Improved FISMA scores don't add up to better security, auditor says

GAO official says metrics generally don't measure how well security controls are established

The government’s current choice of metrics is partly to blame for the fact that agencies are reporting improved compliance with security requirements even while government investigators continue to find security gaps, auditors say.

Part of the problem is that although the Office of Management and Budget requires agencies to establish information technology security controls, the metrics generally do not measure how well those controls are implemented, according to the Government Accountability Office.

“Developing and using metrics that measure how well agencies implement important controls can contribute to increased focus on the effective implementation of federal information security,” said Gregory Wilshusen, director of information security issues at GAO, testifying June 25 before the House Science and Technology Committee’s Technology and Innovation Subcommittee.

Wilshusen said the current metrics probably served a useful purpose when they were developed because, at that time, many agencies weren’t performing basic security controls. However, he said, it’s time to examine how agencies implement the controls and consider other types of metrics.

Wilshusen’s testimony echoed findings GAO released in May that said OMB should improve the guidance it gives agencies for complying with the Federal Information Security Management Act. To comply with that law, OMB collects annual reviews of agencies’ information security programs from chief information officers, inspectors general and other agency officials.

Meanwhile, lawmakers continue to ponder reforms to FISMA, which critics say relies too much on paper compliance reports and doesn’t fully address IT vulnerabilities. For example, Sen. Thomas Carper (D-Del.) introduced legislation in April designed to improve FISMA.

The Obama administration has also indicated it might be time to change how IT security is measured. Vivek Kundra, the federal CIO, has said the administration’s initial review of government information security showed that performance data currently collected under FISMA doesn’t accurately reflect the security posture of agencies.

The current collection process is cumbersome and takes time away from meaningful analysis, Kundra has said. Furthermore, there is too much focus on compliance and not enough on outcomes, and a risk-based approach to IT security is needed.

During the hearing, Rep. David Wu (D-Ore.), the subcommittee’s chairman, said a key finding of the Obama administration’s cyberspace policy review was the need for objectives and metrics to accurately measure cybersecurity performance.

“The development of these metrics would provide a base from which we could improve program assessment, budgeting, research and development prioritization and strategic planning,” Wu said.

About the Author

Ben Bain is a reporter for Federal Computer Week.


Reader comments

Mon, Jul 6, 2009 Jeffrey A. Williams Frisco Texas

There are no metrics that have any meaning for actually fixing or solving already known existing security holes. This is likely due to the fact that policy folks don't know how to actually fix, or provide for doing the work that is needed to correct, the many glaring security holes in government web sites.
