December 2, 2022


Cybersecurity: OMB Should Update Inspector General Reporting Guidance to Increase Rating Consistency and Precision

What GAO Found

In fiscal year 2020, the effectiveness of federal agencies’ implementation of requirements set by the Federal Information Security Modernization Act of 2014 (FISMA) was mixed. For example, more agencies reported meeting goals for managing the security of their software assets, as well as for intrusion detection and prevention. Nevertheless, inspectors general (IG) identified uneven performance of cybersecurity practices across agencies. For fiscal year 2020, IGs determined that seven of the 23 civilian Chief Financial Officers (CFO) Act of 1990 agencies had effective information security programs. Between fiscal years 2017 and 2020, the percentage of agencies receiving effective ratings was generally consistent, ranging from 22 to 30 percent.

Number of the 23 Civilian Chief Financial Officers Act of 1990 Agencies with Effective and Not Effective Agency-Wide Information Security Programs, as Reported by Inspectors General for Fiscal Years 2017-2020

According to officials at all 24 CFO Act agencies, FISMA and its associated reporting process enabled their agencies to improve their information security programs’ effectiveness. Specifically, Chief Information Officers and Chief Information Security Officers at 14 agencies stated that FISMA improved program effectiveness to a great extent, while officials at 10 agencies said it improved effectiveness to a moderate extent.

As required under FISMA, the Office of Management and Budget (OMB), in partnership with other organizations, provides guidance to IGs on conducting and reporting agency FISMA evaluations. GAO found that this guidance was not always clear, leading to inconsistent application by IGs. Further, GAO found that OMB’s overall IG rating scale of “effective” and “not effective” resulted in imprecise ratings that did not clearly distinguish the differing levels of agencies’ implementation of cybersecurity requirements. As a result, IG ratings may be less useful for cybersecurity oversight. By clarifying its future ratings guidance and improving its rating scale, OMB could help ensure that the reviews provide a more consistent picture of agencies’ cybersecurity performance, enabling Congress to better understand agencies’ relative cybersecurity risks.

Why GAO Did This Study

Since 1997, GAO has designated information security as a government-wide high-risk area. To protect federal information and systems, FISMA requires federal agencies to develop, document, and implement information security programs. Congress included a provision in FISMA for GAO to periodically report on agencies’ implementation of the act.

GAO’s objectives in this report were to (1) describe the reported effectiveness of federal agencies’ implementation of cybersecurity policies and practices and (2) evaluate the extent to which relevant officials at federal agencies consider FISMA to be effective at improving the security of agency information systems.

To do so, GAO reviewed the 23 civilian CFO Act agencies’ FISMA reports, agency reported performance data, past GAO reports, and OMB documentation and guidance. GAO also interviewed agency officials from the 24 CFO Act agencies (i.e., the 23 civilian CFO Act agencies and the Department of Defense), the Council of IGs on Integrity and Efficiency, and OMB.

Source: Network News

Copyright © 2022 ACN