Risk
9/25/2013
10:27 AM
50%
50%

FISMA Security Approach Falls Short, Fed IT Pros Say

Primary tool for defending government information systems is inadequate in the battle against cyber threats and attacks, federal IT security managers say.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
The primary statutory framework for defending government information systems -- the Federal Information Security Management Act (FISMA) -- is falling short in the battle against cyber threats and attacks, creating a compelling need for new strategies, such as continuous monitoring, to improve security at agencies, federal cybersecurity professionals say.

Only about half of the federal IT security managers polled in a survey released this week said that FISMA has improved security at their agencies. Just 27% reported that their agencies are "currently perfectly compliant" with FISMA.

The polling figures suggest that efforts to push FISMA compliance have made little headway since a March 2012 assessment conducted by the Office of Management and Budget.

While 62% of respondents in the new survey believed that increased FISMA compliance would improve security, the survey also revealed that many security managers lack overall confidence in FISMA. They said FISMA is antiquated (11%), is insufficient in dealing with today's increasingly sophisticated threat landscape (21%), and encourages compliance rather than risk identification and assessment (28%). Moreover, 86% reported that FISMA compliance increases costs.

[ Warning about trouble isn't the same as stopping trouble. Read Federal DDoS Warnings Are Outdated. ]

The findings were based on an online survey of more than 200 federal IT managers conducted in July, and made available in a report, "FISMA Fallout," produced by MeriTalk and underwritten by NetApp.

An effort to reform FISMA, which was signed into law in 2002 and requires the head of each agency to implement policies and procedures to reduce IT security risks, is underway in Congress. The Federal Information Security Amendments Act of 2013 (HR 1163) was passed unanimously by the House last April and referred to the Senate. The bill, introduced by Rep. Darrell Issa (R-Calif.), establishes stronger oversight of federal agency IT systems by focusing on "automated and continuous monitoring" of cybersecurity threats and by regular "threat assessments."

Approximately one-fourth of the respondents in the survey (27%) agreed that FISMA could be improved with new requirements such as continuous monitoring.

Asked how FISMA can be reformed, managers in the survey recommended:

-- Get rid of the scorecard mindset and improve metrics as whole;

-- Take into account a realistic picture of agency budgets in light of sequestration;

-- Require less rote compliance documentation and more assessment and risk analysis;

-- Establish clear requirements that need to be met for different risk levels; and

-- Develop a consistent tool to capture data, store documents, and continually update and maintain information.

Beyond issues directly related to FISMA, only 22% of federal security pros in the survey rated their current cybersecurity as sustainable. Another 22% said their security systems were sustainable -- but for only the next 12 months. And 21% said their systems were currently near the limit of sustainability.

In addition, current network capacity is also hindering security efforts, the survey found. More than half (55%) of IT professionals polled said their agency networks are either increasingly overloaded with data or they were not able to keep up with the amount of data already crossing their networks.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
WKash
50%
50%
WKash,
User Rank: Apprentice
9/25/2013 | 9:56:23 PM
re: FISMA Security Approach Falls Short, Fed IT Pros Say
While these findings may be a fresh take on an antiquated law, the reality is that IT security pros -- and NIST -- have long since dismissed relying on FISMA to address security threats in favor of risk-based assessments and continuous monitoring. The irony is, by the time Congress updates FISMA to require continuous monitoring, agencies will be on to a more comprehensive approach. The Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) approach is where agenies need to be headed. In the meantime, let's hope Congress gets agencies out of the business of creating binders of paper documents every year to comply with FISMA's current requirements.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

CVE-2014-7880
Published: 2014-12-17
Multiple unspecified vulnerabilities in the POP implementation in HP OpenVMS TCP/IP 5.7 before ECO5 allow remote attackers to cause a denial of service via unspecified vectors.

CVE-2014-8133
Published: 2014-12-17
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.