Skip to main content

Information Security: Review of GAO's Program and Practices for Fiscal Years 2016 and 2017

OIG-18-4 Published: Jul 17, 2018. Publicly Released: Jul 17, 2018.
Jump To:
Skip to Highlights



This is a publication by GAO's Office of Inspector General (OIG) that concerns internal GAO operations. This report addresses GAO's fiscal year 2016 and 2017 compliance with Federal Information Security Modernization Act of 2014 (FISMA) requirements.

What OIG Found

During the period reviewed, GAO continued efforts to improve upon existing capabilities and strengthen its information security controls, particularly in the areas of identity and access management, security training, and continuous monitoring. Our report identifies specific areas, such as configuration management and contingency planning, where additional efforts are needed to further strengthen GAO's information security consistent with FISMA requirements. The issues we identified in this report also highlight how gaps in GAO's implementation of an enterprise-wide risk management program may have contributed to the challenges and heightened risks identified during our audit.

Due to the sensitive nature of our findings, a full report on the results of our audit was prepared for internal GAO use only.

What OIG Recommends

The OIG is making three recommendations to the Comptroller General intended to help the GAO more fully implement federal information security requirements. Specifically, we recommend that GAO document (1) a process to evaluate current and future enterprise IT investment portfolio assets, including risks, and ensure alignment with GAO's IT Strategy for fiscal years 2017-2019 and (2) its plans, policies, and procedures for identifying, prioritizing, and mitigating operational risk related to establishing full failover capabilities at the agency's alternate computing facility in the event of a disaster and preparing for end-of-support upgrades for Windows 7. In addition, we recommend that GAO document and implement a process to identify and track hardware and software interdependencies for GAO's system inventory including vendor support data.

GAO agreed with our recommendations and described actions planned to mitigate the control risks identified in our work. The agency also provided technical comments that we incorporated, as appropriate. 

For more information, contact Adam R. Trzeciak at (202) 512-5748 or

Full Report

GAO Contacts


Audit objectivesCompliance oversightCybersecurityInformation securityInformation systemsIT infrastructureRisk managementSoftwareGAO's fiscal yearContinuous monitoring