The Government Accountability Office reviewed FISMA reports from 23 civilian agencies covered by the Chief Financial Officers Act of 1990, and preliminary results showed inconsistency in agencies’ implementation of requirements under the Federal Information Security Modernization Act of 2014.
Although more agencies reported progress in meeting targets related to automated access management and intrusion detection and prevention, 17 of those 23 CFO Act agencies did not meet all 10 federal cybersecurity targets in fiscal year 2020, GAO said Tuesday.
For FY 2020 FISMA reporting, inspectors general reported that only seven of the 23 agencies had effective information security initiatives.
The congressional watchdog also interviewed agency officials from 24 CFO Act agencies and found that officials at all agencies stated that FISMA helped their organizations improve the effectiveness of their information security initiatives.
The officials also identified obstacles to their agencies’ FISMA implementation efforts, including a lack of resources and insufficient time to implement new requirements and remediate findings.
They also made suggestions to enhance the FISMA reporting process, such as increasing the use of automation, reducing the frequency of FISMA-required independent annual evaluations, enhancing the IG evaluation process and maturity rating model and updating the FISMA metrics to enhance their effectiveness.