William Jackson | Happy Birthday FISMA

Cybereye—commentary

By William Jackson

The Federal Information Security Management Act is five years old. For five years, agencies have been struggling under unfunded mandates for regulatory compliance, a drumbeat of bad publicity from annual congressional report cards, a constant ping of hostile probes of IT systems and the occasional self-inflicted black eye. Is government’s IT security any better today than it was in 2002?

It is hard to say with certainty because assessing security is like trying to prove a negative. If security is done right, the outcome is nothing. This makes it difficult to identify success and easy to pinpoint every slip. This is further complicated by the fact that there is no such thing as “government IT security.” There are several dozen executive branch departments and agencies covered under FISMA, many with dozens more subdivisions, each with its unique networks, systems, missions and challenges.

But on the whole, I think government IT security has improved and I think FISMA has helped.

This might not be immediately apparent. The most recent annual IT security report card from the House Government Oversight and Reform Committee gave the 24 executive branch agencies covered in the report an overall grade of only C- for 2006. The grade had been stalled at D or D+ for the previous three years. Agencies receiving an F or an A this year are tied at eight each. Seven agencies improved their grades this year, six got worse and 10 remained the same. One major department, Veterans Affairs, didn’t provide a report for 2006 and so received an “incomplete.”

But these grades probably are not a good assessment of IT security. They focus broadly on regulatory compliance without taking into account the complexities and incremental improvements.

“I don’t think these grades represent a good measure of how well agencies have secured their information assets,” said Chris Fountain, CEO of SecureInfo Corp. of Washington. “FISMA has gotten bad publicity because of non-representative grades.”

Faced with limited resources and shrinking budgets, administrators often are forced to make tough choices between regulatory compliance and practical efforts. Ted Julian, vice president of marketing and strategy for Application Security Inc. of New York, said that what he hears from his government customers is, “compliance is important, but they don’t want the compliance tail to wag the security dog.”
