
Information Security: Agencies Make Progress in Implementation of Requirements, but Significant Weaknesses Persist

GAO-09-701T Published: May 19, 2009. Publicly Released: May 19, 2009.


Without proper safeguards, federal agencies' computer systems are vulnerable to intrusions by individuals and groups who have malicious intentions and can obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. Concerned by reports of significant weaknesses in federal systems, Congress passed the Federal Information Security Management Act (FISMA), which permanently authorized and strengthened information security program, evaluation, and annual reporting requirements for federal agencies. GAO was asked to testify on its draft report on (1) the adequacy and effectiveness of federal agencies' information security policies and practices and (2) their implementation of FISMA requirements. To prepare for this testimony, GAO summarized its draft report, in which it analyzed agency, inspectors general, Office of Management and Budget (OMB), congressional, and GAO reports on information security.



Accountability, Agency evaluation, Classified defense information, Computer security, Fraud, Identity theft, Information security, Information systems, Internal controls, Operational testing, Performance appraisal, Program evaluation, Regulatory agencies, Reporting requirements, Risk management, Standards, Strategic information systems planning, Systems evaluation, Policies and procedures