Watchdog recommends changes in FISMA metrics, as agencies still ‘mostly ineffective’ at implementation

The Government Accountability Office is recommending changes to how the government measures implementation of a decades-old cybersecurity law as agency information security programs continue to be “mostly ineffective.”

In a Tuesday report, the government watchdog said that while there was some improvement in agency implementation of the Federal Information Security Modernization Act between 2021 and 2022, more than half of the 23 civilian agencies it reviewed had information security programs that were “not effective.” 

But the watchdog also found that metrics for assessing security programs aren’t considered useful by some agencies and their inspectors general, who complete annual FISMA assessments. As a result, the GAO made two recommendations for the Office of Management and Budget related to improving the metrics.

“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control. Addressing the causes could improve the federal government’s cybersecurity posture,” the report said.

The recommendations are for the director of OMB, along with partners in the Department of Homeland Security, to “develop FISMA metrics related to causes of ineffective information security programs identified by IGs” and to “improve the CIO and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size, and adequately address risk.”

OMB neither agreed nor disagreed with the recommendations, according to the watchdog.