Information Security:
Additional Actions Needed to Fully Implement Reform Legislation
GAO-02-407: Published: May 2, 2002. Publicly Released: May 2, 2002.
In March, GAO testified on the federal government's fiscal-year implementation of legislative provisions for government information security reform. (See GAO-02-470T.) GAO reported that implementation of the reforms addresses serious, pervasive information security weaknesses. GAO also noted the Office of Management and Budget needs to (1) further guide agencies and encourage them to implement the reform provision requirements and (2) provide Congress with the information it needs for overseeing agencies' implementation, compliance, and corrective actions, as well as for its related budget deliberations.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: OMB developed and included high-level management performance measures in its fiscal year 2002 reporting instructions to agencies on Government Information Security Reform, issued July 2, 2002.
Recommendation: To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of the Office of Management and Budget (OMB) should direct his staff to provide additional guidance on appropriate performance measures to enable the agencies to better determine and report their progress in implementing the security requirements.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: OMB provided guidance to agencies to assist them in determining their security costs in section 53 of Circular A-11, fiscal year 2004 budget guidance, issued June 26, 2002. OMB referred agencies to this guidance in its reporting instructions for Government Information Security Reform, issued July 2, 2002.
Recommendation: To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of OMB should direct his staff to provide additional guidance on more specific definitions and examples of information-security-related costs to enable the agencies to more consistently identify, track, and report these costs.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: In its fiscal year 2002 Government Information Security Reform reporting instructions, OMB provided additional information to agencies on the level of review required for individual systems. This guidance stressed that all systems must be reviewed annually and that the depth and breadth of review depends on factors such as the risk associated with a system and its data, the comprehensiveness of prior review, and the adequacy and successful implementation of their corrective action plan. A performance measure provided in this guidance also asks that agencies report the number of systems for which security controls have been evaluated in the past year.
Recommendation: To facilitate more efficient and effective agency management of and reporting on the implementation of information security requirements of the reform provisions, the Director of OMB should direct his staff to provide additional guidance on a more detailed description of the required scope of the annual management reviews regarding the extent to which (1) systems must be reviewed annually and (2) security controls must be tested and evaluated as part of this review process.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: In its July 2002 Government Information Security Reform guidance on security plans of action and milestones (corrective action plans), OMB authorized agencies to release the following information, as requested, from these plans to the Congress: the type of weakness, key milestones, any milestone changes, the source of the reported weakness, and the status of the weakness. An OMB official stated that agencies should also provide quarterly update information, as requested, to the Congress.
Recommendation: To enhance oversight of federal information security by Congress and its related budget deliberations, the Director of OMB should authorize the heads of federal departments and agencies to release information from their corrective action plans to the Congress and GAO that would (1) identify specific weaknesses to be addressed, their relative priority, the actions to be taken, and the timeframes for completing these actions and (2) provide their quarterly updates on the status of completing these actions.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: OMB permits agencies to choose to report required information on national security systems in aggregate with, or separate from, the agencies' non-national security systems. In its annual reports to the Congress on FISMA implementation, OMB combines and summarizes agency-reported information for national security and non-national security systems together.
Recommendation: To enhance oversight of federal information security by Congress and its related budget deliberations, the Director of OMB should provide Congress with appropriate summary information on the results of the audits of the evaluations for information security programs for national security systems.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: OMB's July 2002 reporting instructions to the agencies included reporting areas and high-level performance measures that should help ensure agencies consistently report their progress in implementing government information security reform requirements. Issued in May 2003, OMB's fiscal year 2002 report to the Congress provided updates on actions to address previously identified governmentwide weaknesses, identified new challenges, reported results for key performance indicators, and provided individual summaries for large agencies that indicated the status of agencies' efforts to implement government information security reform requirements.
Recommendation: To enhance oversight of federal information security by the Congress and its related budget deliberations, the Director of OMB should, in addition to the information currently reported, explicitly identify in future OMB annual reports to Congress the overall status of agencies' efforts to implement each of the information security program requirements specified by the reform provisions.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: OMB's July 2002 reporting instructions to the agencies specifically encourage that inspector general independent evaluations be a representative sampling of agency systems, which would include both financial and nonfinancial systems.
Recommendation: In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to appropriately consider both financial and nonfinancial systems in selecting the subset of systems for testing information security control techniques during their annual independent evaluations.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: OMB reporting instructions provided to the agencies in July 2002 ask the inspectors general (IGs) to verify that agency corrective action plans are developed, implemented, and managed. In addition, OMB asked that the IGs verify that agency corrective action plans identify all known security weaknesses in an agency.
Recommendation: In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to provide an independent assessment of agencies' corrective action plans in their future evaluations.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: OMB's Government Information Security Reform reporting instructions encouraged the inspectors general to maximize resources by using, where appropriate, other reports, audits, and evaluations conducted during the reporting period; and by partnering with other inspectors general or agency employees to enhance expertise.
Recommendation: In addition, to help ensure that annual independent evaluations appropriately consider all agency systems as intended by the reform provisions, the Director of OMB, through its budgetary and reform provision oversight responsibilities, should encourage agencies' inspectors general to obtain appropriate resources to support these evaluations and their other information security audit needs.
Agency Affected: Executive Office of the President: Office of Management and Budget