Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

FISMA Security Approach Falls Short, Fed IT Pros Say

Primary tool for defending government information systems is inadequate in the battle against cyber threats and attacks, federal IT security managers say.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
The primary statutory framework for defending government information systems -- the Federal Information Security Management Act (FISMA) -- is falling short in the battle against cyber threats and attacks, creating a compelling need for new strategies, such as continuous monitoring, to improve security at agencies, federal cybersecurity professionals say.

Only about half of the federal IT security managers polled in a survey released this week said that FISMA has improved security at their agencies. Just 27% reported that their agencies are "currently perfectly compliant" with FISMA.

The polling figures suggest that efforts to push FISMA compliance have made little headway since a March 2012 assessment conducted by the Office of Management and Budget.

While 62% of respondents in the new survey believed that increased FISMA compliance would improve security, the survey also revealed that many security managers lack overall confidence in FISMA. They said FISMA is antiquated (11%), is insufficient in dealing with today's increasingly sophisticated threat landscape (21%), and encourages compliance rather than risk identification and assessment (28%). Moreover, 86% reported that FISMA compliance increases costs.

[ Warning about trouble isn't the same as stopping trouble. Read Federal DDoS Warnings Are Outdated. ]

The findings were based on an online survey of more than 200 federal IT managers conducted in July, and made available in a report, "FISMA Fallout," produced by MeriTalk and underwritten by NetApp.

An effort to reform FISMA, which was signed into law in 2002 and requires the head of each agency to implement policies and procedures to reduce IT security risks, is underway in Congress. The Federal Information Security Amendments Act of 2013 (HR 1163) was passed unanimously by the House last April and referred to the Senate. The bill, introduced by Rep. Darrell Issa (R-Calif.), establishes stronger oversight of federal agency IT systems by focusing on "automated and continuous monitoring" of cybersecurity threats and by regular "threat assessments."

Approximately one-fourth of the respondents in the survey (27%) agreed that FISMA could be improved with new requirements such as continuous monitoring.

Asked how FISMA can be reformed, managers in the survey recommended:

-- Get rid of the scorecard mindset and improve metrics as whole;

-- Take into account a realistic picture of agency budgets in light of sequestration;

-- Require less rote compliance documentation and more assessment and risk analysis;

-- Establish clear requirements that need to be met for different risk levels; and

-- Develop a consistent tool to capture data, store documents, and continually update and maintain information.

Beyond issues directly related to FISMA, only 22% of federal security pros in the survey rated their current cybersecurity as sustainable. Another 22% said their security systems were sustainable -- but for only the next 12 months. And 21% said their systems were currently near the limit of sustainability.

In addition, current network capacity is also hindering security efforts, the survey found. More than half (55%) of IT professionals polled said their agency networks are either increasingly overloaded with data or they were not able to keep up with the amount of data already crossing their networks.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
9/25/2013 | 9:56:23 PM
re: FISMA Security Approach Falls Short, Fed IT Pros Say
While these findings may be a fresh take on an antiquated law, the reality is that IT security pros -- and NIST -- have long since dismissed relying on FISMA to address security threats in favor of risk-based assessments and continuous monitoring. The irony is, by the time Congress updates FISMA to require continuous monitoring, agencies will be on to a more comprehensive approach. The Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) approach is where agenies need to be headed. In the meantime, let's hope Congress gets agencies out of the business of creating binders of paper documents every year to comply with FISMA's current requirements.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27885
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...
CVE-2020-25646
PUBLISHED: 2020-10-29
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality
CVE-2020-26205
PUBLISHED: 2020-10-29
Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.
CVE-2020-14323
PUBLISHED: 2020-10-29
A null pointer dereference flaw was found in samba's Winbind service in versions before 4.11.15, before 4.12.9 and before 4.13.1. A local user could use this flaw to crash the winbind service causing denial of service.
CVE-2020-27886
PUBLISHED: 2020-10-29
An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php).