OIG Finds GAO Isn’t FISMA Compliant

The Office of the Inspector General (OIG) found that the Government Accountability Office (GAO) isn’t fully compliant with the Federal Information Security Modernization Act of 2014 (FISMA), according to a report released yesterday.

While GAO isn’t required by law to comply with FISMA or executive branch information security policies, OIG noted that GAO “has adopted them to help ensure its physical and information system security.”

Due to security concerns, the full report was provided only to GAO for internal use; however, in the publicly released report highlights, OIG described broadly the issues it found and the recommendations it made to GAO.

Things aren’t all bad at GAO, and OIG noted that its work “has continued to confirm ongoing progress in GAO’s efforts to refine its information security program in a manner that is generally consistent with the requirements of FISMA, Office of Management and Budget implementing guidance, and National Institute of Standards and Technology standards and guidance.”

The report also praised GAO’s “robust” information security awareness training program. Additionally, during the review period OIG found that GAO continued its efforts to improve its existing capabilities and strengthen information security controls, especially in the areas of identity and access management, security training, and continuous monitoring.

However, there are still areas that need improvement and reinforcement. OIG said that GAO needs to increase its efforts in configuration management and contingency planning to bring its information security program into FISMA compliance. The report also stresses that gaps in GAO’s “implementation of an enterprise-wide risk management program may have contributed to the challenges and heightened risks identified during [the] audit.”

OIG offered three recommendations to GAO’s Comptroller General, all of which involve improved documentation of plans and procedures.

OIG recommends that GAO document:

  • A process to evaluate current and future enterprise IT investment portfolio assets, including risks, and ensure alignment with GAO’s IT Strategy for fiscal years 2017-2019;
  • Its plans, policies, and procedures for identifying, prioritizing, and mitigating operational risk related to establishing full failover capabilities at the agency’s alternate computing facility in the event of a disaster and preparing for end-of-support upgrades for Windows 7; and
  • A process to identify and track hardware and software interdependencies for GAO’s system inventory, including vendor support data.

The report noted that GAO agreed with OIG’s recommendations and provided actions it intends to take to mitigate the risks OIG identified.
