Summary: This letter responds to a congressional request that GAO address additional questions arising from the May 19, 2009, hearing on federal information security held by the Subcommittee on Government Management, Organization, and Procurement. In that hearing, we discussed the current state of information security throughout the federal government and agency efforts to comply with the requirements of the Federal Information Security Management Act of 2002 (FISMA). Congress had the following two questions: (1) Please comment on the need for improved cyber security relating to S.773, the proposed Cybersecurity Act of 2009; and (2) Please provide recommendations to improve the Federal Information Security Management Act.
GAO's responses are as follows. (1) The bill is intended to improve cyber security in the United States. According to the bill, America's failure to protect cyberspace is one of the most urgent national security problems facing the country. The need for improved cyber security in the federal government is clear. Since 1997, we have designated federal information security as a governmentwide high-risk area in our biennial reports to Congress. Recently, we testified that reviews at the 24 major federal agencies continue to highlight deficiencies in their implementation of information security policies and procedures. In March 2009, we testified that the present cyber security strategy and its implementation had not been fully effective in mitigating the threat. (2) FISMA was intended to provide (1) a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets and (2) a mechanism for improved oversight of federal agency information security programs. To do this, the act requires agencies to develop, document, and implement an agencywide information security program that is largely consistent with the principles noted in our study of the risk management activities of leading private sector organizations--assessing risk, establishing a central management focal point, implementing appropriate policies and procedures, promoting awareness, and monitoring and evaluating policy and controls effectiveness. The act also requires annual reports and independent annual evaluations on the adequacy and effectiveness of agency information security policies, procedures, and practices, and compliance with the provisions of the act. 
In addition to the improvements noted in our response to the prior question, we believe FISMA and its associated implementing guidance can be improved with the following actions: (1) clarify requirements for testing and evaluating security controls, (2) require agency heads to provide an assurance statement on the overall adequacy and effectiveness of the agency's information security program, (3) enhance independent annual evaluations, (4) strengthen annual reporting mechanisms, and (5) strengthen OMB oversight of agency information security programs.