Federal agencies slow to harmonize information security policies

Information security policies for the two sets of IT systems are developed and administered by different federal agencies, which leads to inefficiency and redundancy. This creates additional costs for the government and additional burdens for contractors and IT systems developers, the GAO report said.

In 2009, the federal government set up a task force to work on harmonizing the information security policies of the civilian government and national security IT systems. The task force is made up of representatives from the Office of Management and Budget and the National Institute of Standards and Technology, which are responsible for the civilian government sector, and the Department of Defense (DoD), the Committee on National Security Systems, and the US intelligence community, which are responsible for the national security sector.

The task force is developing common information security guidance that is “expected to result in less duplication of effort and more effective implementation of controls across multiple interconnected systems,” the report said.

The GAO cautioned that work has been slow on developing this common information security guidance.

“While much of the harmonized guidance incorporates controls and language previously developed for use for non-national security systems, significant work remains to implement the guidance for national security systems. DoD and the intelligence community are developing agency-specific guidance and transition plans for implementing the harmonized guidance, but, according to officials, actual implementation could take several years to complete,” the report noted.

In addition, the agencies involved have not established implementation milestones and lack performance metrics for measuring progress. The harmonization effort has also failed to use established collaborative practices, such as documenting information security needs, identifying individual agency roles, and establishing processes to monitor and report results, the report added.

To address these shortcomings, the GAO recommends that the Secretary of Commerce and the Secretary of Defense update plans for future collaboration, establish timelines for implementing revised guidance, and implement key practices for interagency collaboration in the harmonization effort.
