Widespread security problems self-reported at Interior

In a sharp departure from the more typical agency-level FISMA self-assessments, the internal FISMA audit by the Inspector General of the Department of the Interior reveals serious systemic problems in DOI’s security management, with blame focused on ineffective governance, under-skilled staff, and the failure of bureaus to adhere to departmental and federal-wide guidance. What is interesting about this latest example of poor security program management is that we don’t see more reports of this type, as the structural deficiencies cited by the Interior IG are common in other agencies. Among the key problems highlighted was the way Interior’s security officers tend to push security responsibility out to regional managers, instead of maintaining central oversight at the CISO level. One IG recommendation was therefore to escalate the reporting relationship of the Department CIO so that the CIO reports directly to the Secretary, rather than the current org structure that puts the CIO under the Assistant Secretary for Policy, Budget, and Management. Having the CIO (and by extension, the CISO, who under FISMA is supposed to report to the CIO) a few layers down in the organization, rather than reporting to the Secretary, is hardly unusual: at agencies such as DHS, State, Treasury and HHS, the CIO reports to an executive responsible for management (the Undersecretary for Management at DHS and State; the Assistant Secretary for Management at Treasury; and the Assistant Secretary for Administration and Management at HHS). By contrast, at both the VA and DOD, the CIO is an Assistant Secretary. Judging by other agencies, it would seem less important to whom the CIO reports, and more important just how much delegation of security responsibility is allowed below the bureau level. Any decentralized or federated department will face security management challenges due to differing risk tolerances (and possibly levels of maturity in applying risk management practices), so without strong top-down guidance and enterprise standards for security, findings such as those seen at DOI aren’t very surprising.