On March 16, 2006, the Government Accountability Office (“GAO”) released a Report on Information Security entitled, “Federal Agencies Show Mixed Progress in Implementing Statutory Requirements.” While noting improvement in some areas, the Report makes clear that agencies have significant work to do before being in full compliance with the Federal Information Security Management Act of 2002 (“FISMA”).
FISMA was passed in response to what the GAO Report describes as “accounts of attacks on commercial systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack.” One of the duties FISMA places on agencies is to test the contingency plans they have in place to prevent or minimize disruption from unanticipated events. The Report notes that fewer than two-thirds of agencies’ information technology (“IT”) systems have been adequately tested, “thereby reducing assurance” that agencies would be able to put into practice procedures that have yet to be tried.
The March 16 Report comes amid other GAO Reports on the continued need for progress in Federal agencies’ IT infrastructure. In February, the GAO outlined problems with the Department of Health and Human Services’ (“HHS’”) information security systems. In March, the GAO reported on weaknesses at both the Internal Revenue Service (“IRS”) and the Securities and Exchange Commission (“SEC”). The GAO also issued a Report on the challenges facing the Department of Homeland Security’s (“DHS’”) IT management.
During the same month, the House of Representatives Government Reform Committee issued its report card on FISMA compliance. The results were grim: the Federal Government overall scored a D+, with numerous agencies receiving an F.
As the GAO Report on DHS’ system explained, “IT is a critical tool for [DHS], not only in performing its mission today, but also in transforming how it will do so in the future.” Because of the magnitude of the task facing DHS and many other Federal agencies, the Government may increasingly turn to the private sector for assistance in strengthening its IT security.
This update is published by Venable LLP. Venable publications are not intended to provide legal advice or opinion. Such advice may only be given when related to specific fact situations. © Copyright by Venable LLP 2006.