Federal Audit Shows Agencies are Inconsistent in Implementing Information Security

The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to implement information security plans, policies and practices and it requires agency inspectors general (IGs) and the Government Accountability Office (GAO) to measure their progress.

The GAO audited the 24 federal agencies covered by the Chief Financial Officers (CFO) Act of 1990, as well as smaller non-CFO Act agencies, for their compliance in implementing FISMA, which requires GAO to periodically report to Congress on agencies' implementation of the act. The latest audit for fiscal year 2018 found that “many federal agencies were often not adequately or effectively implementing their information security policies and practices.”

Deficiencies in Agency Information Security Programs

Within the audit, GAO randomly selected the following 16 agencies to measure their implementation of eight elements of an agency-wide information security program required by FISMA: the Departments of Agriculture, Commerce, Education, Housing and Urban Development, Justice, Labor, State, and the Treasury; the Environmental Protection Agency; Federal Communications Commission; Federal Retirement Thrift Investment Board; Merit Systems Protection Board; National Aeronautics and Space Administration; Presidio Trust; Small Business Administration; and the Social Security Administration.

GAO found that most of these 16 agencies had deficiencies, although they did not identify departments or agencies by name. (See figure below.)

Agencies Fell Short of the NIST Cybersecurity Framework

FISMA requires an agency’s inspector general to determine the effectiveness of their agency’s information security programs. Further, OMB instructed inspectors general to provide a maturity rating for their agency’s information security program related to the five core security functions identified in the NIST cybersecurity framework – Identify, Protect, Detect, Respond, Recover – as well as for the agency-wide information security program.

For the 2018 fiscal year, the inspectors general for six of the 24 CFO Act agencies reported that their agencies had an effective agency-wide information security program, the remaining 18 agencies were reported as having ineffective information security programs. For most of the five core security functions above, most agencies were at Level 3 (consistently implemented) for the Identify, Protect, and Recover functions; at Level 2 (defined) for the Detect function; and at Level 4 (managed and measurable) for the Respond function. Again, GAO did not identify departments and agencies by name. (See figure below.)

GAO also noticed two other areas of concern: First, the number of agency CyberStat meetings with DHS and OMB has declined significantly – from 24 in FY 2016 to three in FY 2018. Second, the OMB metrics that IGs use to evaluate FISMA implementation do not include system security plans, one of the elements required by FISMA. GAO recommended that DHS and OMB remedy these issues to ensure that agency information security programs are effective and receive the proper oversight.

In response to the audit only the U.S. Agency for International Development (USAID) had stated that it has developed, documented, and implemented an agency-wide security program that has been validated by its inspector general. Most of the other agencies reviewed in the report made no additional comment.