GAO Proposes Changes to FISMA

This was written by Amara Channell on Thursday, July 2, 2009, 10:13.

The Government Accountability Office has written a letter to the House Oversight and Government Reform Committee's Government Management, Organization and Procurement Subcommittee, proposing changes to the Federal Information Security Management Act of 2002. They believe that the changes would decrease the amount of risk involved in federal information security.

The GAO has proposed that although FISMA has sound risk-management principles, the testing, reporting, and oversight requirements need to be more specific. They also believe that Congress should require agency heads to give written guarantees that their information security programs are effective.

FISMA was designed to provide a standardized way of securing government information technology resources, but in the last three years security incidents have tripled and at least 20 of 24 government agencies have weak information security programs and security controls.

According to the letter, "Clarifying or strengthening FISMA and its implementing guidance for determining the frequency, depth and breadth of security control tests and evaluations could help agencies better assess the effectiveness of the controls protecting the information and systems supporting their programs, operations and assets."

In its letter, GAO suggested the following changes:

  • Developing a national strategy that clearly articulates strategic objectives, goals and priorities.
  • Establishing White House leadership on the issue.
  • Publicizing and raising awareness about the seriousness of the cybersecurity problem.
  • Focusing more efforts on prioritizing assets, assessing vulnerabilities and reducing them than on developing additional plans.
  • Bolstering public/private partnerships through an improved value proposition and use of incentives.
  • Focusing greater attention on addressing the global aspects of cyberspace.
  • Placing greater emphasis on cybersecurity research and development, including how to better coordinate government and private-sector efforts.
  • Increasing the cadre of cybersecurity professionals.
