“Federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls,” the GAO concluded after surveying 24 major agencies and conducting in-depth case studies on 30 IT systems at six of the agencies.
The report was ordered by Rep. Tom Davis (R-Va.), the original sponsor of FISMA, the Federal Information Security Management Act. Apparently no agencies are compliant with the law, passed in 2002.
“What this shows is that we have a long way to go to ensure Americans the information their government keeps about them is safe,” Davis said in a release. “We’re going to do this, but it’s going to take time.”
GAO recommends that OMB instruct agencies to develop and implement policies on periodic testing and evaluation, and revise instructions for future FISMA reporting by inspectors general to include assessments on the quality of agencies’ testing processes.
“We received oral comments on a draft of this report from representatives” at OMB, the GAO reported. “The representatives agreed to consider our recommendations as part of their oversight responsibilities for information security at federal agencies.”