Cybersecurity: OMB Should Update Inspector General Reporting Guidance to Increase Rating Consistency and Precision
Fast Facts
We reviewed how 23 civilian federal agencies implemented the Federal Information Security Modernization Act of 2014.
Results were mixed in whether and how agencies implemented required security programs. For example, most reported meeting goals for detecting and preventing incidents. However, inspectors general found that only 7 of 23 agencies had effective security programs in FY 2020.
We also found that the guidance provided for inspectors general reviews was not always clear and resulted in imprecise effectiveness ratings. Our 2 recommendations address this issue.
Ensuring the cybersecurity of the nation is a topic on our High Risk List.
Highlights
What GAO Found
In fiscal year 2020, the effectiveness of federal agencies' implementation of requirements set by the Federal Information Security Modernization Act of 2014 (FISMA) was mixed. For example, more agencies reported meeting goals for managing the security of their software assets, as well as for intrusion detection and prevention. Nevertheless, inspectors general (IG) identified agencies' uneven performance of cybersecurity practices. For fiscal year 2020, IGs determined that seven of the 23 civilian Chief Financial Officers (CFO) Act of 1990 agencies had effective information security programs. Between fiscal years 2017 and 2020, the percentage of agencies receiving effective ratings has generally been consistent, ranging from 22 to 30 percent.
Number of the 23 Civilian Chief Financial Officers Act of 1990 Agencies with Effective and Not Effective Agency-Wide Information Security Programs, as Reported by Inspectors General for Fiscal Years 2017-2020
According to officials at all 24 CFO Act agencies, FISMA and its associated reporting process enabled their agencies to improve their information security programs' effectiveness. Specifically, Chief Information Officers and Chief Information Security Officers at 14 agencies stated that FISMA improved program effectiveness to a great extent, while officials at 10 agencies said it improved effectiveness to a moderate extent.
As required under FISMA, the Office of Management and Budget (OMB), in partnership with other organizations, provides guidance to IGs on conducting and reporting agency FISMA evaluations. GAO found that this guidance was not always clear, leading to inconsistent application by IGs. Further, GAO found that OMB's overall IG rating scale of “effective” and “not effective” resulted in imprecise ratings that did not clearly distinguish the differing levels of agencies' implementation of cybersecurity requirements. As a result, IG ratings may be less useful for cybersecurity oversight. By clarifying its future ratings guidance and improving its rating scale, OMB could help ensure that the reviews provide a more consistent picture of agencies' cybersecurity performance, enabling Congress to better understand agencies' relative cybersecurity risks.
Why GAO Did This Study
Since 1997, GAO has designated information security as a government-wide high-risk area. To protect federal information and systems, FISMA requires federal agencies to develop, document, and implement information security programs. Congress included a provision in FISMA for GAO to periodically report on agencies' implementation of the act.
GAO's objectives in this report were to (1) describe the reported effectiveness of federal agencies' implementation of cybersecurity policies and practices and (2) evaluate the extent to which relevant officials at federal agencies consider FISMA to be effective at improving the security of agency information systems.
To do so, GAO reviewed the 23 civilian CFO Act agencies' FISMA reports, agency reported performance data, past GAO reports, and OMB documentation and guidance. GAO also interviewed agency officials from the 24 CFO Act agencies (i.e., the 23 civilian CFO Act agencies and the Department of Defense), the Council of IGs on Integrity and Efficiency, and OMB.
Recommendations
GAO is making two recommendations that OMB, in consultation with others, clarify its guidance to IGs and create a more precise overall rating scale. OMB did not concur with our recommendations, stating, in part, that they want to provide IGs with the flexibility to adapt their reviews. Nevertheless, GAO believes that the recommendations are warranted in order to provide a more consistent and accurate picture of agencies' cybersecurity performance.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget |
Priority Rec.
The Director of OMB should collaborate with its partners in DHS and CIGIE to clarify the IG FISMA metrics guidance to specify when IGs should use OMB's recommended methodology and when they should use another method to determine agencies' overall effectiveness ratings. (Recommendation 1)
|
OMB did not concur with our recommendation at the time of report issuance. In December 2023, OMB informed us that they agreed with our recommendation, and they were working on an action related to the recommendation. In OMB's March 2024 update, the agency noted that its actions were ongoing. Nevertheless, we have yet to receive OMB's related documentation. We will continue to monitor OMB's implementation of our recommendation.
|
Office of Management and Budget |
Priority Rec.
The Director of OMB should collaborate with its partners in DHS and CIGIE to create a more precise overall effectiveness rating scale for IG FISMA reports. (Recommendation 2)
|
OMB did not concur with our recommendation at the time of report issuance. OMB did not agree that the existing rating scale for IG FISMA reports lacks necessary precision. However, we continue to believe that it is important for OMB to create a more precise overall effectiveness rating scale to provide greater clarity to the ratings by more accurately reflecting agencies' implementation of their security programs to both Congress and other oversight bodies. As of March 2024, OMB had not taken any actions to address this recommendation and has indicated that it does not plan to take any action, but GAO will continue to monitor this issue.
|