Agencies fizzle on FISMA compliance

Written by Dan Blacharski on June 1, 2009

While the rest of us are struggling under threat of penalty to comply with an ever-increasing array of security-related regulations, the federal government itself is failing miserably in practicing what it’s been preaching.

The GAO issued a report this week on how government agencies have been responding to the Federal Information Security Management Act of 2002 (FISMA), which requires government agencies to create agencywide information security programs with supporting security architectures.

The report concluded that out of 24 government agencies, 23 had inadequate authorization controls, and 22 said that information security was a “major management challenge.” The agencies also came up short in several other security-related areas, and poor IT security continues to be seen throughout government. According to the report, all 24 agencies have reported multiple security incidents where sensitive information has been either lost or stolen.

The report did indicate, however, that user awareness of security issues is rising among agencies. FISMA requires security awareness training for agency personnel and contractors. FISMA is a very broad set of guidelines dealing with overall security; email admins within agencies must also be aware of FISMA to ensure compliance, especially in the area of authentication.
