Has FISMA helped?

Powered by SC Magazine

After blasting federal agencies with an average grade of D+ in information security practices last year, the U.S. House of Representatives Government Reform Committee will announce on Thursday whether the federal government has improved its preparedness against major cyber attacks.

Chaired by U.S. Rep. Tom Davis, R-Va., the committee will release 2005 federal computer security scorecards during an oversight hearing scheduled tomorrow morning. The scorecards are based on a review of reports submitted by federal agencies in response to requirements of the Federal Information Security Management Act of 2002 (FISMA). 

Davis wrote the bill to compel government workers to better protect systems from potential cyber attacks. It requires each federal agency's CIO to give Congress a yearly report on how it is working to implement risk-based methods to manage information security. The committee then compiles the scorecards based on agency security practices documented in the reports. 

The objective of Thursday's review is to see how well government agencies advanced their information security practices in 2005, said Drew Crockett, committee spokesperson.

"Tomorrow we'll see which agencies have improved security, answering one big question," he said. "Is the government ready for a digital Pearl Harbor?"

Crockett said that certain agencies have been better than others at improving their security management. The committee plans to explore the reasons why certain agencies are still not able to meet guidelines set out by the FISMA framework.

Committee members will also discuss whether improvements need to be made to the FISMA requirements themselves. Some federal CIOs have questioned the usefulness of FISMA reports and the resultant scorecards. In the release of its annual Survey of Federal CIOs last month, the International Technology Association of America noted that "one CIO cited FISMA reporting as a paper exercise and a 'forced march without value.'"

Crockett said that the committee is aware of the criticisms and will look at whether they have any merit. 

"The goal of FISMA was to establish a broad framework for security," he said. "The last thing we want is it to turn into a paperwork exercise. We need to know whether that is a valid criticism or not and whether there are any changes that we need to make to reporting requirements." 

Copyright © SC Magazine, US edition
