
Senate revisits FISMA

By William Jackson

The Office of Management and Budget reports that as of last year agency compliance with the Federal Information Security Management Act (FISMA) had significantly improved. In 2007, 92 percent of information systems were certified and accredited, 86 percent of agencies had a tested contingency plan, and 95 percent had tested security controls.

Unfortunately, FISMA compliance is not necessarily a good measure of information technology security, a panel of witnesses told a Senate subcommittee March 12. There are no consistent assessments of the effectiveness of the controls being put into place, and practical examples of weaknesses, such as system penetrations and data loss, continue to crop up.

“Despite reported progress, 20 of 24 agencies continue to experience information security control deficiencies,” said Gregory Wilshusen, director of information security issues at the Government Accountability Office.

Sen. Thomas R. Carper (D-Del.), chairman of the Homeland Security and Government Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, cited a litany of security breaches, including data losses by agencies and the apparent systematic probing of federal IT systems by China. He called the weaknesses “simply unacceptable.”

“Our inability to secure federal information networks and protect the information they contain leaves American citizens open to threats like identity theft,” he said. “It even places our national security at risk.”

The problem is not that FISMA is bad, as far as it goes, but that it does not go far enough, officials and experts said. They suggested clarified reporting requirements and better guidelines on complying with the law.

FISMA was enacted in 2002, establishing a set of requirements for agencies to meet in inventorying, assessing risk and placing security controls on information systems. All systems are supposed to be certified and accredited for operation and security controls, and programs regularly evaluated. Agency inspectors general are supposed to do annual independent evaluations. From the start there have been complaints from agencies and from security experts that the act would become a paperwork drill rather than produce meaningful security.

Despite reported improvements in compliance metrics over the past five years, assessments of agencies’ overall security postures have been routinely disappointing. Last year’s annual House report card on security gave the government an overall grade of C-, a slight improvement from the previous year’s D+.

“Some argue that FISMA does not adequately measure information security,” said Tim Bennett, president at the Cyber Security Industry Alliance. “A high FISMA grade doesn’t mean the agency is secure and vice versa. That is because FISMA grades reflect compliance with mandated processes: they do not, in my view, measure how much these processes have actually increased security.”

Despite an obvious need to improve security, no one suggested scrapping FISMA.
