Federal agencies uniformly report that their certification and accreditation processes meet criteria consistent with those identified in federal guidance, such as a current risk assessment and security control evaluation, but the Government Accountability Office has said that's not always the case.
Following a review of documentation for the certification and accreditation of 32 selected systems at 24 agencies, it said four of the agencies do not always meet these criteria, a claim echoed by agency inspectors general.
Three of the four agencies lack routine quality review processes to determine whether such criteria are met, processes that could provide consistent information to agency accrediting officials, said GAO.
It said that, in support of the Federal Information Security Management Act of 2002, the Office of Management and Budget requires agencies to accredit their operations by certifying the security controls of their information systems and formally authorizing and accepting the associated risks.
As a FISMA performance measure, OMB also requires agencies to report the number of systems authorized following certification and accreditation, for which the National Institute of Standards and Technology and the Department of Defense have provided guidance, according to GAO.
It said many agencies report the use of new guidance from NIST that emphasizes a model of continuous monitoring and compliance with FISMA standards for minimum security controls.
In the first half of 2004, 63 percent of reported systems at the 24 major federal agencies were certified and accredited for operation, but seven agencies reported over 90 percent accreditation and six reported fewer than half, according to GAO-04-376.
It said it found instances where agencies do not consistently report FISMA performance measurement data, which decreases the data's usefulness, but noted that some agencies have begun to improve their processes by redefining system boundaries to better manage systems.
Rep. Adam Putnam, R-Fla., chairman of the subcommittee on technology, information policy, intergovernmental relations, and the census, which has oversight responsibility for the implementation of FISMA, responded to the report by calling attention to the subcommittee's 2003 report card on the compliance of the 24 largest departments and agencies with FISMA.
"The overall grade was a 'D' with eight agencies receiving an 'F.' This followed a report card in 2002 that produced an overall grade of 'F' for the federal government with 14 agencies receiving failing grades. While 2003 demonstrated improvement, it is clear that greater focus and attention on reducing vulnerabilities and improving our overall information security profile is critical to the protection of federal computer networks and the information assets that they contain," said Putnam.