Security grades bring new complaints

Does FISMA compliance create secure IT systems?

Some departments’ information technology security grades went from dismal to decent in 2005, according to the latest IT security data collected by the Office of Management and Budget. Following a poor showing in previous years, the Department of Veterans Affairs, for example, received good marks for achieving 100 percent compliance with federal IT security certification and accreditation policies.

But after five years in which federal agencies have been graded on their compliance with IT security policies, some former federal security officials question the meaning of the annual security grades. “High grades could mean a lot of compliance but not necessarily a lot of security,” said Bruce Brody, vice president of information security at Input, a market research firm.

Brody, a former information security official at the VA and Energy Department, said he observed agencies creating huge amounts of paperwork to achieve compliance with the Federal Information Security Management Act of 2002. But that paperwork was not always connected to underlying security fixes, he added. “You really have to ask yourself what has five years of FISMA given to us?”

After a Feb. 22 information security workshop in Washington, D.C., Brody said it would be helpful if OMB would recognize technically based security audits in which agencies continuously scan and patch their systems and networks and maintain audit logs. “That process could replace an inordinate amount of paper that is generated right now on certification and accreditation.”

OMB, which oversees agencies’ compliance with FISMA, reported that 85 percent of federal agencies and departments met FISMA’s certification and accreditation requirements in fiscal 2005. OMB sees progress in the new figures: in fiscal 2002, only 47 percent of federal agencies complied with those requirements.

Aware of the costs of FISMA reporting, OMB officials have begun investigating whether compliance reporting could be consolidated to reduce those costs.

Lynn McNulty, director of government services at the International Information Systems Security Certification Consortium, said the federal approach to information security could use further revamping. “I think we need a change of mind-set,” he said. “It’s kind of a regulatory mind-set that is dominating the process.”

McNulty said information security programs at most U.S. businesses require far less paperwork than federal agencies do. But important similarities exist, he added. In businesses and federal agencies, chief information security officers “are fighting for resources, fighting for management attention and management support,” he said. In some companies, the role of the chief information security officer is evolving as CISOs become risk managers and, in some cases, report to their company’s chief financial officer instead of the chief information officer.

But that evolution is not as likely to occur any time soon in the federal government, simply because FISMA requires the senior agency information security officer to report to the CIO, McNulty said. “By writing it into the statute, we’re locked into place, and it would require an act of Congress to change that relationship,” he added.
