A government watchdog found that while civilian federal agencies have improved their cybersecurity in response to a 2014 law, 17 of those 23 organizations did not fully meet their cybersecurity targets.
Updated by Congress in 2014, the Federal Information Security Modernization Act, or FISMA, requires federal agencies to develop information security programs to protect their systems and data. However, a Jan. 11 Government Accountability Office report found that as of fiscal year 2020 agencies were inconsistent in implementing cybersecurity policies and practices. Only seven civilian agencies were deemed to have effective agency-wide information security programs.
Still, GAO says progress is being made. All of the agencies reported FISMA was enabling improvements, although some cited a lack of resources as an impediment to implementation.
While this most recent report focuses primarily on civilian federal agencies, GAO notes that recent reviews have identified cybersecurity weaknesses at the Department of Defense. And as of December 2021, the DoD had yet to implement any of the seven recommendations GAO made in an April 2020 report.
This report falls in line with previous GAO findings. Since 2010, GAO has made 3,700 recommendations to federal organizations to improve cybersecurity. As of November 2021, 900 were still not fully implemented.
In response to GAO’s most recent review, agencies offered suggestions on how to improve FISMA reporting, such as updating the metrics used, focusing reviews more on risk than compliance, and increasing the use of automation in report data collection.
Some lawmakers in Congress are exploring reforms to FISMA, with the House Committee on Oversight and Reform holding a Jan. 11 hearing to discuss proposed legislation.
“The bill would improve the cybersecurity of federal networks through a risk-based approach that uses the most advanced tools, techniques, and best practices,” said Rep. Carolyn B. Maloney, D-N.Y., in her opening statement. “It would also clarify and streamline the responsibilities of federal entities so they can respond quickly and decisively to breaches and major cyber incidents. By modernizing the law and focusing it on the most important security outcomes, we can ensure that federal agencies are better equipped to combat the evolving threats they face.”
Nathan Strout is the staff editor at C4ISRNET where he covers the intelligence community.