The Office of Management and Budget has disagreed with a Government Accountability Office’s finding that it should create a more precise scale for rating the overall effectiveness of agencies’ information security programs.
GAO periodically reports on the 23 civilian Chief Financial Officers Act agencies’ implementation of the Federal Information Security Modernization Act and found their inspectors general (IGs) simply deeming their information security programs “effective” or “not effective” lacked granularity.
“As a result, IG ratings may be less useful for cybersecurity oversight,” reads the report. “By clarifying its future ratings guidance and improving its rating scale, OMB could help ensure that the reviews provide a more consistent picture of agencies’ cybersecurity performance, enabling Congress to better understand agencies’ relative cybersecurity risks.”
GAO countered OMB need not alter its five-point maturity model scale, but instead end the practice of letting IGs report their information security programs as effective or not effective. As it stands IGs may rate their agencies’ programs as effective, even if the OMB-provided assessment suggest otherwise, and they don’t make program maturity clear.
The report further recommends OMB specify when IGs must use its grading scale versus another, but the agency responded it established standards but allows IGs review flexibility. GAO countered its recommendation would give IGs clarity on when to use their flexibilities to expand or adapt reviews.
While IGs found only seven out of the 23 agencies GAO reviewed had effective information security programs in fiscal 2020, that’s more than the previous three years. More agencies reported meeting FISMA goals for managing the security of software assets and intrusion detection and preventions, with chief information officers and chief information security officers at 14 agencies saying their programs improved to a “great extent” and 10 to a “moderate” extent.