GAO report finds agencies' FISMA implementation still not complete
Sep 26 2013
WASHINGTON – Today, Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-Del.) and Ranking Member Tom Coburn (R-Okla.) reacted to a Government Accountability Office (GAO) report on the implementation of the Federal Information Security Management Act of 2002 (FISMA). The bi-annual GAO report, which is mandated by FISMA, found that, 11 years after its enactment, the majority of federal agencies still have not fully implemented the security program the law requires, despite the increasing risk of cyber attacks.
In its assessment, GAO found that reports of security-related incidents on federal information systems have increased 782 percent over the past 6 years, exposing continued vulnerabilities in agencies’ information systems security. While GAO noted that the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) have made progress in overseeing federal agencies’ information systems security efforts, GAO recommends that OMB and DHS establish clearer guidelines and apply more pressure to lagging agencies in order to properly implement the program and better protect critical systems.
Chairman Carper: “As the number of cyber-related attacks and information breaches continues to grow, it is critical that our federal agencies do all that they can to not only comply with the law but to ensure that sensitive information is properly secured. This Government Accountability Office (GAO) report makes it clear that while some progress has been made, federal agencies still have important work to do when it comes to enhancing the federal government’s information security efforts. Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future, and they need the proper oversight, resources, and guidance from Congress and the Administration to help them accomplish that critical goal. That’s why I continue to work closely with my colleagues in the Senate and House, especially Dr. Coburn, on bipartisan legislation that will address the very serious cyber threats facing our country, including updating our current FISMA framework to provide continuous, real-time security.”
Ranking Member Coburn: “Today’s report confirms a disturbing fact: the federal government still has miles to go to protect its own systems from cyber-attacks. It is Congress’s first duty to protect these public systems, and I plan to work further with Chairman Carper on crafting legislation to safeguard these networks.”
Under FISMA, each federal agency is required to establish an information security program that incorporates eight key components, and each agency inspector general is required to annually evaluate and report on the information security program and practices of the agency. FISMA also requires OMB to develop and oversee the implementation of policies, principles, standards, and guidelines on information security in federal agencies, and the National Institute of Standards and Technology, under DHS, to develop security standards and guidelines.