Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs, Report to Congressional Committees
"Since 1997, GAO [Government Accountability Office] has designated federal information security as a government-wide high risk area, and in 2003 expanded this area to include computerized systems supporting the nation's critical infrastructure. In February 2015, in its high risk update, GAO further expanded this area to include protecting the privacy of personal information that is collected, maintained, and shared by both federal and nonfederal entities. FISMA [Federal Information Security Management Act] required federal agencies to develop, document, and implement an agency-wide information security program. The act also assigned OMB [Office of Management and Budget] with overseeing agencies' implementation of security requirements. FISMA also included a provision for GAO to periodically report to Congress on (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) agencies' implementation of FISMA requirements. GAO analyzed information security-related reports and data from 24 federal agencies, their inspectors general, and OMB; reviewed prior GAO work; examined documents from OMB and DHS; and spoke to agency officials. GAO is recommending that OMB, in consultation with DHS and others, enhance security program reporting guidance to inspectors general so that the ratings of agency security performance will be consistent and comparable. OMB generally concurred with our recommendation."
Government Accountability Office: http://www.gao.gov/