A new report from the Government Accountability Office (GAO) reveals that Federal agencies’ implementation of the Federal Information Security Modernization Act (FISMA) continued to be mostly ineffective in recent years, and it calls on the Office of Management and Budget (OMB) to develop better metrics to evaluate the effectiveness of FISMA.
FISMA requires Federal civilian agencies to comply with cybersecurity standards, but it has not been updated since 2014.
To compile its report, GAO reviewed the 23 civilian Chief Financial Officers Act of 1990 (CFO Act) agencies’ FISMA reports from 2017 to 2022, agency reported performance data, and OMB documentation and guidance.
Although GAO found some improvement from 2021 to 2022, inspectors general (IG) of 15 of the 23 civilian agencies found the information security programs to be ineffective – just eight programs were found to be effective.
“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control,” the report says. “Addressing the causes could improve the Federal government’s cybersecurity posture.”
“Agency officials identified various practices that have contributed to improving the effectiveness of their agency’s information security program,” it adds. “Specifically, officials most often highlighted internal communication; organizational characteristics, such as leadership commitment; and centralized policies and procedures as being essential to effectively implement FISMA.”
OMB, in collaboration with other oversight groups, is responsible for providing the FISMA metrics to agencies. However, GAO said that agencies and IGs noted that some of the FISMA metrics aren’t useful “because they do not always accurately evaluate information security programs.”
The agencies and IGs said they want metrics that are directly tied to performance goals, account for workforce issues and agency size, and incorporate risk. Additionally, they noted that OMB could develop metrics that are tailored to improve the ineffective information security programs.
“By modifying FISMA metrics in these ways, OMB could help ensure that the measures provide an accurate picture of agencies’ information security performance,” the report says.
GAO made two recommendations for OMB to collaborate with its partners to enhance FISMA metrics that can lead to more effective programs and performance. OMB did not agree or disagree with the recommendations and provided technical comments that GAO incorporated into the report.
