Improved FISMA scores don't add up to better security, auditor says

GAO official says metrics generally don't measure how well security controls are established

The government’s current choice of metrics is partly to blame for the fact that agencies are reporting improved compliance with security requirements even while government investigators continue to find security gaps, auditors say.

Part of the problem is that although the Office of Management and Budget requires agencies to establish information technology security controls, the metrics generally do not measure how well those controls are implemented, according to the Government Accountability Office.

“Developing and using metrics that measure how well agencies implement important controls can contribute to increased focus on the effective implementation of federal information security,” said Gregory Wilshusen, director of information security issues at GAO, testifying June 25 before the House Science and Technology Committee’s Technology and Innovation Subcommittee.

Wilshusen said the current metrics probably served a useful purpose when they were developed because, at that time, many agencies weren’t performing basic security controls. However, he said, it’s time to examine how agencies implement the controls and consider other types of metrics.

Wilshusen’s testimony echoed findings GAO released in May that said OMB should improve the guidance it gives agencies for complying with the Federal Information Security Management Act. To comply with that law, OMB collects annual reviews of agencies’ information security programs from chief information officers, inspectors general and other agency officials.

Meanwhile, lawmakers continue to ponder reforms to FISMA, which critics say relies too much on paper compliance reports and doesn’t fully address IT vulnerabilities. For example, Sen. Thomas Carper (D-Del.) introduced legislation in April designed to improve FISMA.

The Obama administration has also indicated it might be time to change how IT security is measured. Vivek Kundra, the federal CIO, has said the administration’s initial review of government information security showed that performance data currently collected under FISMA doesn’t accurately reflect the security posture of agencies.

The current collection process is cumbersome and takes time away from meaningful analysis, Kundra has said. Furthermore, there is too much focus on compliance and not enough on outcomes, and a risk-based approach to IT security is needed.

During the hearing, Rep. David Wu (D-Ore.), the subcommittee’s chairman, said a key finding of the Obama administration’s cyberspace policy review was the need for objectives and metrics to accurately measure cybersecurity performance.

“The development of these metrics would provide a base from which we could improve program assessment, budgeting, research and development prioritization and strategic planning,” Wu said.

About the Author

Ben Bain is a reporter for Federal Computer Week.
