Has FISMA helped?

Powered by SC Magazine

After blasting federal agencies with an average grade of D+ in information security practices last year, the U.S. House of Representatives Government Reform Committee will announce on Thursday whether the federal government has improved its preparedness against major cyber attacks.

Chaired by U.S. Rep. Tom Davis, R-Va., the committee will release 2005 federal computer security scorecards during an oversight hearing scheduled tomorrow morning. The scorecards are based on a review of reports submitted by federal agencies in response to requirements of the Federal Information Security Management Act of 2002 (FISMA). 

Davis wrote the bill to compel government workers to better protect systems from potential cyber attacks. It requires each federal agency's CIO to give Congress a yearly report on how it is working to implement risk-based methods to manage information security. The committee then compiles the scorecards based on agency security practices documented in the reports. 

The objective of Thursday's review is to see how well government agencies advanced their information security practices in 2005, said Drew Crockett, committee spokesperson.

"Tomorrow we'll see which agencies have improved security, answering one big question," he said. "Is the government ready for a digital Pearl Harbor?"

Crockett said that certain agencies have been better than others at improving their security management. The committee plans to explore the reasons why certain agencies are still not able to meet guidelines set out by the FISMA framework.

Committee members will also discuss whether improvements need to be made to the FISMA requirements themselves. Some federal CIOs have questioned the usefulness of FISMA reports and the resultant scorecards. In the release of its annual Survey of Federal CIOs last month, the International Technology Association of America noted that "one CIO cited FISMA reporting as a paper exercise and a 'forced march without value.'"

Crockett said that the committee is aware of the criticisms and will look at whether they have any merit. 

"The goal of FISMA was to establish a broad framework for security," he said. "The last thing we want is for it to turn into a paperwork exercise. We need to know whether that is a valid criticism or not and whether there are any changes that we need to make to reporting requirements."

Copyright © SC Magazine, US edition
