Hurford: Failing at FISMA

An agency’s failing grade means many things, including a disconnected Internet

The computer security report card that Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, issues attracts notoriety when he releases it each spring. Perhaps the spectacle of so many failing agencies attracts our attention. Or maybe it is the interest in seeing a Cabinet-level agency — the Interior Department in this case — contesting its failing grade in federal court.

In most professional disciplines, failing usually means your performance has been so remiss that you are no longer entitled to practice. But that doesn’t appear to be the meaning of the criteria and scoring developed by the Office of Management and Budget, the Government Accountability Office and the House Government Reform Committee.

GAO applies a weighting system to the policy, training, risk analysis and testing criteria established by OMB. Then GAO collects the reported metrics from each agency and each agency’s inspector general to create a blended score. It weighs the IGs’ scores more heavily because they are seen as independent reviewers who are not inclined to make the numbers look good.

The IGs and agencies, however, have latitude to interpret the standards when they report compliance with OMB’s criteria. That subjectivity makes it difficult to assign consistent meaning to report card grades.

For example, every IG completes an annual financial audit at about the same time each agency completes its yearly evaluation for compliance with the Federal Information Security Management Act of 2002. The financial audit requires that the IG assess information system controls using the same standards prescribed for FISMA. The auditor identifies the most severe discrepancies with those standards as a material weakness. You would expect that ineffective computer controls that contributed to a material weakness would appear in that agency’s FISMA report card grades. But that is not always the case.

In May 2005, Interior defended itself in a legal action to disconnect its information systems from the Internet. The department’s IG testified in a public hearing that he would give the agency an F for information technology security. The IG made his determination three weeks before OMB released its FISMA assessment criteria and four months before the end of the reporting period.

The rapid evolution of computer security standards must be considered in interpreting the progress of federal IT security. The number of FISMA standards from the National Institute of Standards and Technology has quintupled in the past five years. They provide meaningful IT security objectives. The report card, however, does not take into account the challenge of meeting an increasing number of standards.

The report card is a valid attempt to measure and improve government performance. Federal leaders, however, must consider its limitations when planning strategically. Agencies may be challenged to pursue meaningful and cost-effective security in areas that the report card fails to acknowledge.

Even worse, the public and litigants have read the report card as evidence of organizational failure and a preponderance of individual risk.

Such a view of the report card is not accurate, but it has been presented in a U.S. District Court to justify disconnecting Interior from the Internet (Cobell v. Norton). The economic and governmental disruption would be catastrophic if that same ruling were applied to all federal agencies with failing FISMA scores.

Hurford is a former chief information security officer at the Interior Department. He is now a partner with Mitsis IT Services.
