Report finds OMB must have bigger role in agency infosec

A new government report contends that the federal Office of Management and Budget (OMB) should hold more of an oversight role on the information security programs of U.S. agencies.

The U.S. Government Accountability Office (GAO) studied how the agencies were responding to the regulations described in the Federal Information Security Management Act of 2002 (FISMA). The mandate requires government entities to develop and implement agencywide information security programs and calls for inspectors general (IG) to conduct annual reviews of agency progress.

The 66-page GAO report, released Friday, found that OMB has not included information on key deficiencies in agencies' information security programs in its reports to Congress. Nor does it approve, or disapprove, agency information security programs, Gregory Wilshusen, director of information security issues at the GAO, said on Monday.

The GAO report recommends that OMB report on how effectively certain controls are being met, clarify certain reporting instructions, and include in its report to Congress the areas where agency information security programs fall short. It also recommends that, going forward, the director of OMB institute the practice of approving or disapproving agency information security programs, as FISMA mandates.

But Federal CIO Vivek Kundra disputed one of the findings.

“OMB reviews all agency and IG FISMA reports annually,” Kundra wrote in a June 23 response to Wilshusen. “For the major agencies, OMB also receives and reviews quarterly information on their security programs. OMB uses this information, and other reporting, to evaluate agencies' security management programs. Concerns are communicated directly to the agencies.”

Wilshusen said OMB often reviews the programs but does not make the final call on their approval. Requiring OMB to do so, he said, would raise the level of accountability and give agencies an incentive to improve their programs.

Meanwhile, the GAO report also concluded that federal agencies have made strides toward complying with FISMA, but that more work remains. Nearly all of the 24 major federal agencies had information security weaknesses, primarily because they have not fully implemented their information security programs, the report states.

“Although the OMB took steps to clarify its reporting instructions to agencies for preparing fiscal year 2008 reports, the instructions did not request inspectors general to report on agencies' effectiveness of key activities and did not always provide clear guidance to inspectors general,” the report states.