Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements: GAO-05-483T

Wilshusen, Gregory C.
April 2005
GAO Reports;4/7/2005, p1
Government Documents
For many years, GAO has reported that poor information security is a widespread problem with potentially devastating consequences. Since 1997, GAO has identified information security as a governmentwide high-risk issue in reports to Congress, most recently in January 2005. Concerned with accounts of attacks on commercial systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the federal information security program, evaluation, and reporting requirements established for federal agencies. This testimony discusses the federal government's progress and challenges in implementing FISMA, as reported by the Office of Management and Budget (OMB), the agencies, and Inspectors General (IGs), and opportunities for improving the usefulness of the annual reporting process, including consideration of a common framework for the annual FISMA reviews conducted by the IGs. In its fiscal year 2004 report to Congress, OMB reports significant strides in addressing long-standing problems but at the same time cites challenging weaknesses that remain. The report notes several governmentwide findings, such as the varying effectiveness of agencies' security remediation processes and the inconsistent quality of agencies' certification and accreditation (the process of authorizing a system to operate, including the development and implementation of risk assessments and security controls). Fiscal year 2004 data reported by 24 major agencies generally show increasing numbers of systems meeting key statutory information security requirements compared with fiscal year 2003. Nevertheless, challenges remain. 
For example, only 7 agencies reported that they had tested contingency plans for 90 to 100 percent of their systems, and 6 of the remaining 17 agencies reported that they had tested plans for less than 50 percent of their systems. Opportunities exist to improve the usefulness of the annual FISMA reporting process, including enhancing the reliability and quality of reported information, providing performance information based on the relative importance or risk of the systems, and reporting on key information security requirements. In addition, a commonly accepted framework for the annual FISMA-mandated reviews conducted by the IGs could help ensure the consistency and usefulness of their evaluations.


Related Articles

  • Notices: FEDERAL COMMUNICATIONS COMMISSION.  // Federal Register (National Archives & Records Service, Office of;6/17/2013, Vol. 78 Issue 116, p36185 

    The article presents notices from the U.S. Federal Communications Commission (FCC). These involve request for comments on information collections submitted for review and approval to the Office of Management and Budget (OMB). It also notes the effort of the agency in reducing paperwork burden as...

  • Notices: OFFICE OF PERSONNEL MANAGEMENT.  // Federal Register (National Archives & Records Service, Office of;3/31/2014, Vol. 79 Issue 61, p18083 

    The article focuses on a notice issued by the U.S. Office of Personnel Management (OPM) and Federal Investigative Services (FIS). Topics include a request to approve a revised information collection on General Request for Investigative Information (INV 40) and Investigative Request for...

  • Feds look to fudge IPv6 mandates. Marsan, Carolyn Duffy // Network World;12/17/2007, Vol. 24 Issue 49, p1 

    The article reports on the mandate released by the U.S. Office of Management and Budget (OMB) for federal agencies to comply with the application of the Internet Protocol version6 (IPv6). The mandate only allocates six months for federal chief information officers (CIO) to upgrade or implement...

  • Information Collection Request to Office of Management and Budget. Day, R. E. // Federal Register (National Archives & Records Service, Office of;2/21/2013, Vol. 78 Issue 35, p12083 

    This article presents a notice of request for U.S. Office of Management and Budget's (OMB) approval of revisions to the collection of information, 1625-0086m Great Lakes Pilotage.

  • OMB Final Draft of A-130: Hard Line Still There. Nyren, Karl // Library Journal;2/1/1986, Vol. 111 Issue 2, p18 

    Reports on the issuance of final draft by the U.S. Office of Management and Budget on argued circular A-130 on management of federal information resources. Purpose of the circular; Absence of substantive change in the final draft; Rewording of phrases included in the circular.

  • Proposed Rules: FEDERAL COMMUNICATIONS COMMISSION.  // Federal Register (National Archives & Records Service, Office of;7/15/2014, Vol. 79 Issue 135, p41159 

    The article mentions that the U.S. Federal Communications Commission is seeking comments on proposed modifications on its rules on the Emergency Alert System (EAS). The proposal calls for the establishment of a national location code for EAS alerts to be accessible to the public. The deadline...

  • Notices: FEDERAL DEPOSIT INSURANCE CORPORATION.  // Federal Register (National Archives & Records Service, Office of;2/13/2014, Vol. 79 Issue 30, p8714 

    The article presents notices and other actions on information collection activities from the Federal Deposit Insurance Corp. (FDIC). The FDIC is seeking comments from the general public and other federal agencies on information collection under the requirements of the Paperwork Reduction Act of...

  • A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Deng, Mina; Wuyts, Kim; Scandariato, Riccardo; Preneel, Bart; Joosen, Wouter // Requirements Engineering;Mar2011, Vol. 16 Issue 1, p3 

    Ready or not, the digitalization of information has come, and privacy is standing out there, possibly at stake. Although digital privacy is an identified priority in our society, few systematic, effective methodologies exist that deal with privacy threats thoroughly. This paper presents a...

  • Revisions to OMB's Circular A-130: AIMD-00-183R. McClure, David L. // GAO Reports;5/23/2000, p1 

    GAO commented on the proposed revision to Office of Management and Budget (OMB) Circular A-130 regarding the management of information resources in the federal government. GAO noted that: (1) GAO concurs with the proposal's emphasis on the institutionalization of strong information technology...

