Risk
3/15/2012
07:49 PM
Connect Directly
RSS
E-Mail
50%
50%

Federal Agencies Still Lag On FISMA Compliance

Half the 24 agencies reviewed by their own inspector generals last year slipped in compliance with the Federal Information Security Management Act. Only 7 achieved more than 90% compliance in areas such as security training and contingency planning.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
Despite the Obama administration's focus on cybersecurity, agencies still are not fully meeting the cybersecurity requirements of the Federal Information Security Management Act (FISMA), according to a recently released report.

Although agencies are making progress on implementing a new FISMA reporting requirement mandated by the feds in 2011, compliance with FISMA slipped for more than half of 24 agencies reviewed in a recent Office of Management and Budget (OMB) report.

The OMB asked inspector generals of the agencies to assess IT security programs in 11 areas, including risk management, configuration management, security training, contingency planning and identity and access management.

Only seven of the 24 agencies achieved more than 90% compliance with FISMA requirements for these areas, with the National Science Foundation (NSF) topping the list with 98.8% compliance. However, even that was a very slight slip from last year, when the NSF achieved 98.9% FISMA compliance, according to the OMB report.

[ Federal cybersecurity incidents are growing. See Federal Cybersecurity Incidents Rocket 650% In 5 Years. ]

Other agencies at the top of the list in compliance are the Social Security Administration (96.9%), the Environmental Protection Agency (94.9%), the Nuclear Regulatory Commission (94.8%), the Department of Homeland Security (DHS) (93.4%), NASA (92.9%), and the Department of Justice (91.2%). Still, the SSA, EPA, and NRC all achieved lower compliance scores from last year, when they were 100%, 99.2% and 96.7% compliant, respectively.

Eight agencies achieved 66% or higher compliance with FISMA, while nine achieved 65% or less. The Department of Transportation (44.2%), Department of Interior (44.2%) and Department of Agriculture (32.5%) were at the bottom of the list. The Department of Defense was not included in the OMB report, as it did not provide enough detail for FISMA compliance scoring, according to the report.

Despite overall low compliance numbers, there were some bright spots in the report. In 2011, the feds mandated that agencies begin reporting security data to an online compliance tool called Cyberscope.

More than 75% of the agencies reviewed have successfully demonstrated that they can provide automated data feeds to Cyberscope, a significant increase over the 17% that demonstrated this capability in 2010, according to the OMB's report. The plan is that the DHS will analyze this data to help mitigate risks across agencies going forward.

The report also outlines three priorities the feds have identified for FISMA this year: trusted Internet connections, continuous monitoring, and HSPD-12. The last requires agencies to upgrade their physical and logical access control infrastructure to require HSPD-12 PIV credentials for access to IT systems and facilities.

Agencies are making progress against these priorities, according to the report. In the area of HSPD-12, for example, agencies said that 89% of employees and contractors requiring PIV credentials--or cards to meet the new identity requirements--have received them.

Moreover, 66% of government user accounts are configured to require PIV cards to authenticate to agencies' networks, a figure that's up from 55% in fiscal-year 2010. The report attributes this increase to "several agencies which made significant strides in HSPD-12 implementation," according to the OMB.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5452
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations.

CVE-2014-6041
Published: 2014-09-02
The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.