GAO found that federal agencies were inconsistent in implementing cybersecurity requirements under the Federal Information Security Modernization Act ("FISMA").
GAO evaluated (i) the effectiveness of federal agencies' implementation of cybersecurity policies and practices, and (ii) the extent to which relevant officials at federal agencies consider FISMA to be effective at improving the security of agency information systems.
In its report covering fiscal year 2020, GAO found that 23 civilian Chief Financial Officers Act ("CFO") agencies reported progress toward meeting federal cybersecurity targets. A majority of those, however, said they were not fully meeting the requirements. GAO stated that Inspectors General found uneven implementation and concluded that only seven CFO agencies had effective agency-wide information security programs.
Agencies that implemented FISMA cybersecurity requirements into their security programs benefited from, among other things, (i) the standardization of security program requirements, (ii) the improvement of cybersecurity posture, (iii) more effective communication within the agencies, (iv) the ability to track the performance of security programs over time, and (v) the ability to establish responsibilities and authorities with respect to cybersecurity programs.
GAO noted that since 2010, it has made approximately 3,700 recommendations related to the nation's cybersecurity efforts, of which about 900 have not yet been fully implemented as of November 2021.