More than Half of Agency Cybersecurity Chiefs Lack the Authority to be Effective

Published: September 21, 2016

Tags: Cybersecurity, GAO, Policy and Legislation

A government audit reveals that 13 of the 24 federal executive branch agencies had not fully defined the role of their chief cybersecurity official as required under a 2014 federal information security law.

The Federal Information Security Modernization Act of 2014 (FISMA 2014) requires agencies to designate a Chief Information Security Officer (CISO) who is responsible for ensuring that the agency meets the requirements of the law, including developing, documenting, and implementing an agency-wide information security program. The Government Accountability Office (GAO) recently conducted a study in which it reviewed agency security policies, administered a survey to 24 CISOs, interviewed current CISOs, and spoke with officials from the Office of Management and Budget (OMB). GAO was asked to review current CISO authorities in order to identify the extent to which federal agencies have defined the role of the CISO in accordance with law and guidance, and to identify the key challenges federal CISOs face in fulfilling their responsibilities.

GAO’s findings reveal the “work-in-progress” nature of cybersecurity and CISO authorities among most executive branch departments and agencies.

Evaluation and Findings

GAO evaluated the 24 agencies on 11 CISO activities required by FISMA: periodic risk assessments, policies and procedures, security plans, security awareness training, periodic testing, remedial actions, incident response, contingency planning, specialized security training, contractor system security oversight, and system authorization.

Highlights of the assessment include:

  • Eleven of the 24 agencies had fully defined CISO roles for all 11 activities. The other 13 agencies varied in the number of activities for which they had defined CISO roles.
  • Departments on the lower side of the spectrum for defined CISO roles were:
    • Defense - 8 activities
    • Energy - 6 activities
    • Interior - 7 activities
    • Treasury - 4 activities
  • All 24 agencies had defined CISO roles for periodic risk assessments, and all but Energy had defined roles for remedial actions.
  • Contingency planning was the least-defined activity: 7 agencies had undefined CISO roles for it – Commerce, Energy, EPA, HHS, Interior, Justice, and Treasury.
  • Contractor system security oversight was the second least-defined activity: 6 agencies had undefined CISO roles for it – DoD, Energy, Interior, Treasury, NASA, and USAID. (See Table 1 in the report for complete details.)

In their responses to GAO’s survey, agency CISOs identified the factors that most challenge and limit their authority and ability to oversee their agency’s information security activities and effectively manage information security risk. (See table below.)

Conclusions

GAO did not place all the onus on agencies and their CISOs. It also noted that OMB has not issued the information security guidance required by FISMA 2014 telling federal agencies how they should ensure that CISOs and others fulfill their responsibilities, and how personnel are to be held accountable for complying with agency-wide cybersecurity programs. GAO concluded that the lack of such guidance – combined with the challenges to their authority that CISOs face – hinders an agency CISO’s ability to be effective.

In addition to recommending that OMB issue the guidance mentioned above, GAO made 33 other recommendations to the 13 departments, addressing individual agency shortfalls across the 11 activities so that their CISO roles are well defined and meet FISMA requirements.