After 10 Years Agencies Continue to Fail FISMA

March 16, 2012

Although I don’t think compliance is the right answer, the general stats presented in the article scare me. Only 7 out of 24 agencies tested are more than 90% compliant with FISMA. And this year FISMA will be 10 years old!

(… contemplate on that for a while …)

Although agencies are making progress as noted in the report, many are still lagging way behind. Geez, they can’t even fake compliance for goodness sake. Here are some more tidbits…

Top 3 Compliant Agencies

  • National Science Foundation (98.8%)
  • Social Security Administration
  • Environmental Protection Agency

Lowest Ranked Agencies

  • Agriculture Department (32.5%)
  • Defense Department (0% – note that they didn’t even report anything back)

Weakest Compliance Areas

  • Continuous Monitoring: What? This is like the most important area. And I hope they aren’t talking about continuous monitoring of security controls (e.g., reporting once a month vs. every three years) rather than continuous monitoring of our systems being attacked.
  • Configuration Management: Another important one… There’s this theory that if CM is done properly, then all other security controls wouldn’t be necessary. Perhaps a future blog post…
  • Identity Management: All that HSPD-12 stuff I don’t understand…

via FCW.com

Only seven out of 24 agencies are more than 90 percent compliant with the Federal Information Security Management requirements, and more than half saw their compliance score decline compared to last fiscal year’s numbers, according to an Office of Management and Budget review.

The March 7 report outlines CFO Act agencies’ adoption of FISMA standards and shows that none of the reviewed entities were fully compliant. In addition to the seven that were more than 90 percent compliant, eight scored between 65 and 90 percent compliance, and the remaining eight scored less than 65 percent.

OMB asked agency inspectors general to evaluate their agency’s information security programs in 11 areas, including risk management, security training and contingency planning. The IGs also looked at whether their agencies had a program in place that adhered to the various FISMA requirements to protect government systems and information.

Continued here.

#####

Oh and by “faking compliance” what I mean is that they go through the motions of doing all the compliance things but in the end those things don’t make them any more secure or are only relevant for that point in time. The rest of the time … it’s business as usual and only picked up and dusted off when it’s audit time. Today’s post pic is from EcomInfoTech.biz.


12 Responses to After 10 Years Agencies Continue to Fail FISMA

  1. (@novainfosec) (@novainfosec) on March 16, 2012 at 3:56 pm

    #NOVABLOGGER: After 10 Years Agencies Continue to Fail FISMA http://t.co/6LYeelzD http://t.co/Inu1SfcI

  2. (@grecs) (@grecs) on March 16, 2012 at 4:17 pm

    BLOGGED: After 10 Years Agencies Continue to Fail FISMA http://t.co/a0LujLVM

  3. (@Nathiet) (@Nathiet) on March 16, 2012 at 4:39 pm

    After 10 Years Agencies Continue to Fail FISMA – Although I don’t think compliance is the right answer, the general… http://t.co/lJRvUCBf

  4. (@Nathiet) (@Nathiet) on March 16, 2012 at 6:38 pm

    #NoVABlogger After 10 Years Agencies Continue to Fail FISMA http://t.co/FO68o5b0

  5. (@Nathiet) (@Nathiet) on March 16, 2012 at 9:01 pm

    Blogged: After 10 Years Agencies Continue to Fail FISMA http://t.co/t8HEs1Az

  6. Wouter-Bas v d Vegt (@WBVEGT) on March 16, 2012 at 10:47 pm

    RT @novainfosec: “Only 7 out of 24 agencies tested are more than 90% compliant with FISMA.” http://t.co/6LYeelzD Note FISMA is 10 yrs old.

  7. (@Nathiet) (@Nathiet) on March 17, 2012 at 12:00 am

    In Case You Missed it: After 10 Years Agencies Continue to Fail FISMA http://t.co/Mgi44L0I

  8. grecs on March 18, 2012 at 11:45 am

    Another look at this data … Graphical Look at Fed Infosec Performance http://www.govinfosecurity.com/blogs.php?postID=1222

  9. (@novainfosec) (@novainfosec) on March 18, 2012 at 11:47 am

    Added comment with link to good GovInfosecurity article on latest FISMA report card to our post. http://t.co/6LYeelzD

  10. grecs on March 18, 2012 at 12:07 pm

    Another analogy re “faking compliance” … It isn’t about learning security; it’s about studying to pass the test.

  11. (@grecs) (@grecs) on March 18, 2012 at 12:08 pm

    Nother analogy re “faking compliance” – It isn’t a/b learning security; it’s about studying to pass the test. http://t.co/a0LujLVM

  12. Issac on December 11, 2012 at 12:32 pm

    Good way of explaining, and good paragraph to get facts about my presentation focus, which I am going to present in academy.
