U.S. flag

An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.
Click here to search the NCJRS Virtual Library

Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements

NCJ Number
Robert F. Dacey
Date Published
March 2004
45 pages
This report examines the Government’s overall information security status and analyzes the efforts of the 24 largest government agencies to implement Federal information security requirements.
Poor information security within Federal agencies has been identified as a high-risk issue by the General Accounting Office (GAO) since 1997. In October 2000, legislation designed to improve information security was enacted. The Federal Information Security Act of 2002 (FISMA) strengthened the 2000 legislation by incorporating new requirements. This report presents information from the Office of Management and Budget’s (OMB) recent report to Congress on the overall status of the Government’s information security campaign. Also reviewed and summarized are the fiscal year 2003 FIMSA reports for the 24 largest Federal agencies and the standards and guidance issued by the National Institute of Standards and Technology (NIST). The OMB report to Congress indicates that there have been significant improvements in identifying and addressing long-standing information security problems, but some challenges remain. According to OMB, one main government-wide challenge is the lack of understanding and accountability on the part of Federal agents in terms of their information security responsibilities. Recommendations to close the gap through management and budgetary processes are included in the OMB report. The 2003 FIMSA data revealed that overall the 24 largest Federal agencies are making progress toward information security. The total number of systems assessed for risk in these 24 agencies jumped from 65 percent to 78 percent and those having a contingency plan rose from 55 percent to 68 percent. However, some of these agencies still reported that less than half of their information systems met certain security requirements. Moreover, weaknesses were reported in each of the six key areas of general control: (1) security program management; (2) access controls; (3) software development and change controls; (4) segregation of duties; (5) operating systems controls; and (6) service continuity. Such weaknesses place a broad spectrum of Federal operations and assets at risk. Recommendations by GAO include having independent validation of data and completion of systems inventories. Tables, figures