Security grades bring new complaints

Does FISMA compliance create secure IT systems?

Some departments’ information technology security grades went from dismal to decent in 2005, according to the latest IT security data collected by the Office of Management and Budget. Following a poor showing in previous years, the Department of Veterans Affairs, for example, received good marks for achieving 100 percent compliance with federal IT security certification and accreditation policies.

But after five years in which federal agencies have been graded on their compliance with IT security policies, some former federal security officials question the meaning of the annual security grades. “High grades could mean a lot of compliance but not necessarily a lot of security,” said Bruce Brody, vice president of information security at Input, a market research firm.

Brody, a former information security official at the VA and Energy Department, said he observed agencies creating huge amounts of paperwork to achieve compliance with the Federal Information Security Management Act of 2002. But that paperwork was not always connected to underlying security fixes, he added. “You really have to ask yourself what has five years of FISMA given to us?”

After a Feb. 22 information security workshop in Washington, D.C., Brody said it would be helpful if OMB would recognize technically based security audits in which agencies continuously scan and patch their systems and networks and maintain audit logs. “That process could replace an inordinate amount of paper that is generated right now on certification and accreditation.”

OMB, which ensures agencies’ compliance with FISMA, reported that 85 percent of federal agencies and departments met FISMA’s certification and accreditation requirements in fiscal 2005. OMB sees progress in the new figures. In fiscal 2002, only 47 percent of federal agencies complied with those requirements.

Aware of the costs of FISMA reporting, OMB officials have taken steps to save money by investigating whether compliance reporting could be consolidated.

Lynn McNulty, director of government services at the International Information Systems Security Certification Consortium, said the federal approach to information security could use further revamping. “I think we need a change of mind-set,” he said. “It’s kind of a regulatory mind-set that is dominating the process.”

McNulty said information security programs at most U.S. businesses require far less paperwork than federal agencies do. But important similarities exist, he added. In businesses and federal agencies, chief information security officers “are fighting for resources, fighting for management attention and management support,” he said. In some companies, the role of the chief information security officer is evolving as CISOs become risk managers and, in some cases, report to their company’s chief financial officer instead of the chief information officer.

But that evolution is not as likely to occur any time soon in the federal government, simply because FISMA requires the senior agency information security officer to report to the CIO, McNulty said. “By writing it into the statute, we’re locked into place, and it would require an act of Congress to change that relationship,” he added.
