The Government Accountability Office echoed the report,
calling for continued effort to maintain progress
implementing the act’s provisions.
At a recent hearing before the House Government Reform
Committee, chairman Tom Davis, R-Va., indicated that
additional amendments to FISMA could be needed to get
agencies to implement the act and suggested agency funding
be tied to compliance with the act’s provisions.
Information security has been on GAO’s “high-risk” list
since 1997, and the committee’s most recent federal
information security report card, which measures the
ability of agencies to safeguard information as it moves
within agencies, across departments, and across
governmental jurisdictions, gave agencies an overall
grade of D-plus, an increase of 2.5 points over last year.
According to the report card, agencies have made
improvements in certifying and accrediting systems,
annual testing and security training, but Davis
identified the need for improvements to annual reviews
of contractor systems, contingency plan testing,
configuration management, incident reporting, and
specialized training, areas where the OMB report to
Congress noted varying degrees of effectiveness.
GAO added that while data from most major agencies for
fiscal 2004 show them meeting key statutory information
security requirements in increasing numbers over 2003,
just seven agencies reported having tested contingency
plans for 90 to 100 percent of their systems, one of
many areas in need of improvement sure to remain in the
FISMA spotlight.