Under the Federal Information Security Modernization Act of 2014 (FISMA 2014), the agency chief information security officer (CISO) has the responsibility to ensure that the agency is meeting the requirements of the law, including developing, documenting, and implementing the agency-wide information security program. However, 13 of the 24 agencies GAO reviewed had not fully defined the role of their CISO in accordance with these requirements. For example, these agencies did not always identify a role for the CISO in ensuring that security controls are periodically tested; procedures are in place for detecting, reporting, and responding to security incidents; or contingency plans and procedures for agency information systems are in place. Thus, CISOs’ ability to effectively oversee these agencies’ information security activities can be limited.
The 24 CISOs GAO surveyed identified challenges that limited their authority to carry out their responsibilities to oversee information security activities. These challenges can impact agencies’ ability to effectively manage information security risk. The table below shows the factors that CISOs reported as being the most challenging to their authority.
The 24 CISOs also reported that other factors posed challenges to their abilities to carry out their responsibilities effectively, including difficulties related to having sufficient staff; recruiting, hiring, and retaining security personnel; ensuring that security personnel have appropriate expertise and skills; and a lack of sufficient financial resources. Several government-wide activities are under way to address many of these challenges. However, while the Office of Management and Budget (OMB) has a statutory responsibility under FISMA 2014 to provide guidance on information security in federal agencies, it has not issued such guidance addressing how agencies should ensure that officials carry out their responsibilities and personnel are held accountable for complying with the agency-wide information security program. As a result, agencies lack clarity on how to ensure that their CISOs have adequate authority to effectively carry out their duties in the face of numerous challenges.