GAO Shines Light on FISMA's Failings ... Again

The Government Accountability Office once again shined a glaring spotlight on the <a href="http://www.gao.gov/new.items/d09546.pdf">failings</a> of the Federal Information Security Act, reporting Friday that "significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies."


This comes as no surprise. As noted in the report, GAO and inspectors general have made "hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls." In fact, there were too many related reports on information security for GAO to even list as footnotes in this latest report -- instead, it advises the reader to "See related GAO products" for recent reports on information security. The list is that extensive.

This report was in many ways a repeat of those earlier ones, pointing to widespread weaknesses in "user identification and authentication, authorization, boundary protections, cryptography, audit and monitoring, physical security, configuration management, segregation of duties, and continuity of operations planning" -- to name a few. GAO also pointed to repeated recommendations that agencies fully implement comprehensive, agencywide information security programs by "correcting weaknesses in risk assessments, information security policies and procedures, security planning, security training, system tests and evaluations, and remedial actions."

And yet, these deficiencies remain, despite the fact that federal agencies continue to report progress in implementing key information security requirements. How can that be? Because according to the standards of FISMA, agencies are making progress.

For that reason, GAO took aim not at individual agencies, but at the Office of Management and Budget, recommending the following:

  • OMB ask inspectors general to include in their annual reports details on the effectiveness of agencies' processes for developing inventories of computer systems, monitoring contractor operations, and providing specialized security training. (In other words, inspectors general would for the first time need to report on whether the information security efforts are actually working.)
  • OMB clarify and enhance how inspectors general are to evaluate agencies' processes for certifying and accrediting computer systems as secure, providing them with guidance on the specific requirements under FISMA for doing so.
  • OMB include in its report to Congress a summary of the findings from annual independent evaluations, as well as a list of all significant deficiencies in information security practices.
  • OMB approve or disapprove agency information security programs after review.

Federal CIO Vivek Kundra agreed with the first two recommendations, but didn't even address the notion of including a summary of information security evaluations or a list of significant security deficiencies in its report to Congress. He also "did not concur" with GAO's conclusion that OMB does not approve or disapprove agencies' information security management programs on an annual basis -- arguing that OMB "reviews all agency and IG FISMA reports annually; reviews quarterly information on the major agencies' security programs; and uses this information, and other reporting, to evaluate agencies security programs."

Is the problem with agencies' failure to address security weaknesses, the law guiding how they go about doing so, or inept oversight by the agency charged with ensuring compliance? Many might argue both, which is why a bill that would replace FISMA has gained so much traction on the Hill.
