GAO recommends changes to FISMA reporting

Auditors suggest to the Office of Management and Budget ways to improve the performance metrics for agency security controls.

Agency computer systems are vulnerable because many lack basic controls, and one of the best ways to improve information technology security is to improve the metrics for how departments measure how these basic controls are implemented. That was the conclusion of the Government Accountability Office, which on Friday issued a tell-tale report identifying widespread IT security weaknesses across the government.

“Weaknesses exist predominantly in access controls, including authentication and identification, authorization, cryptography, audit and monitoring, boundary protection and physical security,” the report said. “Weaknesses also exist in configuration management, segregation of duties and continuity of operations.”

Auditors said the metrics under the Federal Information Security Management Act are not effective enough and offer only limited assurance of the quality of agency evaluations. “[A]gencies are required to test and evaluate the effectiveness of the controls over their systems at least once a year and to report on the number of systems undergoing such tests,” the report said. “However there is no measure of the quality of agencies’ test and evaluation processes.”

GAO recommended that the Office of Management and Budget improve FISMA in three general ways. The audit agency’s most specific recommendation was for OMB to require agencies to report how they perform patch management. OMB previously required this in 2004, but has since dropped it from FISMA guidance. Auditors said patch management is one area of weakness among agencies. “OMB and Congress lack information that could demonstrate whether or not agencies are taking appropriate steps for protecting their systems,” the report said.

Sen. Joe Lieberman (I-Conn.), Homeland Security and Governmental Affairs Committee chairman and author of the E-Government Act of 2002, which included FISMA, said agencies need to do more to protect their systems. He said that the “federal government is not doing enough to guarantee the security of its computers and the vast databases within them.” Lieberman added that as technology moves forward, so should the methods by which IT is secured.

In addition to the patch management suggestion, GAO recommended that OMB develop additional performance metrics and request that agency inspectors general report on the quality of additional agency security processes, such as system test and evaluation, and risk categorization.

Karen Evans, OMB’s administrator for IT and e-government, said in a letter to GAO that her office would review GAO’s recommendations. But Evans said the certification and accreditation process does provide a “systematic approach for determining whether appropriate security controls are in place, functioning properly and producing the desired outcome.” Evans added that the IGs have flexibility to tailor their evaluation based on the agency’s documented weaknesses and plans for improvement. “If OMB were to request quality reviews on specific control groups, we would require qualitative reviews on certain areas where agencies may already be effective,” Evans wrote. “We would also reduce the flexibility needed by agencies to tailor their evaluations to address documented weaknesses…”