The U.S. Government Accountability Office (GAO) studied how the agencies were responding to the regulations described in the Federal Information Security Management Act of 2002 (FISMA). The mandate requires government entities to develop and implement agencywide information security programs and calls for inspectors general (IG) to conduct annual reviews of agency progress.
The 66-page GAO report, released Friday, found that OMB has not included information on key deficiencies in agencies' information security programs in its reports to Congress. Nor does it approve -- or disapprove -- agency information security programs, Gregory Wilshusen, director of information security issues at the GAO, told SCMagazineUS.com on Monday.
The GAO report recommends that OMB report on how effectively certain controls are being met, that certain reporting instructions be clarified, and that OMB's report to Congress identify the areas where agency information security programs fall short. It also recommends that, going forward, the director of OMB institute the practice of approving or disapproving agency information security programs, as FISMA mandates.
But Federal CIO Vivek Kundra disputed one of the findings.
“OMB reviews all agency and IG FISMA reports annually,” Kundra wrote in a June 23 response to Wilshusen. “For the major agencies, OMB also receives and reviews quarterly information on their security programs. OMB uses this information, and other reporting, to evaluate agencies' security management programs. Concerns are communicated directly to the agencies.”
Wilshusen said OMB often reviews the programs but does not make the final call on their approval. Requiring OMB to do so, he said, would raise the level of accountability and give agencies an incentive to improve their programs.
Meanwhile, the OMB report also concluded that federal agencies have made strides toward complying with FISMA, but more work remains. Nearly all 24 major federal agencies had information security weaknesses, primarily because they have not fully implemented their information security programs, the report states.
“Although the OMB took steps to clarify its reporting instructions to agencies for preparing fiscal year 2008 reports, the instructions did not request inspectors general to report on agencies' effectiveness of key activities and did not always provide clear guidance to inspectors general,” the report states.