Federal agencies have been inconsistent in their plans to implement cybersecurity measures mandated by the Federal Information Security Management Act of 2002 (FISMA), according to a new report released by the U.S. Government Accountability Office (GAO).
FISMA requires each federal agency to establish an information security program that incorporates eight components, and each agency inspector general to evaluate and report on the information security program and practices of the agency annually.
By 2012, 24 major federal agencies had established many of the components of an information security program required by FISMA; however, they had only partially established others. The report does not break down findings by agency.
These and other “weaknesses show that information security continues to be a major challenge for federal agencies,” the report stated. “Until steps are taken to address these persistent challenges, overall progress in improving the nation’s cybersecurity posture is likely to remain limited…we have identified the protection of federal information systems as a government-wide high-risk area since 1997,” the report continued. “Since that time, we have issued numerous reports making recommendations to address weaknesses in federal information security programs.”
The act also requires the Office of Management and Budget (OMB) to develop and oversee the implementation of information security policies, principles, standards and guidelines in federal agencies, and the National Institute of Standards and Technology (NIST) to develop security standards and guidelines.
In regard to the extent to which agencies implemented security program components, the report revealed mixed progress from 2011 to 2012. For example, according to inspectors general reports, the number of agencies that had analyzed, validated, and documented security incidents increased from 16 to 19, while the number able to track identified weaknesses decreased from 20 to 15.
Cybersecurity is no longer just the purview of IT departments, but rather the concern of entire organizations, from workers who bring their own devices to the office all the way up to the highest C-level executives, and this includes a crucial role for general counsel.
The NIST released a preview of what could be forthcoming cybersecurity standards. The “discussion drafts,” which the NIST made available in early September, are being developed as a part of President Obama’s cybersecurity executive order.