GAO reminds agencies of FISMA requirements, says OMB report is overdue

As of fiscal 2018, "many federal agencies were often not adequately or effectively implementing their information security policies and practices" under the Federal Information Security Modernization Act.
The Treasury building. (Getty Images)

The typical federal agency still has familiar deficiencies in its information security practices, according to a Government Accountability Office survey of implementation of one of the government’s key cybersecurity laws.

As of fiscal 2018, “many federal agencies were often not adequately or effectively implementing their information security policies and practices” under the Federal Information Security Modernization Act of 2014, or FISMA, the report says.

The GAO also says the White House Office of Management and Budget (OMB) is behind on one governmentwide requirement — a report to Congress on FISMA compliance for fiscal 2019.

The report is the latest update from GAO on cybersecurity issues covered in its famous High Risk List. Individual agencies have drawn their own dedicated reports in recent months, including the Census Bureau and the Internal Revenue Service. Governmentwide, the GAO recently examined how agencies are handling legacy IT systems.

The latest study looked at 16 “randomly selected” agencies, including 12 covered by the management rules of the 1990 CFO Act and four smaller ones. Most were meeting FISMA’s requirements for security awareness training, incident response and remedial action. The group was less successful at periodic risk assessments, periodic testing and evaluation of controls, and continuity-of-operations planning. Only four of the 16 complied with FISMA’s call for “subordinate plans for providing security” — for example, plans for individual networks or facilities.

The GAO also called out the 24 CFO Act agencies, in general, for failing to meet FISMA’s requirement for agencywide information security programs. Only six had them.

The bright spot in the report comes from the agencies responsible for helping direct federal cybersecurity. OMB, the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) are “generally implementing” their requirements under FISMA, the report says, “including issuing guidance and implementing programs that are intended to improve agencies’ information security.”

The survey of 16 agencies examined FISMA compliance at the departments of Agriculture, Commerce, Education, Housing and Urban Development, Justice, Labor, State, and the Treasury, as well as the Environmental Protection Agency, the Federal Communications Commission, the Federal Retirement Thrift Investment Board, the Merit Systems Protection Board, NASA, the Presidio Trust, the Small Business Administration and the Social Security Administration.