Federal agencies and the Office of Management and Budget are not doing enough to safeguard the confidentiality of vital federal information from cyberattacks, according to a Government Accountability Office report released July 26.

Under the Federal Information Security Management Act, federal agencies are required to establish security programs to protect the systems and information crucial to their operations and assets. Highlighting the importance of these security programs, the act directed OMB to oversee governmentwide information security practices and policies.

However, GAO found that many federal agencies did not adequately and efficiently implement the information security programs during fiscal year 2018. Out of the 16 agencies GAO examined, the majority were deficient in implementing the eight elements of agencywide information security programs required by FISMA. They were also deficient in most of the core functions of the National Institute of Standards and Technology cybersecurity framework they were required to meet under a May 2017 executive order.

Inspectors general also found that 18 of the 24 Chief Financial Act of 1990 agencies did not have agencywide information security programs.

Exacerbating the problem, OMB has not yet submitted its required FISMA report on agencies’ information security program implementation to Congress for FY2018, which was due March 18. This limits the information available to Congress, diminishing its oversight capabilities, according to GAO.

Insufficient information security programs and lack of oversight over them poses a threat to security, as federal information systems are highly complex and thus inherently at risk to unauthorized infiltration or attack.

“Federal systems and networks are often interconnected with other internal and external systems and networks, including the internet, thereby increasing the number of avenues of attack and expanding their potential attack surface,” according to GAO.

For example, in 2018 the Department of Justice reported that it “indicted nine Iranians for conducting a massive cybersecurity theft campaign on behalf of the Islamic Revolutionary Guard Corps.” The cyberattackers stole over 31 terabytes of documents and data from over 140 universities, 30 companies and five federal government agencies, among other entities, in the United States.

The Department of Homeland Security and the Federal Bureau of Investigation also reported in March 2018 that “Russian government actors had targeted U.S. government entities and critical infrastructure sectors, including energy, nuclear, water, aviation and critical manufacturing sectors” since at least March 2016.

Such threats should prompt more corrective initiatives. However, there appears to be much work left to be done. From FY2015 to FY2018, GAO made approximately 1,400 recommendations. As of May 2019, 500 of these recommendations have not been implemented and agencies continue to face challenges in safeguarding information systems and information. Despite this, OMB reduced the number of agencies at which it held advisory meetings on program implementation from 24 agencies in FY2016 to three agencies in FY2018.

“Also, OMB, in collaboration with the Council of Inspectors General for Integrity and Efficiency, did not include a metric system for security plans, one of the required information security program elements, in its guidance on FISMA reporting,” GAO said. “As a result, oversight of agencies’ information security programs was diminished.”

GAO recommended that OMB submit its FISMA report to Congress for FY2018 and “expand its coordination of CyberStat review meetings for those agencies with a demonstrated need for assistance in implementing information security.”

GAO also recommended that OMB “collaborate with CIGIE ensure that the inspector general reporting metrics include the FISMA-required information security program element for system security plans.”

OMB generally agreed with the recommendations.