The Government Accountability Office (GAO) found “persistent weaknesses” at 24 federal agencies that it said showed the problems the agencies have in “effectively applying information security policies and practices.”
In most, the Sept. 29 report noted, challenges persist in limiting, preventing and detecting unauthorized access to systems; managing software and hardware configurations; dividing and partitioning duties to prevent one person from controlling vital aspects of computer operations; and planning continuity of operations if disaster occurs. They also struggle to implement security management programs across the agency that could ensure they spot control deficiencies as well as resolve problems and manage risk.
Agencies varied in both the way they implemented Federal Information Security Management Act of 2002 (FISMA) requirements in 2013 and 2014 and their success at doing so. “For example, most agencies had developed and documented policies and procedures for managing risk, providing security training, and taking remedial actions, among other things. However, each agency's inspector general reported weaknesses in the processes used to implement FISMA requirements,” the GAO said.
Noting that the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) both provide guidance to agency inspectors general on how to conduct agency evaluations and report them, the GAO said that “guidance was not always complete, leading to inconsistent application by the inspectors general.” The GAO pegged inconsistent reporting in part on agency security performance on the lack of criteria for making the assessments.
The government body said to ensure more consistent reporting of agency security performance and make the results more comparable OMB, working with DHS and other agencies, should bolster reporting guidelines for inspectors general.