FEDweek IT

GAO has concluded that smaller agencies – those with under 6,000 employees – are showing mixed progress implementing the elements of information security and privacy programs as required by the Federal Information Security Management Act of 2002, the Privacy Act of 1974, the E-Government Act of 2002, and OMB guidance.

GAO looked at the Federal Trade Commission; the International Boundary Commission, United States and Canada; the James Madison Memorial Fellowship Foundation; the National Capital Planning Commission; and the National Endowment for the Humanities.

According to OMB and DHS, 55 of 129 small agencies are not reporting on information security and privacy requirements.

Further, the agencies in GAO’s review have faced challenges in using the guidance and services offered, according to GAO-14-344.

It said that until OMB and DHS oversee agencies’ implementation of information security and privacy program requirements and provide additional assistance, small agencies would continue to face challenges in protecting their information and information systems.

GAO called on OMB to report on all small agencies’ implementation of security and privacy requirements, and recommended that DHS develop services and guidance targeted to small agencies’ environments. GAO also issued recommendations to the smaller agencies in the review in a restricted report.