Risk
3/15/2012
07:49 PM
Connect Directly
RSS
E-Mail
50%
50%

Federal Agencies Still Lag On FISMA Compliance

Half the 24 agencies reviewed by their own inspector generals last year slipped in compliance with the Federal Information Security Management Act. Only 7 achieved more than 90% compliance in areas such as security training and contingency planning.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
Despite the Obama administration's focus on cybersecurity, agencies still are not fully meeting the cybersecurity requirements of the Federal Information Security Management Act (FISMA), according to a recently released report.

Although agencies are making progress on implementing a new FISMA reporting requirement mandated by the feds in 2011, compliance with FISMA slipped for more than half of 24 agencies reviewed in a recent Office of Management and Budget (OMB) report.

The OMB asked inspector generals of the agencies to assess IT security programs in 11 areas, including risk management, configuration management, security training, contingency planning and identity and access management.

Only seven of the 24 agencies achieved more than 90% compliance with FISMA requirements for these areas, with the National Science Foundation (NSF) topping the list with 98.8% compliance. However, even that was a very slight slip from last year, when the NSF achieved 98.9% FISMA compliance, according to the OMB report.

[ Federal cybersecurity incidents are growing. See Federal Cybersecurity Incidents Rocket 650% In 5 Years. ]

Other agencies at the top of the list in compliance are the Social Security Administration (96.9%), the Environmental Protection Agency (94.9%), the Nuclear Regulatory Commission (94.8%), the Department of Homeland Security (DHS) (93.4%), NASA (92.9%), and the Department of Justice (91.2%). Still, the SSA, EPA, and NRC all achieved lower compliance scores from last year, when they were 100%, 99.2% and 96.7% compliant, respectively.

Eight agencies achieved 66% or higher compliance with FISMA, while nine achieved 65% or less. The Department of Transportation (44.2%), Department of Interior (44.2%) and Department of Agriculture (32.5%) were at the bottom of the list. The Department of Defense was not included in the OMB report, as it did not provide enough detail for FISMA compliance scoring, according to the report.

Despite overall low compliance numbers, there were some bright spots in the report. In 2011, the feds mandated that agencies begin reporting security data to an online compliance tool called Cyberscope.

More than 75% of the agencies reviewed have successfully demonstrated that they can provide automated data feeds to Cyberscope, a significant increase over the 17% that demonstrated this capability in 2010, according to the OMB's report. The plan is that the DHS will analyze this data to help mitigate risks across agencies going forward.

The report also outlines three priorities the feds have identified for FISMA this year: trusted Internet connections, continuous monitoring, and HSPD-12. The last requires agencies to upgrade their physical and logical access control infrastructure to require HSPD-12 PIV credentials for access to IT systems and facilities.

Agencies are making progress against these priorities, according to the report. In the area of HSPD-12, for example, agencies said that 89% of employees and contractors requiring PIV credentials--or cards to meet the new identity requirements--have received them.

Moreover, 66% of government user accounts are configured to require PIV cards to authenticate to agencies' networks, a figure that's up from 55% in fiscal-year 2010. The report attributes this increase to "several agencies which made significant strides in HSPD-12 implementation," according to the OMB.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.