GAO recommends improvements to FISMA reporting guidance

The title of the latest IT security report from the Government Accountability Office tells a familiar tale: 'Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements.'

The report found problems across all 24 major executive-branch agencies in implementing the requirements of the Federal Information Security Management Act. The problems were identified as managerial rather than technical.

'These weaknesses exist primarily because agencies have not yet fully implemented strong information security management programs,' the study concluded.

GAO recommended that the Office of Management and Budget, which is charged with FISMA oversight, improve its guidance for annual FISMA reporting.

Nearly all of the agencies reviewed lacked adequate access controls, software change controls, continuity of operations planning and agencywide security programs. Segregation of duties was not adequately implemented in more than half of the agencies.

Although GAO found that progress is being made in meeting FISMA requirements, direct year-to-year comparisons are not always possible because OMB's reporting requirements vary from year to year. GAO recommended that OMB require all aspects of key FISMA requirements be reported annually.

OMB disagreed with this recommendation, saying that its current guidance satisfies all FISMA requirements and that much of the information is covered in certification and accreditation processes required for all agency IT systems.

Other recommendations for improving OMB guidance, with which OMB agreed, are:
  • Request inspectors general to report on the quality of additional agency processes, such as the annual system reviews, each year. OMB pointed out that this information now is optional.

  • Require agencies to report FISMA data by IT system risk category. This has been included in the fiscal 2005 guidance issued last month.

  • Review guidance to ensure the clarity of instructions. OMB pointed out that reporting guidance is under constant evaluation.

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, said in response to the report that the FISMA process is not perfect.

"I think it provides the agencies with a strong management framework, but I recognize that it is not a panacea,' he said in a statement. 'There may be a need for amendments to facilitate implementation of the security concepts that drive FISMA. The FISMA process is still a young one; as it matures, the guidance will go through growing pains and require further changes.'

He went on to warn against complacency by agencies and oversight officials.

'We want to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law,' he said. 'We don't want them filling out forms to simply fill out forms."

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.