GAO Reviews FISMA Implementations, Deems it "Mostly Ineffective"

Author: Cloudticity, L.L.C. | Tagged in FISMA

In a recent review of 23 government organizations, the GAO determined that the implementation of FISMA is “mostly ineffective.”

The Government Accountability Office (GAO) released a report on how 23 civilian federal agencies implemented the Federal Information Security Modernization Act of 2014 (FISMA). The report is based on a review of the 2022 fiscal year.

According to the GAO, which has the authority to regularly review federal agency security efforts, national cybersecurity should be on the High Risk List, meaning that cybersecurity operations are viewed as “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”  

In its report, the GAO stated the following goals:

  1. To identify the reported effectiveness of agency efforts to implement FISMA
  2. To identify key practices used to meet FISMA requirements
  3. To identify how metrics could be changed to better measure FISMA’s effectiveness

As part of its review, the GAO examined various agencies’ performance data, the Office of Management and Budget’s (OMB) documentation and guidance, and agencies’ FISMA reports. The GAO also interviewed leaders of the agencies and officials from the Council of Inspectors General on Integrity and Efficiency, the Cybersecurity and Infrastructure Security Agency, and the OMB.

FISMA Background

FISMA is federal legislation that provides a framework of guidelines and security standards designed to protect government information and operations.

Agencies must be reviewed annually for FISMA compliance. While FISMA sets the legal requirements for agencies, the standards themselves were developed by the National Institute of Standards and Technology (NIST). 


For agencies to be FISMA-compliant, they must do the following: 

  • Perform system risk categorization: each information system must be categorized according to its risk level, so that the most valuable and sensitive information receives the highest level of protection.
  • Meet baseline security controls: agencies must follow the security requirements outlined in NIST SP 800-53.
  • Document the controls in the system security plan: agencies must document the baseline controls used to protect each system.
  • Perform risk assessments: system risk must be evaluated regularly to determine whether additional security controls are necessary.
  • Conduct annual security reviews: program officials must review the security of their systems every year.
  • Implement continuous monitoring: agencies must continually monitor their systems for potential vulnerabilities.

Report Highlights

According to the report, inspectors found the information security programs of 15 of the 23 civilian agencies to be ineffective. The reasons for an ineffective rating included:

  • Management accountability issues were reported by 21 inspectors. In these cases, inspectors said there was no accountability or consistency in implementation.
  • Resource constraints were reported by 19 inspectors. Many stated that agencies did not have a sufficient IT budget to acquire and use security software and tools.
  • Workforce challenges were reported by 14 inspectors. In these cases, inspectors found that agencies struggled to hire and retain qualified cybersecurity personnel.
  • Unclear or undefined management roles and responsibilities were found by 12 inspectors. Unclear responsibilities made it difficult to enforce policies and procedures.
  • Federated information system environment challenges were reported by 9 inspectors. In these cases, inspectors said they were unable to fully assess all of an agency’s systems.

Inspectors also said there were gaps in standards and quality control, as well as a lack of management and resources in some agencies. 

According to the inspectors, many agencies have begun taking action to implement FISMA requirements. Agency officials reported the following actions were most effective: 

  • Improving internal communications, including information security groups and individual meetings. 
  • Improving organizational culture and characteristics. This includes agencies evaluating their unique characteristics to improve information security and implement new technology. 
  • Creating centralized policies and procedures in alignment with FISMA requirements. 
  • Auditing support activities, including preparing for and reflecting on audits. 
  • Encouraging shared services to centralize and improve security tools. This may include repurposing some of the agency’s existing tools for security use.

GAO Recommendations

At the end of the review, the GAO provided two recommendations to help agencies improve their ability to meet FISMA requirements. 

Beyond the issues related to accountability, resources, and workforce, the GAO found that the ineffective results could also be linked to the evaluative metrics used. The GAO, together with agency officials, believes that the current metrics for evaluating agencies should be changed.

Going forward, the GAO recommends that the OMB develop FISMA metrics that relate more directly to the causes of ineffective IT security programs. Specific metrics should address management accountability and quality control. Furthermore, the OMB should make goals more quantifiable; many currently include no specific targets or ways to measure progress.

The second recommendation also concerns metrics, but focuses on how inspectors measure success. The GAO recommends that the OMB improve inspector metrics so that they are clearly linked to performance goals. Agency officials and inspectors agreed that performance goals should account for workforce challenges and agency size, and should take a risk-based approach.

What the Experts Said

In the official report, the GAO emphasized that threats can be both internal (errors, mistakes, or nefarious acts by employees) and external (threats from a variety of outside organizations or sources). Despite the significant risks, the GAO says that “IT systems are often riddled with security vulnerabilities–both known and unknown.”

The report further read, “These vulnerabilities can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.” 

Agency officials supported the recommendations proposed by the GAO, especially regarding inspector metrics. According to the report, agency officials felt, “From our standpoint, the Federal Information Security Modernization Act of 2014 (FISMA) is not risk-based.”

Officials added, “It is set up to encourage the production of documents, and we are asked to test procedures to ensure the documents are being followed. The focus should be on testing and response rather than initial documentation. It is beyond time that we move on from asking for the generation of policies and procedures.” 

What’s Next

Now that the GAO has completed its report and released its recommendations, impacted agencies can begin making more progress toward meeting FISMA standards. 

With most agencies receiving similar outcomes following inspection, improving the metrics could well improve agency ratings.

The review process shows that while a strong security system is difficult to achieve, it’s also difficult to measure. As cybersecurity trends continue to develop, new metrics will be formed and ultimately evolved to better account for the unique challenges agencies face.  

How Cloudticity Can Help

Regulations are constantly revised and reviewed to ensure they meet the goals they were created for. In the case of FISMA, the regulation is designed to help agencies protect their IT systems and data. FISMA also emphasizes documenting and centralizing policies and procedures, which allows a more streamlined response to threats and vulnerabilities.

One of the best ways to stay on top of new developments in FISMA is to work with a cloud managed services provider that offers managed compliance and security. Look for one that is HITRUST CSF Certified, specializes in healthcare, and has experience managing FISMA workloads.


Cloudticity, founded in 2011, is a HITRUST CSF Certified provider that helps organizations stay in alignment with regulatory requirements including HIPAA, NIST 800-53, and many others. 

Reach out for a free consultation.
