Feds cram before 2005 FISMA scores arrive

Top information technology officials from all over the federal government met Wednesday to bone up on best IT security practices.

Chief information officers, chief information security officers and inspectors general met to share tips on how to make federal information and information systems more secure, as required by law under the Federal Information Security Management Act (FISMA) of 2002. FISMA scores for the 2005 fiscal year are expected soon.

“We want to give them some actionable items they can use soon after their scores come out,” said Charles Havekost, CIO for the Department of Health and Human Services.

The Federal CIO Council sponsored the conference in Washington, D.C., to discuss how federal agencies can improve their FISMA scores.

“The goal is not to get a good grade,” said Karen Evans, OMB's administrator of e-government and IT. “The goal is to secure our systems to protect our national assets. We’re asking you not just to crank out paperwork, but to produce results.”

Federal IT offices must work with their inspectors general to show that the offices are proactively managing risk and have created secure systems that are verifiable and trackable, Evans said.

All agencies must have continuity-of-operations plans and communications plans in case an incident happens, Evans said.

Agencies should also report any potential incident to the Homeland Security Department, which can analyze and coordinate enterprisewide responses throughout the federal government, Evans said.

Support from chief financial and acquisition officers as well as department chiefs is essential to improving FISMA scores, said Lisa Schlosser, CIO for the Department of Housing and Urban Development (HUD).

As CISO at the Transportation Department, Schlosser guided DOT from an “F” FISMA grade in the 2002 fiscal year to an “A-” in the 2004 fiscal year. She became HUD CIO six months ago.

CIOs and others responsible for IT must speak leaders’ language and frame their requests in terms of meeting business needs, Schlosser said. For instance, HUD must keep data on $500 billion in loans both secure and accessible, she said.

“When you start talking about half a trillion dollars, you get people’s attention,” Schlosser said.

IT shops should also look around the federal government for successful applications and practices to modify for their own use, Schlosser said. For example, DOT uses a program from the Environmental Protection Agency, called ASSERT, to automate FISMA testing, she said.

Federal agencies should include IT security requirements in their procurements to ensure that cybersecurity is already built into systems when they arrive, both Evans and Schlosser said.
