FISMA continues to challenge

Only seven out of 24 agencies are more than 90 percent compliant with the Federal Information Security Management Act (FISMA) requirements, and more than half saw their compliance score decline compared to last fiscal year's numbers, according to an Office of Management and Budget review.

The March 7 report outlines CFO Act agencies' adoption of FISMA standards and shows that none of the reviewed entities were fully compliant. In addition to the seven that were more than 90 percent compliant, eight scored between 65 and 90 percent compliance, and the remaining eight scored less than 65 percent.

OMB asked agency inspectors general to evaluate their agency’s information security programs in 11 areas, including risk management, security training and contingency planning. The IGs also looked at whether their agencies had a program in place that adhered to the various FISMA requirements to protect government systems and information.

The National Science Foundation had the highest compliance score, falling just short of full compliance with 98.8 percent, while the Agriculture Department scored the lowest with 32.5 percent. Compared to 2010 scores, NASA had the largest spike with 32.1 points and the U.S. Agency for International Development saw the largest drop of 36.6 points. The Defense Department failed to provide details required for scoring in both 2010 and 2011.

The three top-scoring agencies -- NSF, the Social Security Administration and the Environmental Protection Agency -- saw modest decreases in their compliance scores from last year. The Nuclear Regulatory Commission, NSF and SSA had compliant programs for all 11 areas, but reported that certain areas still need improvements. The remaining agencies needed significant improvement in at least one area.

Overall, the weakest compliance was found in continuous monitoring management, configuration management, and identity management. The number of agencies without continuous monitoring management increased in 2011, and those that needed improvements to make their programs fully compliant cited inadequate policies and a lack of security documentation as major obstacles.

“This reflects a general problem with public sector management,” said Daniel Castro, a senior analyst at the Information Technology & Innovation Foundation. “Federal agencies have an incentive to perform up to expectations, but rarely is there an incentive to exceed them. After all, agencies may have to pass certain tests, but a pass is a pass, and they get little to no benefit for doing extra well."

In this case, the reviews didn't necessarily match up well with the FISMA standards because FISMA reporting requirements aren't entirely comprehensive, he said. OMB increased the FISMA reporting requirements for fiscal 2010 to include continuous monitoring and identity management, and once inspectors general zeroed in on these areas, they discovered a number of agencies that weren't compliant.

Agencies did well on areas they have been tested on more frequently in previous years, and worse in those that have the newest reporting requirements, Castro said. He also acknowledged that some of these issues are harder to fix. Continuous monitoring, for one, can be complicated to do well unless it’s institutionalized. Another challenge is determining on a day-to-day basis if agencies are doing it well. Badly done incident response, on the other hand, is more noticeable because of user complaints and poor metrics, he said.

“That said, sometimes from an organizational perspective there is a benefit to failing,” Castro said. “After all, the squeaky wheel gets to petition Congress to appropriate federal dollars to buy more grease.”

FISMA became law in 2002 as part of the E-Government Act of 2002.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Reader comments

Thu, Mar 15, 2012

Non-compliance is the result of many problems that these agencies have to face. First, they already have many more regulations they have to deal with and adding a few more will just get lost in the mix as well as require more training and more time to devote to just one of many things that have to be prioritized. Second, with the many levels in the chain of command in these agencies, any new rules take a lot of time to get passed down, interpreted and prioritized at each level, and direction given to those who need to implement them. Third, there is not much incentive in these agencies to actually implement these rules. These people have many priorities, so adding one more will reduce the priority of everything else deemed less important - making other people upset. These groups are always looking to add more people whether or not they really need to. If they really need people, then adding more work to overworked people will likely result in it not getting done. If they have the extra manpower, getting this work done quickly just shows they do not need more people. So what incentive do they get for being efficient and ahead of the curve for productivity? None!

Thu, Mar 15, 2012 Jack

Great article. Well thought out and actually includes the fact that "continuous monitoring" is and always has been required by FISMA, C&A, and the NIST standards. This article also does a great job pointing out that agencies are responsible for the failures of implementation not the law.

Thu, Mar 15, 2012

Spelling error in paragraph 2. See additiont
