Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

FISMA Security Approach Falls Short, Fed IT Pros Say

Primary tool for defending government information systems is inadequate in the battle against cyber threats and attacks, federal IT security managers say.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
The primary statutory framework for defending government information systems -- the Federal Information Security Management Act (FISMA) -- is falling short in the battle against cyber threats and attacks, creating a compelling need for new strategies, such as continuous monitoring, to improve security at agencies, federal cybersecurity professionals say.

Only about half of the federal IT security managers polled in a survey released this week said that FISMA has improved security at their agencies. Just 27% reported that their agencies are "currently perfectly compliant" with FISMA.

The polling figures suggest that efforts to push FISMA compliance have made little headway since a March 2012 assessment conducted by the Office of Management and Budget.

While 62% of respondents in the new survey believed that increased FISMA compliance would improve security, the survey also revealed that many security managers lack overall confidence in FISMA. They said FISMA is antiquated (11%), is insufficient in dealing with today's increasingly sophisticated threat landscape (21%), and encourages compliance rather than risk identification and assessment (28%). Moreover, 86% reported that FISMA compliance increases costs.

[ Warning about trouble isn't the same as stopping trouble. Read Federal DDoS Warnings Are Outdated. ]

The findings were based on an online survey of more than 200 federal IT managers conducted in July, and made available in a report, "FISMA Fallout," produced by MeriTalk and underwritten by NetApp.

An effort to reform FISMA, which was signed into law in 2002 and requires the head of each agency to implement policies and procedures to reduce IT security risks, is underway in Congress. The Federal Information Security Amendments Act of 2013 (HR 1163) was passed unanimously by the House last April and referred to the Senate. The bill, introduced by Rep. Darrell Issa (R-Calif.), establishes stronger oversight of federal agency IT systems by focusing on "automated and continuous monitoring" of cybersecurity threats and by regular "threat assessments."

Approximately one-fourth of the respondents in the survey (27%) agreed that FISMA could be improved with new requirements such as continuous monitoring.

Asked how FISMA can be reformed, managers in the survey recommended:

-- Get rid of the scorecard mindset and improve metrics as whole;

-- Take into account a realistic picture of agency budgets in light of sequestration;

-- Require less rote compliance documentation and more assessment and risk analysis;

-- Establish clear requirements that need to be met for different risk levels; and

-- Develop a consistent tool to capture data, store documents, and continually update and maintain information.

Beyond issues directly related to FISMA, only 22% of federal security pros in the survey rated their current cybersecurity as sustainable. Another 22% said their security systems were sustainable -- but for only the next 12 months. And 21% said their systems were currently near the limit of sustainability.

In addition, current network capacity is also hindering security efforts, the survey found. More than half (55%) of IT professionals polled said their agency networks are either increasingly overloaded with data or they were not able to keep up with the amount of data already crossing their networks.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
9/25/2013 | 9:56:23 PM
re: FISMA Security Approach Falls Short, Fed IT Pros Say
While these findings may be a fresh take on an antiquated law, the reality is that IT security pros -- and NIST -- have long since dismissed relying on FISMA to address security threats in favor of risk-based assessments and continuous monitoring. The irony is, by the time Congress updates FISMA to require continuous monitoring, agencies will be on to a more comprehensive approach. The Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) approach is where agenies need to be headed. In the meantime, let's hope Congress gets agencies out of the business of creating binders of paper documents every year to comply with FISMA's current requirements.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.
CVE-2020-13868
PUBLISHED: 2020-06-05
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity.
CVE-2020-13869
PUBLISHED: 2020-06-05
An issue was discovered in the Comments plugin before 1.5.6 for Craft CMS. There is stored XSS via a guest name.
CVE-2020-13870
PUBLISHED: 2020-06-05
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name.