FISMA continues to challenge
Ten years after it first passed, FISMA continues to frustrate agencies trying to comply with its requirements.
Only seven out of 24 agencies are more than 90 percent compliant with the Federal Information Security Management requirements, and more than half saw their compliance score decline compared to last fiscal year’s numbers, according to an Office of Management and Budget review.
The March 7 report outlines CFO Act agencies' adoption of FISMA standards and shows that none of the reviewed entities were fully compliant. In addition to the seven that were more than 90 percent compliant, eight scored between 65 and 90 percent compliance, and the remaining eight scored less than 65 percent.
OMB asked agency inspectors general to evaluate their agency’s information security programs in 11 areas, including risk management, security training and contingency planning. The IGs also looked at whether their agencies had a program in place that adhered to the various FISMA requirements to protect government systems and information.
Can agency systems handle new FISMA requirements?
The National Science Foundation had the highest compliance score, falling just short of full compliance with 98.8 percent, while the Agriculture Department scored the lowest with 32.5 percent. Compared to 2010 scores, NASA had the largest spike with 32.1 points and the U.S. Agency for International Development saw the largest drop of 36.6 points. The Defense Department failed to provide details required for scoring in both 2010 and 2011.
The three top-scoring agencies -- NSF, the Social Security Administration and the Environmental Protection Agency – saw modest decreases in their compliance scores from last year. The Nuclear Regulatory Commission, NSF and SSA had compliant programs for all 11 areas, but reported that certain areas still need improvements. The remaining agencies needed significant improvement in at least one area.
Overall, the weakest compliance was found in continuous monitoring management, configuration management, and identity management. The number of agencies without continuous monitoring management increased in 2011, and those that needed improvements to make their programs fully compliant cited inadequate policies and a lack of security documentation as major obstacles.
“This reflects a general problem with public sector management,” said Daniel Castro, a senior analyst at the Information Technology & Innovation Foundation. “Federal agencies have an incentive to perform up to expectations, but rarely is there an incentive to exceed them. After all, agencies may have to pass certain tests, but a pass is a pass, and they get little to no benefit for doing extra well."
In this case, the reviews didn’t necessarily match up well with the FISMA standards because FISMA reporting requirements aren’t entirely comprehensive, he said. OMB increased the FISMA reporting requirements for fiscal 2010 to include continuous monitoring and identity management, and once inspector generals zoned in on these areas, they discovered a number of agencies that weren’t complaint.
Agencies did well on areas they have been tested on more frequently in previous years, and worse in those that have the newest reporting requirements, Castro said. He also acknowledged that some of these issues are harder to fix. Continuous monitoring, for one, can be complicated to do well unless it’s institutionalized. Another challenge is determining on a day-to-day basis if agencies are doing it well. Badly done incident response, on the other hand, is more noticeable because of user complaints and poor metrics, he said.
“That said, sometimes from an organizational perspective there is a benefit to failing,” Castro said. “After all, the squeaky wheel gets to petition Congress to appropriate federal dollars to buy more grease.”
FISMA became law in 2002 as part of the E-Government Act of 2002.