Although I don’t think compliance is the right answer, the general stats presented in the article scare me. Only 7 out of 24 agencies tested are more than 90% compliant with FISMA. And this year FISMA will be 10 years old!
(… contemplate that for a while …)
Although agencies are making progress as noted in the report, many are still lagging way behind. Geez, they can’t even fake compliance for goodness sake. Here are some more tidbits…
Top 3 Compliant Agencies
- National Science Foundation (98.8%)
- Social Security Administration
- Environmental Protection Agency
Lowest Ranked Agencies
- Agriculture Department (32.5%)
- Defense Department (0% – note that they didn’t even report anything back)
Weakest Compliance Areas
- Continuous Monitoring: What? This is like the most important area. And I hope they aren’t talking about continuous monitoring of security controls (e.g., reporting once a month vs. every three years) rather than continuous monitoring of our systems being attacked.
- Configuration Management: Another important one… There’s this theory that if CM is done properly, then all other security controls wouldn’t be necessary. Perhaps a future blog post…
- Identity Management: All that HSPD-12 stuff I don’t understand…
Only seven out of 24 agencies are more than 90 percent compliant with the Federal Information Security Management requirements, and more than half saw their compliance score decline compared to last fiscal year’s numbers, according to an Office of Management and Budget review.
The March 7 report outlines CFO Act agencies’ adoption of FISMA standards and shows that none of the reviewed entities were fully compliant. In addition to the seven that were more than 90 percent compliant, eight scored between 65 and 90 percent compliance, and the remaining eight scored less than 65 percent.
OMB asked agency inspectors general to evaluate their agency’s information security programs in 11 areas, including risk management, security training and contingency planning. The IGs also looked at whether their agencies had a program in place that adhered to the various FISMA requirements to protect government systems and information.
Oh and by “faking compliance” what I mean is that they go through the motions of doing all the compliance things but in the end those things don’t make them any more secure or are only relevant for that point in time. The rest of the time … it’s business as usual and only picked up and dusted off when it’s audit time. Today’s post pic is from EcomInfoTech.biz.