Critics question value of federal IT security report card

The U.S. government received an overall C grade on an annual information security report card that was released Tuesday. But the report card and the internal security reports on which it's based face increasing skepticism about whether they accurately portray how prepared federal agencies are to deal with cyberthreats.

For the second year in a row, the governmentwide grade improved modestly, rising from a C- on the report card issued last year for 2006. But nine of the 24 agencies rated by U.S. Rep. Tom Davis (R-Va.) were given failing grades for 2007 on the latest report card, among them the Nuclear Regulatory Commission and the Departments of Defense, Agriculture, Labor and Veterans Affairs.

Meanwhile, four agencies, including the Department of Justice and the Environmental Protection Agency, earned A+ grades on the new report card. Four others received grades of A or A- from Davis, who is the ranking minority member on the House Committee on Oversight and Government Reform.

The grades are based on reports compiled annually by the inspector general at each agency to measure its compliance with the Federal Information Security Management Act, which Davis authored. FISMA requires agencies to develop processes for testing their security controls and contingency plans, and also mandates that they adopt standard system configurations, set incident response and breach disclosure policies, and implement programs for security training and for system accreditation and certification.

The law was approved in the aftermath of the Sept. 11, 2001, terrorist attacks and initially was seen as a much-needed measure for bolstering federal information security. But over the past two or three years, there has been growing concern that many agencies have begun treating the FISMA process as little more than a paperwork exercise, resulting in little in the way of actual security improvements.

The current FISMA reports "say absolutely nothing about government security," said Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based IT training and certification organization. "This is just a measure of compliance with report generation."

The big problem, according to Paller and other critics, is that FISMA doesn't require agencies to demonstrate that they have effectively implemented the mandated controls and thereby actually improved their IT security. For instance, an agency that can show it has a security awareness training program in place is deemed to be compliant with that requirement, even if no employees have received any actual training, Paller said.

Ironically, he added, some agencies that are making an effort to comply with the true intent of the 396-page FISMA requirements document are getting poor grades on the annual report card, while others that have treated the process as a mere paperwork exercise are getting good grades. FISMA "is an example for the textbooks," Paller said. "First, Congress creates waste by writing FISMA in a way that demands useless reporting, and then it highlights the useless scores in a way that in some cases provides incentives for federal agencies to deliver misleading results."

Tim Bennett, president of the Cyber Security Industry Alliance trade group, raised the same concerns in written testimony that he submitted prior to a Senate subcommittee hearing in March. "FISMA does not tell the whole story when it comes to agencies' information security practices," Bennett wrote. "Nowhere is an agency's ability to detect and respond to intrusions measured in FISMA."

And Gregory Wilshusen, director of information security issues at the Government Accountability Office, said last June that simply complying with FISMA wasn't enough to close the gaps in IT security controls at many federal agencies.

Gartner Inc. analyst John Pescatore said that FISMA has succeeded to a large extent in focusing attention on cybersecurity issues governmentwide. "At least it's forcing government agencies to publicly state how well they're doing with security," he noted. "Where are the grades for private industry?" But as with numerous other government initiatives, FISMA has become too "paperbound" and too heavily focused on process issues, Pescatore said.

He added that it's time for a "major revamp" of the entire FISMA process to make it "less a reflection of paperwork" and more about real security measures. For example, he said he would like to see a focus on "continuous vulnerability assessment requirements," such as those mandated by the credit card companies as part of the Payment Card Industry Data Security Standard. There also could be more emphasis on ensuring that new technologies being introduced by federal agencies have adequate security controls baked into them, he said.

A staffer in Davis' office, who asked not to be identified, acknowledged some of the issues but said that FISMA has played a major role in focusing attention on information security issues within the government. "What we continue to work with is to try to improve the efficacy of the scores and to make sure the process is measuring what it is supposed to be measuring," the staffer said.

According to the staffer, Davis is actively working on legislation that would give the FISMA mandates more teeth. The goal, he said, is to give agencies incentives for using FISMA to bolster their IT security while instituting some kind of "firm penalties" for those that fail to do so.

This story, "Critics question value of federal IT security report card" was originally published by Computerworld.
