FISMA Implementation


This topic contains 1 reply, has 1 voice, and was last updated by  Henry Brown 4 years, 8 months ago.

  • #180366

    Henry Brown
    Participant

    From Tripwire Blog:

    Federal Agencies Slow to Implement FISMA Mandated Security

    A recent report by the Government Accountability Office indicates that federal agencies are moving slow to implement information security policies and procedures as mandated by the Federal Information Security Management Act of 2002 (FISMA), and that improved metrics are needed to better track progress.

    FISMA requires by law that every federal agency establish a comprehensive information security program that includes eight key components. The GAO study revealed that the extent to which agencies have successfully implemented the required security program components showed only mixed progress from fiscal year 2011 to fiscal year 2012.

    Meanwhile, the government shutdown has led to a significant number of agency personnel being furloughed, many from the IT departments, meaning that implementation of these key FISMA-mandated security components will languish even longer than previously expected.

    “The speed and accessibility that create the benefits of the computer age, if not properly controlled, can allow unauthorized individuals and organizations to inexpensively eavesdrop on or interfere with these operations from remote locations for potentially malicious purposes, including fraud or sabotage,” the GAO report states.

    Download the 61-page, 2.8 Meg PDF file from GAO:

  • #180369

    Henry Brown
    Participant

    From the above GAO report:

    What GAO Found

    In fiscal year 2012, 24 major federal agencies had established many of the components of an information security program required by the Federal Information Security Management Act of 2002 (FISMA); however, they had only partially established others. FISMA requires each federal agency to establish an information security program that incorporates eight key components, and each agency inspector general to annually evaluate and report on the information security program and practices of the agency. The act also requires the Office of Management and Budget (OMB) to develop and oversee the implementation of policies, principles, standards, and guidelines on information security in federal agencies, and the National Institute of Standards and Technology to develop security standards and guidelines.

    The extent to which agencies implemented security program components showed mixed progress from fiscal year 2011 to fiscal year 2012. For example, according to inspectors general reports, the number of agencies that had analyzed, validated, and documented security incidents increased from 16 to 19, while the number able to track identified weaknesses declined from 20 to 15. GAO and inspectors general continue to identify weaknesses in elements of agencies’ programs, such as the implementation of specific security controls. For instance, in fiscal year 2012, almost all (23 of 24) of the major federal agencies had weaknesses in the controls that are intended to limit or detect access to computer resources.

    OMB and the Department of Homeland Security (DHS) continued to develop reporting metrics and assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, such as conducting risk assessments and developing security plans; are focused mainly on compliance rather than effectiveness of controls; and in many cases did not identify specific performance targets for determining levels of implementation. Enhancements to these metrics would provide additional insight into agency information security programs.
    Why GAO Did This Study

    FISMA requires the Comptroller General to periodically report to Congress on agency implementation of the act’s provisions. To this end, this report summarizes GAO’s evaluation of the extent to which agencies have implemented the requirements of FISMA, including the adequacy and effectiveness of agency information security policies and practices. To do this, GAO analyzed its previous information security reports, annual FISMA reports and other reports from the 24 major federal agencies, reports from inspectors general, and OMB’s annual reports to Congress on FISMA implementation. GAO also interviewed agency officials at OMB, DHS, NIST, and 6 agencies selected using the total number of systems the agencies reported in fiscal year 2011.
    What GAO Recommends

    GAO and inspectors general have previously made numerous recommendations to improve agencies’ information security programs. The agencies generally agreed with GAO’s recommendations. In addition, GAO previously recommended that OMB revise annual reporting guidance to require performance targets to which OMB generally agreed. GAO is also recommending that the Director of OMB ensure that metrics are incorporated that assess the effectiveness of information security programs in OMB’s annual FISMA reporting instructions to agencies and inspectors general.
