From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Are Federal Agencies Following Information Security Law?

Description: We discuss a GAO report looking into the requirements federal agencies must follow to safeguard information.

Related GAO Work: GAO-19-545: Federal Information Security: Agencies and OMB Need to Strengthen Policies and Practices

Released: July 2019

[ Background Music ]

[ Greg Wilshusen: ] Agencies and OMB need to strengthen the policies and practices of securing information and information systems.

[ Matt Oldham: ] Welcome to GAO’s Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. GAO’s High Risk List comes out every two years. It covers areas of the government that are vulnerable to waste, fraud, abuse and mismanagement, or in need of transformation. And for more than two decades, information security has been an area on the High Risk List. Greg Wilshusen is an Information Technology and Cybersecurity director at GAO, and he's going to talk about his report on information security and how agencies are handling their requirements as dictated by law. But first Greg, we've covered cybersecurity on this podcast. We've covered information security. Is there a difference between those two terms?

[ Greg Wilshusen: ] Well, there's a slight difference, but often they are used interchangeably. According to FISMA, which is the Federal Information Security Modernization Act, information security is protecting the information systems and information from unauthorized access, use, disclosure, modification, disruption, and destruction in order to preserve the confidentiality, integrity, and availability of the information and information systems.
OMB has defined cybersecurity as preventing damage to and protecting and restoring computer networks and electronic communication systems and information and services, to include like the actual electronic communication or wire communications. So cybersecurity probably focuses more on the communications and the network side perhaps, but often, as I mentioned, they are used interchangeably.

[ Matt Oldham: ] Could you talk about the agencies that you looked at for this report and those legal requirements?

[ Greg Wilshusen: ] We selected 16 agencies, 12 of which were from the 24 CFO Act agencies, which generally are the larger departments and agencies within the federal government. We also selected four non-CFO Act agencies to kind of give us a broader cross-section, if you will. We also, of course, looked at the Office of Management and Budget, the Department of Homeland Security and NIST, or the National Institute of Standards and Technology, for their role in providing government-wide services and oversight to the federal agencies.

[ Matt Oldham: ] And what should these agencies be doing?

[ Greg Wilshusen: ] And so under FISMA the law, agencies are required to establish an information security program that is intended to provide the appropriate safeguards commensurate with the potential risk or harm that could occur should their systems and information be compromised in some fashion. In addition, back in May 2017, President Trump signed an executive order which also required agencies to manage their cybersecurity risk according to the NIST framework for improving critical infrastructure cybersecurity. So there, agencies really have two major mandates to report under: FISMA and then this executive order.

[ Matt Oldham: ] And did you find that the agencies you looked at are working in accordance with their requirements?

[ Greg Wilshusen: ] Well, to an extent they are, but not nearly as often or as well as they need to be.
We identified, for example, that most of the 16 agencies that we examined were deficient in most of the core security functions identified through the executive order, the NIST cybersecurity framework. We also found that a majority of those agencies also did not fully implement many of the elements required by the FISMA information security program. Now on the government-wide side, with certain exceptions, we found that OMB, DHS and NIST generally performed their government-wide responsibilities. However, we did note that OMB, for example, has yet to submit its annual report to the Congress on agencies' implementation of FISMA. That report was due back on March 1st, and OMB has yet to provide that report.

[ Background Music ]

[ Matt Oldham: ] So it sounds like you found examples of agencies not fully upholding their FISMA or executive order obligations. And OMB is months late, as of the recording of this podcast, on giving its required annual report to Congress. So then where does this leave us, Greg?

[ Greg Wilshusen: ] By not taking those actions and improving the security over their systems, they really are putting their operations, assets, and systems at risk. On the part of OMB not issuing the report, well, that limits the information available to the Congress to provide its oversight responsibilities.

[ Matt Oldham: ] So how can OMB and the agencies that you looked at improve things?

[ Greg Wilshusen: ] Well, one, OMB can issue its report to Congress. Also, it can increase the number of agencies with which it holds the CyberStat meetings, because they have been proven to be very helpful to those agencies in addressing certain information security related issues. In addition, agencies can, for one, implement GAO’s recommendations and the recommendations of their agency inspector general in order to better protect and secure their systems.

[ Matt Oldham: ] So wrapping this all up, what is the bottom line with this report?
[ Greg Wilshusen: ] Well, the bottom line is agencies and OMB need to strengthen the policies and practices of securing information and information systems throughout the entire federal government.

[ Matt Oldham: ] Greg Wilshusen was talking about a GAO report on the information security requirements for federal agencies as laid out by law. Thank you for your time, Greg.

[ Greg Wilshusen: ] Thank you.

[ Background Music ]

[ Matt Oldham: ] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.