In a recent review of 23 government organizations, the GAO determined that the implementation of FISMA is “mostly ineffective.”
The Government Accountability Office (GAO) released a report on how 23 civilian federal agencies implemented the Federal Information Security Modernization Act of 2014 (FISMA). The report is based on a review of the 2022 fiscal year.
The GAO, which has the authority to regularly review federal agency security efforts, has kept federal cybersecurity on its High Risk List, meaning that the area is viewed as “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”
In its report, the GAO stated the following goals:
As part of the review, the GAO examined agencies’ performance data, the Office of Management and Budget’s (OMB) documentation and guidance, and agencies’ FISMA reports. The GAO also interviewed agency leaders and officials from the Council of the Inspectors General on Integrity and Efficiency, the Cybersecurity and Infrastructure Security Agency, and the OMB.
FISMA is federal legislation that provides a framework of guidelines and security standards designed to protect government information and operations.
Agencies’ information security programs must be evaluated annually for FISMA compliance, with those evaluations performed by agency inspectors general. While FISMA sets the legal requirements for agencies, the underlying standards and guidelines (such as FIPS 199, FIPS 200, and NIST SP 800-53) are developed by the National Institute of Standards and Technology (NIST).
For agencies to be FISMA-compliant, they must do the following:
According to the report, inspectors general rated the information security programs of 15 of the 23 civilian agencies as ineffective. The reasons for an ineffective rating included:
Inspectors also said there were gaps in standards and quality control, as well as a lack of management and resources in some agencies.
According to the inspectors, many agencies have begun taking action to implement FISMA requirements. Agency officials reported the following actions were most effective:
At the end of the review, the GAO provided two recommendations to help agencies improve their ability to meet FISMA requirements.
Alongside issues related to accountability, resources, workforce, and more, the GAO found that the ineffective ratings could be linked to the metrics used to evaluate agencies. The GAO, along with agency officials, believes those metrics should be changed.
The first recommendation is that the OMB develop FISMA metrics that more directly address the root causes of ineffective IT security programs, in particular management accountability and quality control. The OMB should also make goals more quantifiable; many currently lack specific targets or a way to measure progress toward them.
The second recommendation also concerns metrics but focuses on how inspectors general measure success. The GAO recommends that the OMB improve the inspector general metrics so they clearly link to performance goals. Agency officials and inspectors agreed that performance goals should account for workforce challenges and agency size, and should take a risk-based approach.
In the report, the GAO emphasized that threats can be internal (errors, mistakes, or malicious acts by employees) or external (threats from a variety of outside organizations or sources). Despite these significant risks, the GAO says that “IT systems are often riddled with security vulnerabilities–both known and unknown.”
The report further read, “These vulnerabilities can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.”
Agency officials supported the recommendations proposed by the GAO, especially regarding inspector metrics. According to the report, agency officials felt, “From our standpoint, the Federal Information Security Modernization Act of 2014 (FISMA) is not risk-based.”
Officials added, “It is set up to encourage the production of documents, and we are asked to test procedures to ensure the documents are being followed. The focus should be on testing and response rather than initial documentation. It is beyond time that we move on from asking for the generation of policies and procedures.”
Now that the GAO has released its report and recommendations, the OMB and the affected agencies can begin making more progress toward meeting FISMA requirements.
With most agencies receiving similar ratings from their inspectors general, improving the metrics would likely give a clearer and more useful picture of each agency’s security posture, rather than simply changing scores.
The review process shows that a strong security program is not only difficult to achieve but also difficult to measure. As cybersecurity practices continue to develop, metrics will have to evolve to better account for the specific challenges agencies face.
Laws and regulations are regularly revised and reviewed to ensure they still serve the goals they were created for. FISMA is designed to have agencies protect their information and information systems. It also emphasizes documenting and centralizing policies and procedures, which can allow a more streamlined response to threats and vulnerabilities.
One of the best ways to stay on top of new developments in FISMA is to work with a cloud managed services provider that offers managed compliance and security. Look for one that is HITRUST CSF Certified, specializes in healthcare, and has experience managing FISMA workloads.
Cloudticity, founded in 2011, is a HITRUST CSF Certified provider that helps organizations stay in alignment with regulatory requirements including HIPAA, NIST 800-53, and many others.