A recent report by the Government Accountability Office (GAO) indicates that federal agencies are moving slowly to implement the information security policies and procedures mandated by the Federal Information Security Management Act of 2002 (FISMA), and that improved metrics are needed to better track their progress.

FISMA requires every federal agency to establish a comprehensive information security program that includes eight key components. The GAO study found that the extent to which agencies had implemented the required program components showed only mixed progress from fiscal year 2011 to fiscal year 2012. The number of agencies reported as having fully or partially implemented each component is shown below.

Component                                                  Agencies fully implemented   Agencies partially implemented
Establishing a program for managing security risk                     18                            6
Documenting policies and procedures                                   10                           12
Selecting security controls for systems                               18                            6
Establishing a security training program                              22                            2
Monitoring controls on an ongoing basis                               13                           10
Establishing a remediation program                                    19                            5
Establishing an incident response and reporting program               20                            3
Establishing a continuity of operations program                       18                            5

Meanwhile, the government shutdown has furloughed a significant number of agency personnel, many of them in IT departments, so implementation of these FISMA-mandated security components is likely to languish even longer than previously expected.

“The speed and accessibility that create the benefits of the computer age, if not properly controlled, can allow unauthorized individuals and organizations to inexpensively eavesdrop on or interfere with these operations from remote locations for potentially malicious purposes, including fraud or sabotage,” the GAO report states.

“Increasingly sophisticated cyber threats have underscored the need to manage and bolster the cybersecurity of key government systems as well as the nation’s critical infrastructure.”

