A government watchdog found that while civilian federal agencies improved their cybersecurity in response to a 2014 law, 17 of those 23 organizations did not fully meet their cybersecurity goals.
Updated by Congress in 2014, the Federal Information Security Modernization Act, or FISMA, requires federal agencies to develop information security programs to protect their systems and data. However, a January 11 Government Accountability Office report found that as of fiscal year 2020, agencies were inconsistent in implementing cybersecurity policies and practices. Only seven civilian agencies were rated as having effective agency-wide information security programs.
Still, the GAO says progress is being made. All agencies indicated that FISMA was enabling improvements, although some cited lack of resources as a barrier to implementation.
Although this most recent report focuses primarily on civilian federal agencies, the GAO notes that recent reviews have identified cybersecurity weaknesses at the Department of Defense. And as of December 2021, the DoD had yet to implement any of the seven recommendations made by the agency in an April 2020 report.
This report is consistent with previous GAO findings. Since 2010, the agency has made 3,700 recommendations to federal organizations to improve cybersecurity. As of November 2021, 900 are still not fully implemented.
In response to the most recent GAO review, the agencies offered suggestions on how to improve FISMA reporting, such as updating the metrics used, focusing reviews more on risk than compliance and increasing the use of automation in reporting data collection.
Some congressional lawmakers are considering reforming FISMA, with the House Committee on Oversight and Reform holding a hearing Jan. 11 to discuss the proposed legislation.
“The bill would improve the cybersecurity of federal networks through a risk-based approach that uses the most advanced tools, techniques and best practices,” Rep. Carolyn B. Maloney, D-N.Y., said in her opening statement. “It would also clarify and streamline the responsibilities of federal entities so they can respond quickly and decisively to major breaches and cyber incidents. By modernizing the law and focusing it on the most important security outcomes, we can ensure that federal agencies are better equipped to combat the ever-changing threats they face.”
Nathan Strout is the editor of C4ISRNET, where he covers the intelligence community.