What GAO Found
In fiscal year 2012, 24 major federal agencies had established many of the components of an information security program required by The Federal Information Security Management Act of 2002 (FISMA); however, they had partially established others. FISMA requires each federal agency to establish an information security program that incorporates eight key components, and each agency inspector general to annually evaluate and report on the information security program and practices of the agency. The act also requires the Office of Management and Budget (OMB) to develop and oversee the implementation of policies, principles, standards, and guidelines on information security in federal agencies and the National Institute of Standards and Technology to develop security standards and guidelines.
The extent to which agencies implemented security program components showed mixed progress from fiscal year 2011 to fiscal year 2012. For example, according to inspectors general reports, the number of agencies that had analyzed, validated, and documented security incidents increased from 16 to 19, while the number able to track identified weaknesses declined from 20 to 15. GAO and inspectors general continue to identify weaknesses in elements of agencies' programs, such as the implementation of specific security controls. For instance, in fiscal year 2012, almost all (23 of 24) of the major federal agencies had weaknesses in the controls that are intended to limit or detect access to computer resources.
OMB and the Department of Homeland Security (DHS) continued to develop reporting metrics and assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, such as conducting risk assessments and developing security plans; are focused mainly on compliance rather than effectiveness of controls; and in many cases did not identify specific performance targets for determining levels of implementation. Enhancements to these metrics would provide additional insight into agency information security programs.
Why GAO Did This Study
FISMA requires the Comptroller General to periodically report to Congress on agency implementation of the act's provisions. To this end, this report summarizes GAO's evaluation of the extent to which agencies have implemented the requirements of FISMA, including the adequacy and effectiveness of agency information security policies and practices. To do this, GAO analyzed its previous information security reports, annual FISMA reports and other reports from the 24 major federal agencies, reports from inspectors general, and OMB's annual reports to Congress on FISMA implementation. GAO also interviewed agency officials at OMB, DHS, NIST, and 6 agencies selected using the total number of systems the agencies reported in fiscal year 2011.
GAO and inspectors general have previously made numerous recommendations to improve agencies' information security programs. The agencies generally agreed with GAO's recommendations. In addition, GAO previously recommended that OMB revise annual reporting guidance to require performance targets to which OMB generally agreed. GAO is also recommending that the Director of OMB ensure that metrics are incorporated that assess the effectiveness of information security programs in OMB's annual FISMA reporting instructions to agencies and inspectors general.
Recommendations for Executive Action
|Office of Management and Budget||The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, to enhance the usefulness of the annual FISMA reports and to provide additional insight into agencies' information security programs, should develop compliance metrics related to periodic assessments of risk and development of subordinate security plans.|
|Office of Management and Budget||The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, to enhance the usefulness of the annual FISMA reports and to provide additional insight into agencies' information security programs, should develop metrics for inspectors general to report on the effectiveness of agency information security programs.|