Feds cram before 2005 FISMA scores arrive

Top information technology officials from all over the federal government met Wednesday to bone up on best IT security practices.

Chief information officers, chief information security officers and inspectors general met to share tips on how to make federal information and information systems more secure, as required by law under the Federal Information Security Management Act (FISMA) of 2002. FISMA scores for the 2005 fiscal year are expected soon.

“We want to give them some actionable items they can use soon after their scores come out,” said Charles Havekost, CIO for the Department of Health and Human Services.

The Federal CIO Council sponsored the conference in Washington, D.C., to discuss how federal agencies can improve their FISMA scores.

“The goal is not to get a good grade,” said Karen Evans, OMB’s administrator of e-government and IT. “The goal is to secure our systems to protect our national assets. We’re asking you not just to crank out paperwork, but to produce results.”

Federal IT offices must work with their inspectors general to show that the offices are proactively managing risk and have created secure systems that are verifiable and trackable, Evans said.

All agencies must have continuity-of-operations plans and communications plans in case an incident happens, Evans said.

Agencies should also report any potential incident to the Homeland Security Department, which can analyze and coordinate enterprisewide responses throughout the federal government, Evans said.

Support from chief financial and acquisition officers as well as department chiefs is essential to improving FISMA scores, said Lisa Schlosser, CIO for the Department of Housing and Urban Development (HUD).

As CISO at the Transportation Department, Schlosser guided DOT from an “F” FISMA grade in the 2002 fiscal year to an “A-” in the 2004 fiscal year. She became HUD CIO six months ago.

CIOs and others responsible for IT must speak leaders’ language and frame their requests in terms of meeting business needs, Schlosser said. For instance, HUD must keep data on $500 billion in loan information safe and accessible, she said.

“When you start talking about half a trillion dollars, you get people’s attention,” Schlosser said.

IT shops should also look around the federal government for successful applications and practices to modify for their own use, Schlosser said. For example, DOT uses a program from the Environmental Protection Agency, called ASSERT, to automate FISMA testing, she said.

Federal agencies should include IT security requirements in their procurements to ensure that cybersecurity is already built into systems when they arrive, both Evans and Schlosser said.
