Fewer Agencies Are Periodically Testing and Continuously Monitoring Controls
Although OMB reported overall increases in the 24 agencies’ continuous monitoring of controls (from 81 percent in fiscal year 2013 to 92 percent in fiscal year 2014), inspectors general reported that fewer agencies had continuously monitored controls for their systems. For example, for fiscal year 2014, 12 inspectors general stated that their agency had ensured information security controls were being monitored on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting a security impact analysis of the associated changes, and reporting the security state of the system to designated organizational officials. This is a decrease from fiscal year 2013, when 14 agencies had monitored security controls on an ongoing basis.
If controls are not effectively tested or properly monitored, agencies will have less assurance that they have been implemented correctly, are operating as intended, and are producing the desired outcome with respect to meeting the security requirements of the agency.