Wednesday, January 12, 2022

Report of the GAO on the implementation of FISMA requirements

The GAO report on the implementation of FISMA requirements, released on January 11, 2022, highlights how unevenly the rules the law defines are being enforced.

The Federal Information Security Modernization Act of 2014 (FISMA) was enacted to "provide a mechanism for improved oversight of agencies' information security programs". According to this new report, "inspectors general (IG) identified uneven implementation of cyber security policies and practices." In 2020, "seven of the 23 civilian Chief Financial Officers Act of 1990 (CFO) agencies had effective agency-wide information security programs" (six agencies in each of 2017 and 2018, and five in 2019).

GAO recommendations are only partially acted upon: "GAO has also routinely reported on agencies' inconsistent implementation of federal cybersecurity policies and practices. Since 2010, GAO has made about 3,700 recommendations to agencies aimed at remedying cybersecurity shortcomings; about 900 were not yet fully implemented as of November 2021." The Department of Defense does not fully comply with the rules either, and the report ties this directly to its security posture, noting that "90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices". The GAO made a series of recommendations so that the DoD improves its "cyber hygiene", but "As of December 2021, DOD had not yet implemented any of the seven recommendations".

What, then, are the reasons for such insufficient application of the law? Some have been put forward: according to the agencies themselves, it is due to a "lack of resources" (staff, time, and so on). They claim they do "not have enough time to implement new requirements and/or remediate findings identified in the annual FISMA reviews before the next FISMA review starts". They also criticize the purely bureaucratic approach FISMA imposes on them: "FISMA reviews are too focused on compliance and are not focused enough on effectiveness".