Federal Chief Information Security Officers:

Opportunities Exist to Improve Roles and Address Challenges to Authority

GAO-16-686: Published: Aug 26, 2016. Publicly Released: Sep 15, 2016.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Under the Federal Information Security Modernization Act of 2014 (FISMA 2014), the agency chief information security officer (CISO) has the responsibility to ensure that the agency is meeting the requirements of the law, including developing, documenting, and implementing the agency-wide information security program. However, 13 of the 24 agencies GAO reviewed had not fully defined the role of their CISO in accordance with these requirements. For example, these agencies did not always identify a role for the CISO in ensuring that security controls are periodically tested; procedures are in place for detecting, reporting, and responding to security incidents; or contingency plans and procedures for agency information systems are in place. Thus, CISOs' ability to effectively oversee these agencies' information security activities can be limited.

The 24 CISOs GAO surveyed identified challenges that limited their authority to carry out their responsibilities to oversee information security activities. These challenges can impact agencies' ability to effectively manage information security risk. The table below shows the factors that CISOs reported as being the most challenging to their authority.

Extent to Which 24 Chief Information Security Officers Reported Factors as Challenging to Their Authority (number of CISOs, out of 24)

Factor                                                      Large extent  Moderate extent  Small extent  Not at all  No response
Competing priorities between operations and security                   6               12             4           2            0
Coordination with component organizations                              5                8             4           5            2
Coordination with other offices                                        3                9             3           9            0
Availability of information from contractors                           4                8            10           2            0
Oversight of indirect reports                                          6                6             6           6            0
Oversight of IT contractors                                            4                8             6           6            0
Placement in organizational hierarchy                                  5                5             5           9            0
Availability of information from component organizations               5                4            10           5            0

Source: GAO analysis of survey data. | GAO-16-686

The 24 CISOs also reported that other factors posed challenges to their abilities to carry out their responsibilities effectively, including difficulties related to having sufficient staff; recruiting, hiring, and retaining security personnel; ensuring that security personnel have appropriate expertise and skills; and a lack of sufficient financial resources. Several government-wide activities are under way to address many of these challenges. However, while the Office of Management and Budget (OMB) has a statutory responsibility under FISMA 2014 to provide guidance on information security in federal agencies, it has not issued such guidance addressing how agencies should ensure that officials carry out their responsibilities and personnel are held accountable for complying with the agency-wide information security program. As a result, agencies lack clarity on how to ensure that their CISOs have adequate authority to effectively carry out their duties in the face of numerous challenges.

Why GAO Did This Study

Federal agencies face an ever-increasing array of cyber threats to their information systems and information. To address these threats, FISMA 2014 requires agencies to designate a CISO—a key position in agency efforts to manage information security risks.

GAO was asked to review current CISO authorities. This report identifies (1) the key responsibilities of federal CISOs established by federal law and guidance and the extent to which federal agencies have defined the role of the CISO in accordance with law and guidance and (2) key challenges of federal CISOs in fulfilling their responsibilities. GAO reviewed agency security policies, administered a survey to 24 CISOs, interviewed current CISOs, and spoke with officials from OMB.

What GAO Recommends

GAO is making 33 recommendations to 13 agencies to fully define the role of their CISOs in accordance with FISMA 2014. Twelve of the 13 agencies concurred with the recommendations addressed to them. One agency partially concurred or did not concur with the recommendations directed to it. GAO continues to believe that these recommendations are valid and should be implemented as discussed in this report. GAO also recommends that OMB issue guidance for clarifying CISOs' roles in light of identified challenges. OMB partially concurred with the recommendation. GAO maintains that action is needed as discussed further in the report.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: In comments on a draft of our report, OMB partially concurred with our recommendation. We plan to follow up.

    Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with the FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency Affected: Department of Commerce

  3. Status: Open

    Comments: In comments on a draft of our report, the Department did not concur with our recommendation. In its response to our final report, the Department stated that its overall position on the report had not changed, and indicated that the Department would continue to review and update the responsibilities of the DOD Senior Information Security Officer as appropriate. We plan to follow up.

