- How to use electrical outlets and cheap lasers to steal data
- The botnet world is booming
- NTIA seeks volunteers to review broadband applications
- The 10 dumbest mistakes network managers make
- What's driving this university to IPv6? Going green
The annual release of cybersecurity grades are helping to improve U.S. government security, but the law the grades are based on needs to be more specific, U.S. agency chief information security officers said in a survey.
Sixty-seven percent of CISOs surveyed said they believe their agency's IT security has improved since their Federal Information Security Management Act (FISMA) grades were released a year ago. The CISO survey was part of the report, Is FISMA Making the Grade, published by the Merlin International Federal Research Consortium, representing a group of IT security vendors.
On Thursday, Representative Tom Davis, a Virginia Republican, released the 2006 FISMA scores, with eight of 24 agencies getting A minus grades or better. Eight agencies, including the Department of Defense, the Department of State and the Department of the Treasury, received F grades. FISMA, passed by Congress in 2002, requires agencies to take several actions, including conducting inventories of their IT equipment.
Although federal CISOs acknowledged that their agencies' cybersecurity has improved under FISMA, 46 percent of those surveyed said FISMA could be improved by clearer guidelines. Another 42 percent said FISMA could provide better guidance for yearly security controls tests. Only 54 percent of respondents said FISMA reporting provides real insight into their agency's IT security.
"High-level policies are nice -- to say, 'thou shalt be more secure,'" said Mark Zalubas, chief technology officer at Merlin International, a consulting firm associated with the consortium. "It's better when you provide specific language about how far you need to go."
Ambiguity in FISMA language requirements and funding issues were the two top reasons CISOs gave for decreases in FISMA grades this year, although 75 percent of those surveyed said their FISMA scores improved. Five of the agencies saw declines in their final letter-grade scores, released by Davis.
The funding issue isn't an easy one to fix, Zalubas said. "That's one you struggle with all the time," he added. "Do you give additional funding to folks who are doing poorly?"
Davis and Karen Evans, administrator of e-government and information technology in the White House Office of Management and Budget (OMB), both defended FISMA at a Thursday press conference. FISMA is a tool that helps agencies move forward on cybersecurity, Evans said.
Rss FeedRss Feed
The Leader in Network Knowledge
Comment