Who keeps failing their FISMA compliance?

Summary:The recently released U.S Federal Computer Security Report Card for 2008, indicates that several critical to national security departments continue failing to implement the Federal Information Security Management Act (FISMA).

The recently released U.S Federal Computer Security Report Card for 2008, indicates that several critical to national security departments continue failing to implement the Federal Information Security Management Act (FISMA).

FISMA 2008

From a cyber espionage perspective, the lack of prioritization of departments that must be audited first, often results in anecdotal cases.

Case in point, who cares if the Environmental Protection Agency scored A+ when the Nuclear Regulatory Commission and the Department of the Interior have been failing for 2006 and 2007 altogether? And isn't it disturbing to know that Housing and Urban Development scores higher than the Department of Defense? Secured by default through the use of (outdated) information security acts isn't perfect, and the results of such assessments shouldn't be taken for granted. That's mostly because the threatscape and the dynamic development of a department's infrastructure is prone to grow faster than a standard can keep up with the threats and insecurities posed by the new technologies. Here are some more opinions about FISMA's applicability in real-life threatscape situations :

“Some argue that FISMA does not adequately measure information security,” said Tim Bennett, president at the Cyber Security Industry Alliance. “A high FISMA grade doesn’t mean the agency is secure and vice versa. That is because FISMA grades reflect compliance with mandated processes: they do not, in my view, measure how much these process have actually increased security.” Despite an obvious need to improve security, no one suggested scrapping FISMA.

“The bill itself is fine with the way the framework is set up,” said Karen Evans, OMB’s administrator for electronic government and IT. FISMA is a tool that provides metrics for reporting efforts, and with independent IG evaluations it does not rely on self-reporting. Whether or not it is a paperwork drill or a genuine enhancement to security “depends on how the agency goes about doing the work.”

FISMA is currently revisited, and therefore an updated framework is definitely in the works.

Topics: Security

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.