CIO survey: FISMA is expensive but effective

The government is spending billions of dollars certifying and accrediting systems under the Federal Information Security Management Act, according to a survey of agency CIOs and chief security officers.

But tips from some CIOs could cut those costs by as much as 90 percent, said Alan Paller, research director for the SANS Institute. The study, conducted by the Bethesda, Md., security think tank, also produced practical suggestions for effectively improving information security, he said.

The ongoing study questions agency officials about the nuts and bolts of implementing FISMA, the cornerstone of government information security policy. Paller shared some of the results today at the Enterprise Architecture conference in Washington sponsored by GCN and the Digital Government Institute of Bethesda, Md.

IT and security chiefs identified the certification and accreditation process as the most critical piece of FISMA because it lays the foundation for all other FISMA requirements, the survey found.

'It forces the system owners to sign off on the risks,' Paller said.

But the cost is high. For high-risk systems the process costs from $150,000 to $400,000 per system, respondents said. Low-risk systems can cost as much as $50,000 each, and medium-risk systems as much as $100,000. Agencies can have hundreds of systems requiring certification and accreditation.

But agencies can see significant savings by consolidating risk categories and hardware-software platforms, and contracting for C&A services in bulk, Paller said.

Making system owners within an agency accountable for security is an effective way to improve FISMA performance, respondents said. This can be done by making rankings public within an agency and by creating a competitive environment in which security goals are systematically addressed across a department, some CIOs suggested.

Paller cited the Transportation Department as a model for this type of work. Regular vulnerability scans were instituted, trouble tickets were created to track progress in remediating problems, and a specific set of critical vulnerabilities was given priority.

About the Author

William Jackson is a Maryland-based freelance writer.
