Watchdog recommends changes in FISMA metrics, as agencies still ‘mostly ineffective’ at implementation

Most civilian agencies reviewed by the Government Accountability Office didn’t demonstrate effective FISMA implementation.

The Government Accountability Office is recommending changes to how the government measures implementation of a decades-old cybersecurity law as agency information security programs continue to be “mostly ineffective.”

In a Tuesday report, the government watchdog said that while there was some improvement in agency implementation of the Federal Information Security Modernization Act between 2021 and 2022, more than half of the 23 civilian agencies it reviewed had information security programs that were “not effective.” 

But the watchdog also found that metrics for assessing security programs aren’t considered useful by some agencies and their inspectors general, who complete annual FISMA assessments. As a result, the GAO made two recommendations for the Office of Management and Budget related to improving the metrics.

“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control. Addressing the causes could improve the federal government’s cybersecurity posture,” the report said.


The recommendations are for the director of OMB, along with partners in the Department of Homeland Security, to “develop FISMA metrics related to causes of ineffective information security programs identified by IGs” and to “improve the CIO and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size, and adequately address risk.”

OMB neither agreed nor disagreed with the recommendations, according to the watchdog.

Written by Madison Alder

Madison Alder is a reporter for FedScoop in Washington, D.C., covering government technology. Her reporting has included tracking government uses of artificial intelligence and monitoring changes in federal contracting. She’s broadly interested in issues involving health, law, and data. Before joining FedScoop, Madison was a reporter at Bloomberg Law where she covered several beats, including the federal judiciary, health policy, and employee benefits. A west-coaster at heart, Madison is originally from Seattle and is a graduate of the Walter Cronkite School of Journalism and Mass Communication at Arizona State University.
