Saying No to Government Auditors
Agencies Don't Always Have Resources to Comply with Audits
The headline sounds alarming: DOT Falls Short in Annual FISMA Audit, as does the warning from the Department of Transportation's Inspector General Calvin Scovel III:
"These weaknesses significantly increase the risk that systems will become victim to cyberattacks or disruptions that can compromise the integrity, availability and confidentiality of data needed to fulfill DOT's missions."
But is the situation that dire? And, if DOT, or any other agency, fails to implement the recommendations of government auditors, will IT systems be much worse off? The answer is obvious: yes and no.
Putting in place the proper controls recommended by inspectors general and Government Accountability Office auditors will make IT systems more secure; there's no doubt about that. Still, there's much more to securing data and systems than implementing controls and other practices recommended by auditors. And, under existing federal law, the responsibility of making sure IT is secure falls to the agency's chief information officer. As Transportation CIO Nitin Pradhan suggests in his response to the latest IG audit, you can't do it all:
"Resources are increasingly constrained and it is unlikely that our cybersecurity program will receive the additional resources as anticipated in our earlier planning. As a result, it is neither realistic nor plausible to commit to addressing all of the issues described in the (Office of Inspector General) draft report in a single year. While the issues discussed in the OIG draft report are integral to FISMA objectives, it is imperative that we focus our constrained resources on the highest priority actions."
In the case of DOT, it's Pradhan's responsibility to decide what's the best way to secure the department's IT, and the recommendations made by the IG office in its annual Federal Information Security Management Act review are merely one set of approaches to take.
The process of determining what steps to take is a familiar one: information risk management. When deciding how best to secure DOT digital assets, Pradhan will balance the IG's valuable recommendations with other security challenges the department faces, and with limited resources, and then make what he believes will be the right decisions.
Many government agencies face the same challenges Pradhan is tackling. Nearly every IG and GAO audit of nearly every federal agency reads the same: progress has been made but more must be done to secure IT, and until more is done, the agency's IT is at risk.
What the auditors say is true, but in a conversation I had last year with John Gilligan, the former CIO at the Energy and Air Force departments, he expressed the frustration many CIOs and chief information security officers have with those audits (see Should IG Reports be Treated as Gospel?):
"The whole IG review process is one that has not really provided a lot of value because the IGs come in without criteria, and all they do is that they have to find potential problems. So, the agency says, 'It doesn't matter what I do; the IG is going to find some problems.'"
Gilligan doesn't find these audits to be valueless, and neither does Pradhan or, for that matter, most other CIOs. But these audits are part of a greater process of identifying security weaknesses. To fulfill their responsibility for securing their agencies' IT, CIOs should use IG and GAO audits as valuable recommendations to be combined with other ideas on how best to safeguard information and technology.