Federal agencies across the board are still struggling to prevent and detect inappropriate access to computer networks and to implement agencywide security management programs.
And because of fuzzy guidance from the White House, inspectors general — who are supposed to annually double check that agencies actually comply with federal cybersecurity laws — are inconsistently reporting their agency’s overall security performance.
That’s according to the Government Accountability Office, which reviewed how agencies fared complying with the 2002 Federal Information Security Management Act, which requires agencies to put cybersecurity programs in place. (The law was amended in late 2014, but GAO’s review predated those changes.)
“Federal agencies continued to experience weaknesses in protecting their information and information systems,” the GAO report concluded. “These systems remain at risk as illustrated in part by the evolving array of cyber-based threats and the increasing numbers of incidents reported by federal agencies.”
Overall, the federal government’s FISMA compliance between 2013 and 2014 was “mixed,” GAO found.
Most agencies have in place necessary policies for managing risk, providing security training and making fixes when vulnerabilities are identified, GAO reported.
But the number of agencies reporting that deficiencies in their handling of information security controls were either a “material weakness” or a “significant deficiency” increased to 19 agencies out of the 24 reviewed.
Additionally, IGs at 23 of the agencies cited information security as a “major management challenge” for their agency — two more than the year before.
But GAO says IG inspections of agencies’ cybersecurity practices may…