In addition, OMB, Office of Management and Budget, issues policy memorandums as part of its oversight role of federal activities. So there are government-wide policies and procedures as well as standards. And at the same time, though, federal agencies need to assess the risk and apply those standards as they pertain to their own environments. So they're going to need to be able to assess the risk and determine which appropriate controls are necessary to mitigate those risks in their own computing environments.

>> Host: Did the GAO in its report look at the framework for decision making and have any suggestions for that?

>> Guest: Yes. In our review, we do look at the standards that NIST and OMB have established for federal agencies and monitor the extent to which federal agencies have implemented that. Under FISMA, GAO is responsible for assessing the security at federal agencies and compliance with the provisions of the act. So that's the other side is federal law is another requirement for agencies to follow. And in our report w