Federal Manager's Daily Report

Most major agencies made incremental progress in closing IT security performance gaps against established performance criteria, OMB concluded in its fiscal 2008 report to Congress on the implementation of the Federal Information Security Management Act of 2002, or FISMA.

Moving forward, it said agencies should continue focusing management attention on achieving 100 percent certification and accreditation levels for all operational systems, properly identifying and providing oversight of contractor systems, and maintaining privacy impact assessments and system of records notices for all applicable systems.

Almost all agencies report having in place procedures for reporting security incidents both internally and externally, such as reporting to the United States Computer Emergency Readiness Team or law enforcement when appropriate.

According to the report, 22 of 25 major agencies say they log and monitor activities involving access to and modification of sensitive or critical information, while all 25 report having incident handling and response programs, including reporting capabilities.

 

Under the new administration, OMB will continue to work with agencies, IGs, CIOs, senior privacy officials, GAO, and the Congress to strengthen the federal government’s IT security and privacy programs.

As part of those activities, OMB said it would review business cases and the security metrics provided by agencies in their quarterly and annual reports for FISMA compliance.