Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements

OMB revised its fiscal year 2009 FISMA reporting instructions to request that inspectors general provide information on the quality of the agency?s certification and accreditation (C&A) process. This qualitative information included whether the agency has an adequate C&A policy and whether the C&A process adequately provides appropriate risk categories, testing of controls (covers annual system reviews), and other items. As a result, the usefulness of the review process for management and oversight purposes is enhanced.

In our July 15, 2005 report on federal agencies' implementation of FISMA, we recommended that OMB require agencies to report FISMA data by risk category. For the subsequent reporting cycle (agencies reporting in 2006 on FY 2005 activities) OMB issued reporting instructions and templates that required agencies to list systems by risk category. OMB's actions thereby implement GAO's recommendation.

OMB revised its fiscal year 2009 FISMA reporting instructions to request that inspectors general provide information on the quality of the agency?s certification and accreditation (C&A) process. This qualitative information included whether the agency has an adequate C&A policy and whether the C&A process adequately provides appropriate risk categories, testing of controls (covers annual system reviews), and other items. As a result, the usefulness of the review process for management and oversight purposes is enhanced.

In our July 15, 2005 report on federal agencies' implementation of FISMA, we recommended that OMB review guidance to ensure clarity of instructions. For the subsequent reporting cycle (agencies reporting in 2006 on FY 2005 activities) OMB clarified or deleted comments related to POA&Ms, system inventories, and configuration management. The FY 2005 reporting templates deleted some elements of the POA&M question present in the FY 2004 version. Additionally, the FY 2005 template eliminated the system inventory question for the Inspector General that asked about the IG's involvement in development and verification. Also, the FY 2005 template included a more detailed question on configuration management than the FY 2004 template, requiring agencies to identify which software is addressed in agencywide policy and whether agency systems run the software. OMB's actions thereby implement GAO's recommendation.