Report finds OMB must have bigger role in agency infosec

A new government report contends that the federal Office of Management and Budget (OMB) should take a larger oversight role in the information security programs of U.S. agencies.

The U.S. Government Accountability Office (GAO) studied how the agencies were responding to the regulations described in the Federal Information Security Management Act of 2002 (FISMA). The mandate requires government entities to develop and implement agencywide information security programs and calls for inspectors general (IG) to conduct annual reviews of agency progress.

The 66-page GAO report, released Friday, found that OMB has not included information on key deficiencies in agencies' information security programs in its reports to Congress. Nor does it approve or disapprove agency information security programs, Gregory Wilshusen, director of information security issues at the GAO, said Monday.

The GAO report recommends that OMB report on how effectively certain controls are being implemented, clarify certain reporting instructions, and include in its report to Congress the areas where agency information security programs fall short. It also recommends that the OMB director begin approving or disapproving agency information security programs, as FISMA mandates.

But Federal CIO Vivek Kundra disputed one of the findings.

“OMB reviews all agency and IG FISMA reports annually,” Kundra wrote in a June 23 response to Wilshusen. “For the major agencies, OMB also receives and reviews quarterly information on their security programs. OMB uses this information, and other reporting, to evaluate agencies' security management programs. Concerns are communicated directly to the agencies.”

Wilshusen said OMB often reviews the programs but does not make the final call on their approval. Requiring OMB to do so, he said, would raise the level of accountability and give agencies an incentive to improve their programs.

Meanwhile, the GAO report also concluded that federal agencies have made strides toward complying with FISMA, but that more work remains. Nearly all of the 24 major federal agencies had information security weaknesses, primarily because they have not fully implemented their information security programs, the report states.

“Although the OMB took steps to clarify its reporting instructions to agencies for preparing fiscal year 2008 reports, the instructions did not request inspectors general to report on agencies' effectiveness of key activities and did not always provide clear guidance to inspectors general,” the report states.