    Recommendation: To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency Affected: Department of Defense

  4. Status: Open

    Comments: In comments on a draft of our report, the Department partially concurred with our recommendation. In its response to our final report, the Department stated that its overall position on the report had not changed, and indicated that the Department would continue to review and update the responsibilities of the DOD Senior Information Security Officer as appropriate. We plan to follow up.

    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency Affected: Department of Defense

  5. Status: Open

    Comments: In comments on a draft of our report, the Department partially concurred with our recommendation. In its response to our final report, the Department stated that its overall position on the report had not changed, and indicated that the Department would continue to review and update the responsibilities of the DOD Senior Information Security Officer as appropriate. We plan to follow up.

    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency Affected: Department of Defense

  6. Status: Open

    Comments: In comments on a draft of our report, the Department stated that it concurred in principle with our recommendation. We plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency Affected: Department of Energy

  7. Status: Open

    Comments: In comments on a draft of our report, the Department stated that it concurred in principle with our recommendation. We plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency Affected: Department of Energy

  8. Status: Open

    Comments: In comments on a draft of our report, the Department stated that it concurred in principle with our recommendation. We plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning, implementing, evaluating, and documenting remedial actions.

    Agency Affected: Department of Energy

  9. Status: Open

    Comments: In comments on a draft of our report, the Department stated that it concurred in principle with our recommendation. We plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency Affected: Department of Energy

  10. Status: Open

    Comments: In comments on a draft of our report, the Department stated that it concurred in principle with our recommendation. We plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency Affected: Department of Energy

  11. Status: Open

    Comments: In comments on a draft of our report, the Department stated that it concurred in principle with our recommendation. We plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency Affected: Department of Energy

  12. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency Affected: Department of Health and Human Services

  13. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency Affected: Department of the Interior

  14. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency Affected: Department of the Interior

  15. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency Affected: Department of the Interior

  16. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Interior should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency Affected: Department of the Interior

  17. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency Affected: Department of Justice

  18. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency Affected: Department of Justice

  19. Status: Open

    Comments: In comments on a draft of our report, State said it concurred with our finding and planned to correct agency guidance. We intend to follow up on this.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency Affected: Department of State

  20. Status: Open

    Comments: In its response to our final report, the Department concurred with our recommendation and stated that it plans to complete actions to address our recommendation by June 30, 2017. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency Affected: Department of Transportation

  21. Status: Open

    Comments: In its response to our final report, the Department concurred with our recommendation and stated that it plans to complete actions to address our recommendation by June 30, 2017. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency Affected: Department of Transportation

  22. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency Affected: Department of the Treasury

  23. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency Affected: Department of the Treasury

  24. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency Affected: Department of the Treasury

  25. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency Affected: Department of the Treasury

  26. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency Affected: Department of the Treasury

  27. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency Affected: Department of the Treasury

  28. Status: Open

    Comments: In commenting on a draft of our report, the Department concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of the Treasury should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency Affected: Department of the Treasury

  29. Status: Open

    Comments: In commenting on a draft of our report, EPA concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the senior agency information security officer (SAISO) is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency Affected: Environmental Protection Agency

  30. Status: Open

    Comments: In commenting on a draft of our report, EPA concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency Affected: Environmental Protection Agency

  31. Status: Open

    Comments: In commenting on a draft of our report, EPA concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environmental Protection Agency should define the SAISO's role in agency policy in the periodic authorization of the department's information systems.

    Agency Affected: Environmental Protection Agency

  32. Status: Open

    Comments: In commenting on a draft of our report, the agency concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency Affected: National Aeronautics and Space Administration

  33. Status: Open

    Comments: In its response to our final report, SBA stated that it plans to complete actions to address our recommendation by March 2017. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency Affected: Small Business Administration

  34. Status: Open

    Comments: In commenting on a draft of our report, the agency concurred with our recommendation. Subsequent to agency implementation actions, we plan to follow up.

    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the U.S. Agency for International Development should define the CISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency Affected: United States Agency for International Development
