredited.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In its FY 2007 FISMA reporting guidance, dated July 25, 2007, OMB added guidance which states that the necessary depth and breadth of an annual FISMA review will vary based on risk and system impact level and, in order to ensure the agencies' certification and accreditation process is dynamic and responsive, agencies should develop an enterprise-wide strategy for selecting subsets of their security controls to be monitored on an ongoing basis to ensure all controls are assessed during the three-year accreditation cycle.

    Recommendation: To help ensure that federal agencies' certification and accreditation processes consistently provide adequate and effective security controls in their information systems, the Director of the Office of Management and Budget should revise policy and guidance on the security of automated information resources to require federal agencies to ensure that periodic testing and evaluation of information security controls, as required by FISMA, include assessing the quality of security certifications and accreditations to facilitate decisions that are based on consistent consideration of key criteria outlined in federal guidance, including a current risk assessment, appropriate control testing and evaluation, a tested contingency plan, and the identification of the specific residual risk being accepted.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: In its FY 2007 FISMA reporting guidance, dated July 25, 2007, OMB added guidance directing federal agencies to implement security certification and accreditation processes consistent with NIST guidance, including NIST Special Publication 800-37 and Federal Information Processing Standards 199.

    Recommendation: To help ensure that federal agencies' certification and accreditation processes consistently provide adequate and effective security controls in their information systems, the Director of the Office of Management and Budget should revise policy and guidance on the security of automated information resources to require federal agencies to continue to implement security certification and accreditation processes consistent with guidance and standards issued by NIST for non-national security systems, including specific reference to the new certification and accreditation guidance as well as FISMA-required standards such as those for system security categorization and minimum security controls.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  5. Status: Closed - Implemented

    Comments: In its FY 2007 FISMA reporting template, dated July 25, 2007, OMB included a question which required agency IGs to evaluate the certification and accreditation process. The qualitative assessments of the process allow the IG to rate its agency's certification and accreditation process using the terms "excellent," "good," "satisfactory," "poor," or "failing".

    Recommendation: To improve the consistency and reliability of agency FISMA reporting for administration and congressional oversight, the OMB Director should consider changes to OMB's FISMA reporting guidance that would encourage the Inspectors General (IGs) to assess agency FISMA reporting processes and test agency-reported performance data as part of their FISMA-mandated independent evaluations; for example, the IGs could review the quality of agency certifications and accreditations for the subset of systems they evaluate to determine whether they meet appropriate criteria and determine whether such information is accurately reflected in the agencies' compilation of related performance measures.

    Agency Affected: Executive Office of the President: Office of Management and Budget
