Kundra, GAO eager to plug FISMA-IT security gap

New tools for measuring agencies' IT security being considered to make FISMA more effective

Federal CIO Vivek Kundra is spearheading an effort to update agency-reporting requirements under the Federal Information Security Management Act and to streamline the process by replacing spreadsheets with an online database.

The security metrics used by agencies to measure compliance with security regulations are outdated, Kundra wrote in a letter to the Government Accountability Office.

“While these metrics may have made sense when FISMA was enacted [in 2002], they are largely compliance based. They are trailing, rather than leading, indicators,” Kundra wrote. “We need metrics that give insight into agencies’ security postures and possible vulnerabilities on an on‐going basis.”

Kundra’s statement came into a response to the findings of a GAO report detailing major gaps that persist between reported FISMA compliance and actual information security status.

“Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies,” despite reported progress by agencies, GAO said in its annual report to Congress on government information security. Inadequate security controls were reported material weaknesses in 20 of 24 major agencies in fiscal 2008, and information security remains a high-risk area according to GAO.

FISMA is the primary regulatory tool for federal information security, requiring implementation of risk-based security programs and regular assessments of their effectiveness. But despite seven years of effort, most agencies still are struggling to both meet FISMA requirements and to implement adequate security controls on IT systems and networks that are constantly growing more complex while being targeted by increasingly sophisticated attacks. The most recent GAO report included a familiar litany of security weaknesses and lapses, and noted that security incidents reported by agencies to the U.S. Computer Emergency Readiness Team (US-CERT) increased from 5,503 in fiscal 2006 to 16,843 in 2008.

GAO faulted both the FISMA reporting process and agencies’ lack of adequate programs.

“The current reporting process does not produce information to accurately gauge the effectiveness of federal information-security activities,” GAO said.

At the same time, “an underlying cause for information-security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented agencywide information-security programs,” GAO said. Twenty-three of 24 major agencies examined by GAO had not fully implemented programs. “Until agencies fully and effectively implement information-security programs and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at an increased and unnecessary risk of attack or compromise.”

The hundreds of recommendations cited by GAO illustrate the scope of the challenge facing agency chief information officers and information technology administrators in bringing security up to grade. But GAO did identify a series of government initiatives intended to improve IT security. These include the 60-day cyber review conducted earlier this year, the Comprehensive National Cybersecurity Initiative from last year, the Office of Management and Budget’s Information Systems Security Line of Business initiative, the Federal Desktop Core Configuration for Microsoft operating systems, the SmartBUY procurement program, and the Trusted Internet Connections Initiative.

GAO recommended that OMB update and clarify its FISMA reporting instructions to agencies, include more detail in its reports to Congress, and begin using its authority to disapprove information-security programs that do not meet requirements.

Kundra disagreed with GAO’s contention that OMB is not using its authority to review and disapprove programs. “OMB reviews all agency and IG FISMA reports annually,” he wrote. “For the major agencies, OMB also receives and review quarterly information on their security programs. OMB uses this information, and other reporting, to evaluate agencies’ security management programs. Concerns are communicated directly to the agencies.”

GAO also included in its report the results of a meeting of security experts held in March on how to improve national cybersecurity. The experts, who included former federal officials, academics and private-sector executives, recommended 12 improvements essential to improving the nation’s cybersecurity strategy and posture:
  • Develop a national strategy that clearly articulates strategic objectives, goals and priorities.
  • Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.
  • Establish a governance structure for strategy implementation.
  • Publicize and raise awareness about the seriousness of the cybersecurity problem.
  • Create an accountable, operational cybersecurity organization.
  • Focus more actions on prioritizing assets and functions, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.
  • Bolster public/private partnerships through an improved value proposition and use of incentives.
  • Focus greater attention on addressing the global aspects of cyberspace.
  • Improve law enforcement efforts to address malicious activities in cyberspace.
  • Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private-sector efforts.
  • Increase the cadre of cybersecurity professionals.
  • Make the federal government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • analytics (Wright Studio/

    3 data strategies to help crackdown on internal corruption

Reader Comments

Fri, Jul 24, 2009 Jeffrey A. Williams Frisco Texas

I don't see much substance so far in .GOV web sites or Domain Name DNS specificantions that would indicate clearly that Viveck is as serious as he says he is in pluging the many holes that government domain name DNS has or that their networks also have. So far DNSSEC still is not implimented on very few of the legacy root servers and none of the government TLD servers. Nor has IPSEC been implimented anywhere throughout the government Internet enterprise.

Wed, Jul 22, 2009 FedSecurityGuy

It's clear that Kundra is not serious about security. All of us our being pushed to field Web 2.0 technologies, and anybody who raises any issue about security gets blown out of the water as being an obstructionist. OMB needs to get its act together. Their automated tool for FISMA reporting (developed without any inputs from the community) will not help. Wonder if their wonderful new tool could pass an OIG or GAO FISMA compliance audit. I doubt it.

Wed, Jul 22, 2009 tcompton Newport News

FISMA today doesn't prevent an Agency CIO from: - Keeping 'forward looking' metrics of their own design that they feel better reflect their security, - Making use of automation tools in configuration, remediation, or reporting compliance - Following the CAG guidelines on their own Are these CIO's really asking to expand FISMA mandates to cover these things or is the hope that once we start 'reforming' FISMA, they can remove the basic requirements for a system inventory and documented security controls for each system? -T

Tue, Jul 21, 2009 Bill Mee Rosslyn

Kundra may know technology, but it doesn't appear that he's familiar with FISMA despite now being in charge with enforcement as head of OMB/eGov. The disconnect is very clear where Kundra argues with the GAO recommendation for OMB use its authority to disapprove failing security programs; this hasn't ever happen, should be the tool for OMB to get agencies to produce "real world" rather than checkbox plans, and yet Kundra says OMB is doing fine as-is... Ha!

Tue, Jul 21, 2009 John David NOVA

This is great news. But it does concern me if Mr. Kundra can pull this off. During his term in Virginia, he had wonderful IT goals, but they never quite hit the ground with application. Neither he nor Mr. Choppa were able to manage the now publized Virginia VITA NorthrupGrummon story. IT services and program support have suffered much since state legislature and Governor Warner initiated the project. We can thank Virginia's Governors Allen and Gillmore for starving IT budgets into a no win situation. Like Education, IT investments are the future. Thank you for permitting comments; and good luck to Mr. Kundra.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group