Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices, GAO has said.
It said most agencies continue to have trouble controlling access to computer resources; managing software and hardware configuration; making sure no single individual has control over all key aspects of a computer-related operation; planning for continuity of operations in the event of a disaster or disruption; and implementing agency-wide security management programs.
According to GAO-15-714, federal agencies’ implementation in fiscal 2013 and 2014 of requirements set by the Federal Information Security Management Act of 2002 was mixed.
It said most agencies had developed and documented policies and procedures for managing risk, providing security training, and taking remedial actions, among other things, but that agency IGs reported weaknesses in the processes used to implement FISMA requirements.
Further, the guidance that OMB and DHS provided to IGs on conducting and reporting agency evaluations was not always complete, which led, for example, to inconsistent reporting of agency security performance.
OMB agreed to consult with DHS and others to enhance security program reporting guidance to IGs to help yield more consistent data.