The Office of Management and Budget (OMB) needs to do more to help Federal agencies with FISMA (Federal Information Security Modernization Act) compliance, according to a recent Government Accountability Office (GAO) report.
GAO found that, despite OMB’s work implementing government-wide FISMA guidance and programs, OMB had not submitted its required FY2018 FISMA report to Congress as of June 2019. OMB had also cut back on CyberStat review meetings – a key component of OMB’s FISMA oversight responsibilities – reducing the number of agencies it engaged with between FY2016 and FY2018, GAO said.
“In fiscal year 2016, OMB scheduled [CyberStat] engagements with 24 agencies to help develop action items that address information security risk, identify areas for targeted assistance, and track performance at the agencies throughout the year,” GAO said. “The number of agencies scheduled to participate in an engagement decreased to five during fiscal year 2017, and decreased further to three during fiscal year 2018.”
GAO added that OMB had not scheduled any agencies to participate in a CyberStat meeting for FY2019.
The report further said that OMB and the Council of the Inspectors General on Integrity and Efficiency (CIGIE) had not ensured that the inspector general reporting metrics covered all FISMA-required elements, such as those for system security plans. GAO said this gap has contributed to weakened oversight of agency information security programs.
Based on its findings, GAO recommended to OMB that it should:
- Submit its required FISMA report to Congress;
- Expand its coordination of CyberStat review meetings with agencies that need assistance in implementing information security; and
- Collaborate with CIGIE to ensure inspector general reporting metrics include FISMA-required elements for system security plans.
OMB agreed with the first two recommendations and, after GAO revised its wording, with the third as well.