Risk
9/25/2013
10:27 AM
50%
50%

FISMA Security Approach Falls Short, Fed IT Pros Say

Primary tool for defending government information systems is inadequate in the battle against cyber threats and attacks, federal IT security managers say.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
The primary statutory framework for defending government information systems -- the Federal Information Security Management Act (FISMA) -- is falling short in the battle against cyber threats and attacks, creating a compelling need for new strategies, such as continuous monitoring, to improve security at agencies, federal cybersecurity professionals say.

Only about half of the federal IT security managers polled in a survey released this week said that FISMA has improved security at their agencies. Just 27% reported that their agencies are "currently perfectly compliant" with FISMA.

The polling figures suggest that efforts to push FISMA compliance have made little headway since a March 2012 assessment conducted by the Office of Management and Budget.

While 62% of respondents in the new survey believed that increased FISMA compliance would improve security, the survey also revealed that many security managers lack overall confidence in FISMA. They said FISMA is antiquated (11%), is insufficient in dealing with today's increasingly sophisticated threat landscape (21%), and encourages compliance rather than risk identification and assessment (28%). Moreover, 86% reported that FISMA compliance increases costs.

[ Warning about trouble isn't the same as stopping trouble. Read Federal DDoS Warnings Are Outdated. ]

The findings were based on an online survey of more than 200 federal IT managers conducted in July, and made available in a report, "FISMA Fallout," produced by MeriTalk and underwritten by NetApp.

An effort to reform FISMA, which was signed into law in 2002 and requires the head of each agency to implement policies and procedures to reduce IT security risks, is underway in Congress. The Federal Information Security Amendments Act of 2013 (HR 1163) was passed unanimously by the House last April and referred to the Senate. The bill, introduced by Rep. Darrell Issa (R-Calif.), establishes stronger oversight of federal agency IT systems by focusing on "automated and continuous monitoring" of cybersecurity threats and by regular "threat assessments."

Approximately one-fourth of the respondents in the survey (27%) agreed that FISMA could be improved with new requirements such as continuous monitoring.

Asked how FISMA can be reformed, managers in the survey recommended:

-- Get rid of the scorecard mindset and improve metrics as whole;

-- Take into account a realistic picture of agency budgets in light of sequestration;

-- Require less rote compliance documentation and more assessment and risk analysis;

-- Establish clear requirements that need to be met for different risk levels; and

-- Develop a consistent tool to capture data, store documents, and continually update and maintain information.

Beyond issues directly related to FISMA, only 22% of federal security pros in the survey rated their current cybersecurity as sustainable. Another 22% said their security systems were sustainable -- but for only the next 12 months. And 21% said their systems were currently near the limit of sustainability.

In addition, current network capacity is also hindering security efforts, the survey found. More than half (55%) of IT professionals polled said their agency networks are either increasingly overloaded with data or they were not able to keep up with the amount of data already crossing their networks.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
9/25/2013 | 9:56:23 PM
re: FISMA Security Approach Falls Short, Fed IT Pros Say
While these findings may be a fresh take on an antiquated law, the reality is that IT security pros -- and NIST -- have long since dismissed relying on FISMA to address security threats in favor of risk-based assessments and continuous monitoring. The irony is, by the time Congress updates FISMA to require continuous monitoring, agencies will be on to a more comprehensive approach. The Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) approach is where agenies need to be headed. In the meantime, let's hope Congress gets agencies out of the business of creating binders of paper documents every year to comply with FISMA's current requirements.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7178
Published: 2014-11-28
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.

CVE-2014-7850
Published: 2014-11-28
Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.

CVE-2014-8423
Published: 2014-11-28
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

CVE-2014-8424
Published: 2014-11-28
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

CVE-2014-8425
Published: 2014-11-28
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?