Agencies say standards needed for assessing FISMA compliance

Agencies say standards needed for assessing FISMA compliance

Much of the progress reported on federal IT security in the last year could be illusory, officials charged with overseeing cybersecurity told a House committee Thursday.

Both agencies and overseers agreed on the need for better standards in assessing agency compliance with the Federal Information Security Management Act.

A key metric for FISMA compliance is certification and accreditation of IT systems. The percentage of systems certified and accredited under FISMA in 24 major agencies rose to 77 percent in fiscal 2004, up from 62 percent the year before, according to the Office of Management and Budget.

But seven inspectors general called their agencies' certification and accreditation processes poor, according to the Government Accountability Office. One requirement for certifying and accrediting an IT system is having in place a tested contingency plan for problems. But agencies reported plans in place for only 57 percent of their systems.

'You need to question those statistics,' Greg Wilshusen, GAO director of information security issues, told the House Government Reform Committee.

Karen Evans, OMB's e-government and IT administrator, acknowledged the questionable value of numbers reported by agencies. But she said FISMA itself did not need to be reworked.

'We believe FISMA is adequate in its current form,' she told the committee. 'We see no need at this time to revise it in any significant way. In fact, substantial revision could delay additional progress.'

OMB is responsible for overseeing FISMA compliance and makes annual status reports to Congress. Despite overall improvement in many metrics reported for 2004, the committee gave the government an overall grade of D+ for the year, and seven agencies received failing grades.

Chairman Tom Davis (R-Va.) called the hearing to examine the need for changes in FISMA in the face of continued poor performance.

Agency compliance reports are analyzed by inspectors general, and OMB relies largely on that analysis in making its own report. But there are no standards for that analysis.

The law allows IGs to either audit or evaluate FISMA reports. Audits must meet government auditing standards, but evaluations do not have to.

Officials from the U.S. Agency for International Development and the departments of Homeland Security and Transportation agreed on the need for a common framework for FISMA IG evaluations.

'A more standard approach is needed,' said Frank Deffer, DHS assistant IG for IT. Evans said she would support a more consistent IG analysis framework.

Agencies also want more OMB guidance on FISMA reporting and compliance. Evans said development of a cybersecurity line of business, which will identify best practices and centers of excellence for IT security, are OMB's response to that demand.

She said the goal of an interagency task force that in March began a six-month study on cybersecurity is to identify 'what is working and how it can be moved governmentwide.'

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.