The Council of the Inspectors General on Integrity and Efficiency (CIGIE) issued its first-ever capstone report this week on trends in Federal agencies’ cybersecurity performance, and found that Federal agencies strengthened their information security programs on average from fiscal year (FY) 2020 to FY2023.
The report – published by CIGIE’s Technology Committee – marks the first time CIGIE has examined Federal Information Security Modernization Act (FISMA) reports from Offices of Inspectors General (OIGs) across the Federal government to look for common agency challenges.
FISMA requires all Federal agencies to comply with cybersecurity standards and document agency-wide information security programs.
While Federal agencies have improved their cybersecurity programs over the past few years, the report says they could be doing more to ensure program effectiveness. Specifically, the report notes additional improvements are needed in the areas of supply chain risk management, cybersecurity risk management, and configuration management.
“This comprehensive cybersecurity report from CIGIE’s Technology Committee supports our efforts to highlight issues that cut across the Federal government,” said the Honorable Mark Lee Greenblatt, CIGIE chairperson and inspector general at the Department of the Interior. “CIGIE is committed to providing similar cross-cutting studies to Federal managers and policymakers, which can improve government operations and benefit the American public.”
According to the report, 60 percent of agencies operated an effective information security program from FY2020 to FY2023. Additionally, all cybersecurity function areas – except for the Identify function – increased in overall maturity governmentwide.
In the Identify function, which covers the risk management and supply chain risk management domains, IGs continue to report challenges for their agencies in “maturing their supply chain and cybersecurity risk management processes and controls,” according to the report.
“From FY2020 through FY2023, we observed consistently higher maturity ratings by IGs for metrics in the incident response and security training domains on average, indicating that Federal agencies’ information security programs are stronger in these areas than they are in others,” the report says. “Conversely, Federal agencies were consistently rated at a lower maturity by IGs, on average, for metrics in the supply chain risk management, risk management, and configuration management domains.”
Nevertheless, the report found that the number of CFO Act agencies with information security programs rated as “effective” by their IGs was only about four percent higher in FY2023 than in FY2020.
Notably, the share of small and independent agencies with programs rated effective is about 45 percent higher than the share of CFO Act agencies rated effective.
The report also included results from a survey of the IG community on its experience using CyberScope, the FISMA reporting application developed and maintained by the Department of Homeland Security.
It found that IGs are generally satisfied with CyberScope, with 71 percent of respondents either agreeing or strongly agreeing that the CyberScope application meets their needs for responding to the IG FISMA metrics.
However, the report says that additional functionality for data analytics and advanced word processing capabilities in CyberScope would help IGs meet their FISMA reporting requirements.
“The CIGIE Technology Committee plans to update this analysis periodically and use these results to continue its work with Federal stakeholders on improving the IG FISMA reporting process,” the report concludes. “The committee hopes that this analysis will provide key information to stakeholders, including the American public, on the status of Federal agency information security programs.”