DESPITE CYBER EMPHASIS, AGENCY FISMA COMPLIANCE LAGGING
Only eight of 23 surveyed civilian agencies have adequate Federal Information Security Modernization Act (FISMA) controls in place, according to a recent GAO report. The findings were originally published in an article on nextgov.com. The number comes as a surprise given the governmentwide emphasis on cybersecurity, supply chain risk management, and similar requirements the government places not only on itself, but also on contractors.

While some of the problems may stem from ineffective measurement metrics, a point raised by several agencies, GAO also cited comments made by inspectors general about agency shortcomings. “IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control,” the watchdog said in the report, adding that “addressing the causes could improve the federal government’s cybersecurity posture.”

Large civilian agencies including USDA, HHS, Transportation, and HUD are among those with significant FISMA shortcomings. While their lack of FISMA accountability is a concern, it is also an opportunity for contractors with FISMA compliance solutions. Significantly, the GAO report did not cite lack of available funding as a major reason for the shortcomings. This means that agencies may have funding, pending Congressional appropriations action, for FISMA improvements.

Such improvements may also move up the priority list if CIOs know that their performance will be measured in part on how they bring their agencies' systems into compliance. One of GAO’s recommendations, in fact, was to “improve the [chief information officer] and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size and adequately address risk.”

Contractors should take note of this report and the potential impact it could have for civilian agency business. Outreach efforts to targeted agencies with potential solutions could be met with positive responses.