Federal Cyber Grades Still Lacking
Sat, 2007-04-14 15:25
The newest federal government information security report card was just released by U.S. Representative Tom Davis (R-VA). The Office of Management and Budget (OMB) report examines federal cyber efforts for 2006, and it’s clear that more security work is needed in many departments.

Among the highlights: the U.S. Departments of Defense and State received F grades, and Homeland Security received a D. Meanwhile, the Agency for International Development (USAID) got an A+ and the Social Security Administration received another A.

The Washington Post did an article on the subject with several interesting quotes and opinions.

The Cyber Security Industry Alliance (CSIA) also issued a press release calling for drastic improvement and calling attention to their own report, which gave the federal government a D grade and urged that “Congress and the Administration work more closely together to strengthen FISMA implementation and enforcement.”

Over the past few years, various opinions from inside and outside of government have surfaced regarding the value of the report cards. For better or worse, the report card provides a benchmark or metric that people understand. Over the years, it also tells the public which agencies are improving and which are not.

The Merlin International Federal Research Consortium (MFRC), a group of leading Information Assurance solution providers, issued their own report on the process entitled “Is FISMA Making the Grade?” Based on a survey of Federal Chief Information Security Officers (CISOs), the study reveals that CISOs report their Federal Computer Security Report Card grades for 2007 have improved over 2006, but challenges persist with the process.

“CISOs still struggle with language ambiguities related to the Federal Information Security Management Act (FISMA) guidelines, according to the study. In addition, CISOs from large and small agencies hold divergent opinions on the value of the Report Card process.”

Many agencies are making major efforts to improve their security systems and processes. For example, the Department of State is upgrading security at posts worldwide.

Another relevant GCN article echoes a refrain heard widely across the federal government: FISMA grades don’t portray agencies’ true security postures.

“A good deal of what we are doing is not reflected on FISMA,” Van Derhoff said. He noted that the 110-point grading protocol omits consideration of scanning and intrusion detection methods that State uses.

Regardless of your views on these grades and the paperwork process, I believe that the federal government is, in general, still ahead of their state and local counterparts when it comes to cybersecurity. While some states are taking a more pragmatic approach to threats and addressing immediate needs faster than their federal colleagues, most states do not apply the FISMA rigor to their enterprise-wide efforts.

In my opinion, we’ll be hearing much more about this gap in years to come, since many federal programs are administered locally with state and local technology. For more on that issue, see my earlier blog on FISMA.
