Interior Fails Big Time in FISMA AuditIG Blames Lack of CIO Oversight, Under-Qualified Personnel
In a scathing report, the Interior Department inspector general said the department, once again, failed to comply with the Federal Information Security Management Act in fiscal 2009.
In the 46-page report posted on its website, the IG blamed a decentralized organization structure, fragmented IT governance processes, lack of oversight, bureau resistance to departmental guidance and use of substantially under-qualified personnel to perform significant IT securities duties. These weaknesses exasperates the challenges in securing Interior's IT systems, the IG said, adding that personnel responsible for managing Interior's IT programs failed to be accountable for results, wasting investments that aren't leverage to their fullest.
"These serious flaws significantly negate the benefit of the $182 million spent on IT security in FY 2009 and the efforts of the 677 employees and contractors fully devoted to information security across the department," the IG wrote in Interior's annual FISMA assessment report.
A major flaw is the tendency for the department, bureau and office chief information officers to delegate IT security responsibility to regional managers, in contrast to federal law that calls for strong CIO oversight of information security. "Delegating authority from the department CIO has resulted in multiple layers of bureaucracy that impede achieve of results and drive up costs," the report said.
The IG also criticized Interior's IT governance, calling it inefficient, wasteful and lacking of accountability. The Information Technology Management Council, Interior's governing body, consists of bureau and office CIOs who report to bureau and office directors, yet the council tackles departmental-wide information security concerns. "Implementation of ITMC decisions is sporadic and often incomplete," the IG wrote. "The lack of adequate governance constitutes a weakness in the department's overall information security program, which is a significant deficiency under FISMA."
Among the IG's recommendations:
- Realign the department CIO to report directly to the Interior secretary.
- Realign personnel performing significant responsibility for IT security under the departmental CIO purview.
- Performance of significant IT security duties should be consolidated and centralize to improve consistency, enhance efficiency and reduce costs.