Interior wants broader measurements in FISMA reporting

The Interior Department is looking for new ways to illustrate how agencies are complying with the Federal Information Security Management Act, a key official said yesterday.

Hord Tipton, the agency's CIO, said his office has been consulting with Interior's inspector general about how to create metrics that take a broader view of whether and how agencies are meeting FISMA requirements.

'We need to do something different than just checking boxes' to denote FISMA compliance, Tipton said at a breakfast Tuesday sponsored by the Bethesda, Md., chapter of the Armed Forces Communications and Electronics Association.

FISMA reform is a hot topic right now, and Tom Davis, House Government Reform chairman, has already offered legislation to shore up and bolster the government's information security policies.

Under the act, agencies must report to Congress on their cybersecurity efforts, and the resulting scores are tabulated by Davis' committee. In its most recent report card, the government overall received a 'D-plus.'

In his comments, Tipton echoed concerns raised by several federal officials earlier this year that FISMA is evolving into little more than a check-the-box exercise that focuses on granular details and not the bigger picture of how agencies are deterring cyberattacks.

Tipton noted that his agency did not score well on the most recent report card but said Interior's cybersecurity has never been stronger.

'We look at FISMA and I noted that we fended off four billion probes, scans, attacks last year without any significant breaches,' Tipton said after his speech. 'It doesn't show up in the FISMA report. What shows up in FISMA is, "Did I do all my paperwork? Did I do the annual reviews?" That is important, I'm not discounting that, but there needs to be some balance as to what's working.'

Interior has been in contact with the National Institute of Standards and Technology and the National Security Agency as well as other groups like the SANS Institute of Bethesda, Md., to discuss its ideas, Tipton said.

If the groups can reach agreement on a few new metrics, Tipton said they hope to meet with the Office of Management and Budget as well.
