Audit: Federal CISOs need more authority, guidance
Most chief information security officers in federal agencies and departments lack clear authorities — and the White House needs to issue guidance to ensure they have the powers they need to do their jobs.
That’s the conclusion of an audit by the Government Accountability Office, published this week, which looked at the CISO role in the 24 federal departments and agencies covered by the Chief Financial Officers Act.
The 2002 Federal Information Security Management Act and its successor, the 2014 Federal Information Security Modernization Act, collectively known as FISMA, require agency CIOs to designate a CISO and give those CISOs clear responsibilities. But just over half of the agencies surveyed, 13 of them, “had not fully defined the role of their CISO in accordance with these [FISMA] requirements,” write the auditors in their report.
“This lack of clarity … hinders CISOs’ ability to address challenges to their authority” from other elements of the agency, leading to friction and conflict, auditors found. A GAO survey of the 24 CISOs, conducted as part of the audit, revealed that all but two of them faced some level of problems balancing operational and security imperatives. Also, many had difficulty “ensuring that senior managers are aware of information security risks facing the agency.”
Other difficulties identified by a majority of the CISOs included coordinating with other agency offices or components, the availability of contractor information, the oversight of contractors and indirect reports — often in other parts of the agency — and the CISO’s placement in organizational hierarchy.
“Although [the White House Office of Management and Budget, or OMB] has responsibility under FISMA for providing guidance to federal agencies, it has not issued guidance clarifying how agencies should implement recent provisions in federal law aimed at strengthening their oversight of information security activities or the role of agency CISOs in carrying them out,” write the auditors.
“The Director of OMB should issue guidance for agencies’ implementation of the FISMA 2014 requirements,” the auditors conclude, to provide more clarity on the authorities and responsibilities of the CISO to enforce those new requirements.
In emailed comments about a draft copy of the report — comments that are not reproduced in the public report — OMB officials pushed back on that recommendation, saying existing guidance “provides sufficient and clear details on the expectations for agencies, to include procedures for overseeing and managing their information security programs.” OMB also contended that overly prescriptive guidance might tie the hands of agencies.
“We disagree that existing guidance and oversight mechanisms provide sufficient clarity for agencies on how to implement the new FISMA 2014 provisions,” write the auditors.
The CISOs surveyed also identified other challenges, including staffing shortages — “insufficient personnel to oversee security activities effectively” — problems recruiting, training and retaining skilled staff, and a lack of resources.