Highlights

For many years, GAO has reported that weaknesses in information security are a widespread problem with potentially devastating consequences--such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information--and has identified information security as a governmentwide high-risk issue. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the information security program, evaluation, and reporting requirements for federal agencies. FISMA requires GAO to report periodically to Congress; in this report GAO discusses the adequacy and effectiveness of agencies' information security policies and practices and agencies' implementation of FISMA requirements. To address these objectives, GAO analyzed agency, inspectors general (IG), Office of Management and Budget (OMB), congressional, and GAO reports on information security.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: Because annual reporting is critical to monitoring agencies' implementation of information security requirements, in revising future FISMA reporting guidance the Director of OMB should develop additional performance metrics that measure the effectiveness of FISMA activities.
Status: Closed - Implemented
In fiscal year 2011, we verified that OMB revised its FISMA reporting instructions to incorporate, for fiscal year 2010, additional metrics that expanded coverage of the areas agencies and their IGs use to measure the effectiveness of agencies' security postures and efforts to implement FISMA activities.

Agency Affected: Office of Management and Budget
Recommendation: Because annual reporting is critical to monitoring agencies' implementation of information security requirements, in revising future FISMA reporting guidance the Director of OMB should request inspectors general to report on the quality of additional agency information security processes, such as system test and evaluation, risk categorization, security awareness training, and incident reporting.
Status: Closed - Implemented
In fiscal year 2011, we verified that OMB revised its FISMA reporting instructions to request, for fiscal year 2010, that IGs report on the status of several program areas at their agencies, including system test and evaluation, covered in the continuous monitoring section; risk, covered in the certification and accreditation section (security authorization); security training; and incident response and reporting.

Agency Affected: Office of Management and Budget
Recommendation: Because annual reporting is critical to monitoring agencies' implementation of information security requirements, in revising future FISMA reporting guidance the Director of OMB should require agencies to report on a key activity--patch management.
Status: Closed - Implemented
In fiscal year 2011, we verified that OMB revised its FISMA reporting instructions to request, for fiscal year 2010, that the IGs report on agencies' configuration management process, which included agencies' processes for the installation of software patches.
