EDITOR'S DESK: FISMA challenge
Last month's flogging of federal agencies by the House Government Reform Committee over network security weaknesses was a fresh reminder of the serious work that remains to be done, and of how character-building the job of federal CIO has become.
Committee chairman Tom Davis (R-Va.) deserves credit for holding up an unflattering mirror to the progress agencies are, and are not, making toward compliance with the Federal Information Security Management Act.
While 10 agencies improved their scores, eight slipped backward. And though seven agencies earned A-level marks, nine received F's, two more than last year. The result: an overall FISMA grade of D+, unchanged from last year.
That unleashed the usual criticism: How secure can the country be if those charged with its protection can't protect their own networks? That's followed by the recurring concern that FISMA diverts critical resources to paperwork at the expense of actual network security.
Both contentions have merit. The reality, though, is that the FISMA scores paint only a partial, however sobering, picture.
A recent survey of federal CIOs suggests that while progress is being made (establishing security as a top priority, improving planning and training, and integrating security into architecture and application work), the bar for IT security is being pushed continually higher.
The survey, by the Information Technology Association of America (GCN.com/553), delineates the challenges CIOs face in balancing demands to share information while safeguarding privacy on one hand, and consolidating infrastructure and applications on the other. They must also contend with game-changing forces: the onslaught of mobile computing, the need for self-adjusting intrusion detection and prevention systems, and pressure to outsource common business applications.
If Congress is impatient for results, perhaps it ought to revisit what it intended with FISMA and acknowledge that current funding can pay for only so many priorities.