GAO has a few ideas for strengthening FISMA
- By William Jackson
- Jul 01, 2009
Information security remains a high-risk endeavor for much of the government, but strengthening the Federal Information Security Management Act of 2002 could help improve the country’s cybersecurity posture, the Government Accountability Office said.
FISMA was intended to provide a comprehensive framework for securing government information technology resources and offer an oversight mechanism for those efforts. FISMA is built on solid risk-management principles that include annual evaluations and reporting. But clarifying and strengthening requirements for testing, reporting and oversight could improve the act, GAO told the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee.
“Since 1997, we have designated federal information security as a governmentwide high-risk area in our biennial reports to Congress,” GAO said in a June 30 letter to the subcommittee. Current reviews of 24 major agencies show continuing weaknesses in security controls and programs for information systems, while reported security incidents have more than tripled in the past three years — from 5,503 in fiscal 2006 to 16,843 in fiscal 2008.
Asked to recommend improvements to FISMA, GAO outlined several changes. Testing and evaluating security controls, now required annually, is not being performed consistently or effectively at many agencies.
“Clarifying or strengthening FISMA and its implementing guidance for determining the frequency, depth and breadth of security control tests and evaluations could help agencies better assess the effectiveness of the controls protecting the information and systems supporting their programs, operations and assets,” the letter states.
Greater accountability is also needed at the highest levels of the agencies, GAO said. Agency leaders should be required to provide written assurance of the adequacy and efficiency of their information security programs. Agencies report annually to Congress on their programs, but the metrics required by the Office of Management and Budget do not adequately measure effectiveness.
“FISMA can be improved by requiring that agency management include in its annual report an assurance statement on the overall adequacy and effectiveness of information security within the agency,” similar to that required for financial controls for agencies and public companies, GAO said.
The independent annual evaluations of IT security now required under FISMA could be enhanced by requiring the use of generally accepted government auditing standards, which many agencies now use. Current annual reporting does not adequately address the quality or effectiveness of security controls and processes, and additional performance metrics are needed to evaluate them.
“We are currently reviewing the use of metrics to guide and monitor information security control activities at federal agencies and at leading nonfederal organizations,” GAO’s letter states.
OMB oversight of information security programs also could be strengthened. OMB does not explicitly approve agencies’ security programs, and “implementation of this mechanism can provide additional oversight,” the letter states.
GAO also identified other measures that it said could help improve the country’s IT security posture. They include:
- Developing a national strategy that clearly articulates strategic objectives, goals and priorities.
- Establishing White House leadership on the issue.
- Publicizing and raising awareness about the seriousness of the cybersecurity problem.
- Focusing more efforts on prioritizing assets, assessing vulnerabilities and reducing them than on developing additional plans.
- Bolstering public/private partnerships through an improved value proposition and use of incentives.
- Focusing greater attention on addressing the global aspects of cyberspace.
- Placing greater emphasis on cybersecurity research and development, including how to better coordinate government and private-sector efforts.
- Increasing the cadre of cybersecurity professionals.
“Until these improvements are considered, our nation’s federal and private-sector infrastructure systems remain at risk of not being adequately protected,” GAO’s letter states.
William Jackson is a Maryland-based freelance writer.