Agencies’ FISMA implementation is still ‘mostly ineffective,’ watchdog says

weerapatkiatdumrong/Getty Images

The Government Accountability Office found that less than half of surveyed federal agencies had compliant security programs and called for improved performance metrics.

The federal government’s implementation of the Federal Information Security Modernization Act — or FISMA — “continued to be mostly ineffective” in fiscal 2022, with only eight of 23 surveyed civilian agencies found to have effective information security programs in place, according to a Government Accountability Office report released on Tuesday.

FISMA requires covered agencies to develop and implement programs to secure their information systems. The Office of Management and Budget is also tasked with overseeing agencies’ security practices and developing policies to guide implementation of their cyber standards.

GAO reviewed inspectors general reports on the surveyed agencies’ compliance with FISMA for the 2021 and 2022 fiscal years and said that, while “some improvement was reported,” broad adherence to the security standards was still lacking. 

“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control,” the watchdog said, adding that “addressing the causes could improve the federal government’s cybersecurity posture.”

Despite finding that just eight surveyed agencies had implemented effective security programs in FY2022 — the departments of Homeland Security, Education and Justice, as well as the Environmental Protection Agency, General Services Administration, National Science Foundation, Nuclear Regulatory Commission and the U.S. Agency for International Development — GAO said its latest report still represented something of a high-water mark in terms of recent levels of compliance with FISMA. 

“Out of the 23 civilian [Chief Financial Officers Act] agencies, no more than eight received an effective rating in any given year over the last six years of reporting (fiscal years 2017 through 2022),” the watchdog said.

OMB provides metrics for evaluating the effectiveness of agencies’ security programs and their implementation of FISMA, but GAO said that “agencies and IGs stated that some FISMA metrics are not useful because they do not always accurately evaluate information security programs.”

The watchdog said agencies and IGs reported that FISMA metrics “should be clearly tied to performance goals, account for workforce issues and agency size and incorporate risk,” and further suggested that “crafting metrics that address the key causes of ineffective programs could enhance their effectiveness.” 

GAO made two recommendations to OMB, including calling for the agency to develop metrics “related to causes of ineffective information security programs identified by IGs” and to “improve the [chief information officer] and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size and adequately address risk.”

OMB did not agree or disagree with the watchdog’s recommendations but provided technical comments that were incorporated into the report.