The recent report of the GAO on the implementation of FISMA requirements, released on January 11, 2022, highlights the insufficient enforcement of the rules defined by law. The Federal Information Security Modernization Act of 2014 (FISMA) was enacted to "provide a mechanism for improved oversight of agencies' information security programs". According to this new report, "inspectors general (IG) identified uneven implementation of cyber security policies and practices." In 2020, "seven of the 23 civilian Chief Financial Officers Act of 1990 (CFO) agencies had effective agency-wide information security programs" (in 2017 and 2018, only 6 agencies complied with the rules, and 5 in 2019).

GAO recommendations are only partially taken into account: "GAO has also routinely reported on agencies' inconsistent implementation of federal cybersecurity policies and practices. Since 2010, GAO has made about 3,700 recommendations to agencies aimed at remedying cybersecurity shortcomings; about 900 were not yet fully implemented as of November 2021." The Department of Defense does not fully comply with the rules, and this situation is impacting its cybersecurity: "90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices". The GAO made a series of recommendations to the DoD so that the latter improves its "cyber hygiene". But "as of December 2021, DOD had not yet implemented any of the seven recommendations".
What, then, are the reasons for such insufficient application of the law? Some have been formulated: according to the agencies, this is due to a "lack of resources" (be it human resources, time restrictions, etc.). They claim they do "not have enough time to implement new requirements and/or remediate findings identified in the annual FISMA reviews before the next FISMA review starts". They also criticize the purely bureaucratic approach imposed on them by FISMA: "FISMA reviews are too focused on compliance and are not focused enough on effectiveness".