Highlights

Agencies rely extensively on computerized information systems and electronic data to carry out their missions. To ensure the security of the information and information systems that support critical operations and infrastructure, federal law and policy require agencies to test and evaluate the effectiveness of their information security controls periodically, and at least annually. GAO was asked to evaluate the extent to which agencies have adequately designed and effectively implemented policies for testing and evaluating their information security controls. GAO surveyed 24 major federal agencies and analyzed their policies to determine whether the policies address important elements for periodic testing. GAO also examined testing documentation at 6 agencies to assess the quality and effectiveness of testing on 30 systems.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide weaknesses in the design and implementation of agencies' policies for periodically testing and evaluating security controls, the Director of the Office of Management and Budget should instruct federal agencies to develop and implement policies on periodic testing and evaluation.
Status: Closed - Implemented
In fiscal year 2011, we verified that OMB's fiscal year 2010 FISMA guidance instructed federal agencies to develop and implement policies on periodic testing and evaluation.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide weaknesses in the design and implementation of agencies' policies for periodically testing and evaluating security controls, the Director of the Office of Management and Budget should revise instructions for future Federal Information Security Management Act reporting by requesting Inspectors General to report on the quality of agencies' periodic testing processes.
Status: Closed - Implemented
In fiscal year 2011, we verified that OMB's fiscal year 2010 FISMA reporting guidance to the IGs requested that they report on the status of several program areas at their agency, including periodically testing and evaluating systems, which are covered under the continuous monitoring section.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Director, National Institute of Standards and Technology, to strengthen guidance on determining the depth and breadth of testing security controls.
Status: Closed - Implemented
In fiscal year 2011, we verified that the Secretary of Commerce directed the Director, National Institute of Standards and Technology (NIST), to strengthen guidance on determining the depth and breadth of testing security controls through the issuance of NIST's Special Publication 800-53A, guide for conducting security assessments, which provides information on determining the depth and breadth of testing security controls.
