Feds Can’t Get Their “Act” Together. Agencies Have Problems Implementing Federal Information Security Management Act.
The National Institute of Standards and Technology (NIST) sets out the specifications, guidelines, and methods for securing information under the Federal Information Security Management Act (FISMA). NIST also requires the Government Accounting Office (GAO) to deliver regular progress reports to the agency that oversees FISMA, the Office of Management and Budget, which in turn reports to Congress.
How did we ever get along before there were bureaucracies? Maybe somebody should appoint a commission to find out.
Of the 24 agencies the GAO evaluated, can you guess how many met all eight key FISMA requirements as enacted by Congress in 2002? If you guessed “zero,” you’d be 100% correct. From fiscal year 2011 to 2012, the number of agencies able to track computer system weaknesses declined from 20 to 15. At the same time, the number that analyzed, validated and documented security incidents increased from 16 to 19. Additionally, 23 agencies had vulnerabilities in the controls meant to limit or detect access to computer systems.
And it’s not as if the government is skimping on security: it spends something like $12 billion a year, or 15% of its overall IT budget, on security. That, in the view of csoonline.com, makes security a top priority.
So, to paraphrase Shakespeare, where’s the rub? And, to further paraphrase the Bard (sort of) and possibly cause him to roll over in his grave, the fault might not lie in our stars or ourselves, but in FISMA.
According to a recent poll of more than 200 federal cybersecurity pros conducted by MeriTalk, a public-private partnership focused on improving government IT, half said FISMA improved security at their agencies. If our math is correct, it also meant half did not feel it improved security. The survey also found that the majority believed their agencies were vulnerable to cyberthreats; nearly three-quarters said current security measures would not be sufficient beyond the next year.
A Forrester Research report released last year and quoted in the csoonline.com article said the NIST framework behind FISMA was “vague and confusing…. It outlines what to do, but not how to accomplish goals, its security control descriptions leave room for interpretation, and it functions too much like a ‘choose-your-own-adventure’ book with no ending.”
In April, reports csoonline.com, the House of Representatives passed a FISMA reform bill. (We double-checked the accuracy of the previous statement and, amazingly enough, it was true. The House did pass something.) Anyway, one of the reforms replaces the compliance checklist with a process of continuous monitoring to ensure that systems maintain their required level of security.
Stephen W.T. O’Keeffe, founder of MeriTalk, sums up: “Too often, feds are left chasing their tails — working paperwork compliance issues when real threats need their attention.”
ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.