IG inspections of agencies’ cybersecurity practices may not tell the whole story.
Federal agencies across the board are still struggling to prevent and detect inappropriate access to computer networks and to implement agencywide security management programs.
And because of fuzzy guidance from the White House, inspectors general -- who are supposed to double-check every year that agencies actually comply with federal cybersecurity law -- are reporting their agencies’ overall security performance inconsistently.
That’s according to the Government Accountability Office, which reviewed how agencies fared complying with the 2002 Federal Information Security Management Act, which requires agencies to put cybersecurity programs in place. (The law was amended in late 2014, but GAO’s review predated those changes.)
“Federal agencies continued to experience weaknesses in protecting their information and information systems,” the GAO report concluded. “These systems remain at risk as illustrated in part by the evolving array of cyber-based threats and the increasing numbers of incidents reported by federal agencies.”
Overall, the federal government’s FISMA compliance for 2013 and 2014 was “mixed,” GAO found.
Most agencies have in place necessary policies for managing risk, providing security training and making fixes when vulnerabilities are identified, GAO reported.
But the number of agencies reporting that deficiencies in their information security controls amounted to either a “material weakness” or a “significant deficiency” rose to 19 of the 24 agencies reviewed.
Additionally, IGs at 23 of the agencies cited information security as a “major management challenge” for their agency -- two more than the year before.
But GAO says IG inspections of agencies’ cybersecurity practices may not tell the whole story, in part because of vague guidance from the Office of Management and Budget and the Department of Homeland Security.
IGs are under orders to double-check that agencies have effective security programs across 11 broad components, including continuous monitoring and security training. For each component, IGs must first conclude whether the agency has established it and then whether it meets an additional layer of attributes. What should an IG do when an agency has established a component but it meets only a few of the required attributes? The guidance doesn’t say, so some IGs count the component as in place and others don’t.
“Without complete instructions, differing interpretations of the guidance may therefore result in responses by inspectors general that are not always comparable for presenting a clear governmentwide picture of agencies’ information security implementation,” GAO concluded.
GAO recommended OMB and DHS work with the federal Chief Information Officers Council and the Council of the Inspector General on Integrity and Efficiency to enhance the guidelines.
The report added, “Without consistent criteria for reporting, inspectors general may be providing Congress and other oversight bodies with uneven information on the extent to which federal agencies are effectively implementing security requirements.”
OMB officials told GAO that the office has improved its FISMA metrics for the coming year and is working with the IGs to improve the reporting process.