CIO survey: FISMA is expensive but effective
- By William Jackson
- Nov 18, 2003
The government is spending billions of dollars certifying and accrediting systems under the Federal Information Security Management Act, according to a survey of agency CIOs and chief security officers.
But tips from some CIOs could cut those costs by as much as 90 percent, said Alan Paller, research director for the SANS Institute. The study, conducted by the Bethesda, Md., security think tank, also produced practical suggestions for effectively improving information security, he said.
The on-going study questions agency officials about the nuts and bolts of implementing FISMA, the corner stone of government information security policy. Paller shared some of the results today at the Enterprise Architecture conference in Washington sponsored by GCN and the Digital Government Institute of Bethesda, Md.
IT and security chiefs identified the certification and accreditation process is the most critical piece of FISMA because it lays the foundation for all other FISMA requirements, the survey found.
'It forces the system owners to sign off on the risks,' Paller said.
But the cost is high. For high-risk systems the process costs from $150,000 to $400,000 per system, respondents said. Low-risk systems can cost as much as $50,000 each, and medium-risk systems as much as $100,000. Agencies can have hundreds of systems requiring certification and accreditation.
But agencies can see significant savings by consolidating risk categories and hardware-software platforms, and contracting for C&A services in bulk, Paller said.
Making system owners within an agency accountable for security is an effective way to improve FISMA performance, respondents said. This can be done by making rankings public within an agency and by creating a competitive environment in which security goals are systematically addressed across a department, some CIOs suggested.
Paller sited the Transportation Department as a model for this type of work. Regular vulnerability scans were instituted, trouble tickets created to track progress in remediating problems, and a specific set of critical vulnerabilities was given priority.
William Jackson is a Maryland-based freelance writer.