Risk
3/15/2012
07:49 PM
Connect Directly
RSS
E-Mail
50%
50%

Federal Agencies Still Lag On FISMA Compliance

Half the 24 agencies reviewed by their own inspector generals last year slipped in compliance with the Federal Information Security Management Act. Only 7 achieved more than 90% compliance in areas such as security training and contingency planning.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
Despite the Obama administration's focus on cybersecurity, agencies still are not fully meeting the cybersecurity requirements of the Federal Information Security Management Act (FISMA), according to a recently released report.

Although agencies are making progress on implementing a new FISMA reporting requirement mandated by the feds in 2011, compliance with FISMA slipped for more than half of 24 agencies reviewed in a recent Office of Management and Budget (OMB) report.

The OMB asked inspector generals of the agencies to assess IT security programs in 11 areas, including risk management, configuration management, security training, contingency planning and identity and access management.

Only seven of the 24 agencies achieved more than 90% compliance with FISMA requirements for these areas, with the National Science Foundation (NSF) topping the list with 98.8% compliance. However, even that was a very slight slip from last year, when the NSF achieved 98.9% FISMA compliance, according to the OMB report.

[ Federal cybersecurity incidents are growing. See Federal Cybersecurity Incidents Rocket 650% In 5 Years. ]

Other agencies at the top of the list in compliance are the Social Security Administration (96.9%), the Environmental Protection Agency (94.9%), the Nuclear Regulatory Commission (94.8%), the Department of Homeland Security (DHS) (93.4%), NASA (92.9%), and the Department of Justice (91.2%). Still, the SSA, EPA, and NRC all achieved lower compliance scores from last year, when they were 100%, 99.2% and 96.7% compliant, respectively.

Eight agencies achieved 66% or higher compliance with FISMA, while nine achieved 65% or less. The Department of Transportation (44.2%), Department of Interior (44.2%) and Department of Agriculture (32.5%) were at the bottom of the list. The Department of Defense was not included in the OMB report, as it did not provide enough detail for FISMA compliance scoring, according to the report.

Despite overall low compliance numbers, there were some bright spots in the report. In 2011, the feds mandated that agencies begin reporting security data to an online compliance tool called Cyberscope.

More than 75% of the agencies reviewed have successfully demonstrated that they can provide automated data feeds to Cyberscope, a significant increase over the 17% that demonstrated this capability in 2010, according to the OMB's report. The plan is that the DHS will analyze this data to help mitigate risks across agencies going forward.

The report also outlines three priorities the feds have identified for FISMA this year: trusted Internet connections, continuous monitoring, and HSPD-12. The last requires agencies to upgrade their physical and logical access control infrastructure to require HSPD-12 PIV credentials for access to IT systems and facilities.

Agencies are making progress against these priorities, according to the report. In the area of HSPD-12, for example, agencies said that 89% of employees and contractors requiring PIV credentials--or cards to meet the new identity requirements--have received them.

Moreover, 66% of government user accounts are configured to require PIV cards to authenticate to agencies' networks, a figure that's up from 55% in fiscal-year 2010. The report attributes this increase to "several agencies which made significant strides in HSPD-12 implementation," according to the OMB.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.