Security grades bring new complaints

Does FISMA compliance create secure IT systems?

Some departments’ information technology security grades went from dismal to decent in 2005, according to the latest IT security data collected by the Office of Management and Budget. Following a poor showing in previous years, the Department of Veterans Affairs, for example, received good marks for achieving 100 percent compliance with federal IT security certification and accreditation policies.

But after five years in which federal agencies have been graded on their compliance with IT security policies, some former federal security officials question the meaning of the annual security grades. “High grades could mean a lot of compliance but not necessarily a lot of security,” said Bruce Brody, vice president of information security at Input, a market research firm.

Brody, a former information security official at the VA and Energy Department, said he observed agencies creating huge amounts of paperwork to achieve compliance with the Federal Information Security Management Act of 2002. But that paperwork was not always connected to underlying security fixes, he added. “You really have to ask yourself what has five years of FISMA given to us?”

After a Feb. 22 information security workshop in Washington, D.C., Brody said it would be helpful if OMB would recognize technically based security audits in which agencies continuously scan and patch their systems and networks and maintain audit logs. “That process could replace an inordinate amount of paper that is generated right now on certification and accreditation.”

OMB, which ensures agencies’ compliance with FISMA, reported that 85 percent of federal agencies and departments met FISMA’s certification and accreditation requirements in fiscal 2005. OMB sees progress in the new figures. In fiscal 2002, only 47 percent of federal agencies complied with those requirements.

Aware of the costs of FISMA reporting, OMB officials have taken steps to save money by investigating whether compliance reporting could be consolidated.

Lynn McNulty, director of government services at the International Information Systems Security Certification Consortium, said the federal approach to information security could use further revamping. “I think we need a change of mind-set,” he said. “It’s kind of a regulatory mind-set that is dominating the process.”

McNulty said information security programs at most U.S. businesses require far less paperwork than federal agencies do. But important similarities exist, he added. In businesses and federal agencies, chief information security officers “are fighting for resources, fighting for management attention and management support,” he said. In some companies, the role of the chief information security officer is evolving as CISOs become risk managers and, in some cases, report to their company’s chief financial officer instead of the chief information officer.

But that evolution is not as likely to occur any time soon in the federal government, simply because FISMA requires the senior agency information security officer to report to the CIO, McNulty said. “By writing it into the statute, we’re locked into place, and it would require an act of Congress to change that relationship,” he added.
