Risk
3/15/2012
07:49 PM
Connect Directly
RSS
E-Mail
50%
50%

Federal Agencies Still Lag On FISMA Compliance

Half the 24 agencies reviewed by their own inspector generals last year slipped in compliance with the Federal Information Security Management Act. Only 7 achieved more than 90% compliance in areas such as security training and contingency planning.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
Despite the Obama administration's focus on cybersecurity, agencies still are not fully meeting the cybersecurity requirements of the Federal Information Security Management Act (FISMA), according to a recently released report.

Although agencies are making progress on implementing a new FISMA reporting requirement mandated by the feds in 2011, compliance with FISMA slipped for more than half of 24 agencies reviewed in a recent Office of Management and Budget (OMB) report.

The OMB asked inspector generals of the agencies to assess IT security programs in 11 areas, including risk management, configuration management, security training, contingency planning and identity and access management.

Only seven of the 24 agencies achieved more than 90% compliance with FISMA requirements for these areas, with the National Science Foundation (NSF) topping the list with 98.8% compliance. However, even that was a very slight slip from last year, when the NSF achieved 98.9% FISMA compliance, according to the OMB report.

[ Federal cybersecurity incidents are growing. See Federal Cybersecurity Incidents Rocket 650% In 5 Years. ]

Other agencies at the top of the list in compliance are the Social Security Administration (96.9%), the Environmental Protection Agency (94.9%), the Nuclear Regulatory Commission (94.8%), the Department of Homeland Security (DHS) (93.4%), NASA (92.9%), and the Department of Justice (91.2%). Still, the SSA, EPA, and NRC all achieved lower compliance scores from last year, when they were 100%, 99.2% and 96.7% compliant, respectively.

Eight agencies achieved 66% or higher compliance with FISMA, while nine achieved 65% or less. The Department of Transportation (44.2%), Department of Interior (44.2%) and Department of Agriculture (32.5%) were at the bottom of the list. The Department of Defense was not included in the OMB report, as it did not provide enough detail for FISMA compliance scoring, according to the report.

Despite overall low compliance numbers, there were some bright spots in the report. In 2011, the feds mandated that agencies begin reporting security data to an online compliance tool called Cyberscope.

More than 75% of the agencies reviewed have successfully demonstrated that they can provide automated data feeds to Cyberscope, a significant increase over the 17% that demonstrated this capability in 2010, according to the OMB's report. The plan is that the DHS will analyze this data to help mitigate risks across agencies going forward.

The report also outlines three priorities the feds have identified for FISMA this year: trusted Internet connections, continuous monitoring, and HSPD-12. The last requires agencies to upgrade their physical and logical access control infrastructure to require HSPD-12 PIV credentials for access to IT systems and facilities.

Agencies are making progress against these priorities, according to the report. In the area of HSPD-12, for example, agencies said that 89% of employees and contractors requiring PIV credentials--or cards to meet the new identity requirements--have received them.

Moreover, 66% of government user accounts are configured to require PIV cards to authenticate to agencies' networks, a figure that's up from 55% in fiscal-year 2010. The report attributes this increase to "several agencies which made significant strides in HSPD-12 implementation," according to the OMB.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.