Skip to Highlights
Highlights

Information security is a critical consideration for federal agencies, which depend on information systems to carry out their missions. Increases in reports of security incidents demonstrate the urgency of adequately protecting the federal government's data and information systems. Agencies are required to report to the Office of Management and Budget (OMB) on their information security programs, and OMB is to report results to Congress. Agencies have reported progress in carrying out their activities and have used a variety of measures as the basis of that reporting. GAO was asked to (1) describe key types and attributes of performance measures, (2) identify practices of leading organizations for developing and using measures to guide and monitor information security activities, (3) identify the measures used by federal agencies and how they are developed, and (4) assess the federal government's practices for informing Congress on the effectiveness of information security programs. To do this, GAO met with leading organizations, consulted with experts, and reviewed major federal agencies' policies and practices.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget 1. To assist federal agencies in developing and using measures that better address the effectiveness of their information security programs, the Director of the OMB should issue revised information security guidance to agency chief information officers (CIO) reinforcing the existing requirement that agencies follow National Institute of Standards and Technology (NIST) guidance (which correlates with key practices) in developing measures and clarifying the need to develop and use a balanced set of measures that includes compliance, control effectiveness, and program impact measures.
Closed - Implemented
In fiscal year 2012, we verified that OMB took steps to issue revised information security guidance to agency chief information officers to reinforce the requirement that agencies follow NIST guidance in developing measures and clarifying the need to develop and use a balanced set of measures that includes compliance, control effectiveness, and program impact measures. (8/13/2013)
Office of Management and Budget 2. To assist federal agencies in developing and using measures that better address the effectiveness of their information security programs, the Director of the OMB should direct agency CIOs to ensure that all of their measures exhibit the four key attributes of a measure (i.e., that it be measurable, meaningful, repeatable and consistent, and actionable).
Closed - Implemented
In fiscal year 2011, we verified that OMB took steps to direct agency chief information officers to ensure that their measures exhibited the four key attributes (i.e., that it be measurable, meaningful, repeatable and consistent, and actionable). (8/13/2013)
Office of Management and Budget 3. To assist federal agencies in developing and using measures that better address the effectiveness of their information security programs, the Director of the OMB should direct agency CIOs to employ key practices identified by leading organizations in developing their measures (i.e., focusing on risk, involving key stakeholders in development, assigning accountability, and linking measures to business goals).
Closed - Implemented
In fiscal year 2012, we verified that OMB took steps to direct agency chief information officers to employ key practices identified by leading organizations in developing their measures (i.e., focusing on risk, involving key stakeholders in development, assigning accountability, and linking measures to business goals). (8/13/2013)
Office of Management and Budget 4. To improve OMB's process for collecting measures and reporting to Congress on the status of information security programs, the Director of OMB should revise annual reporting guidance to agencies to require (1) reporting on a balanced set of measures, including measures that focus on the effectiveness of control activities and program impact, and (2) inclusion of all key attributes in the development of measures.
Closed - Implemented
In fiscal year 2010, we verified that OMB revised the annual reporting guidance to agencies to require (1) reporting on a more balanced set of measures, including measures that focus on the effectiveness of control activities and program impact, and (2) inclusion of all key attributes in the development of measures. (8/13/2013)
Office of Management and Budget 5. To improve OMB's process for collecting measures and reporting to Congress on the status of information security programs, the Director of OMB should revise the annual report to Congress to provide better status information, including information on the effectiveness of agency information security programs, the extent to which major risks are being addressed, and progress that has been made in improving the security posture of the federal government.
Closed - Implemented
In fiscal year 2012, we verified that OMB took steps to revise its annual report to Congress to provide better status information, including information on the effectiveness of agency information security programs, the extent to which major risks are being addressed, and progress that has been made in improving the security posture of the federal government. (8/17/2013)

Full Report

GAO Contacts