With new FISMA rules, security progress can be measured
Metrics on IT security performance establish a baseline for the future
- By William Jackson
- Mar 25, 2011
How good is government IT security? Is it getting better?
The Office of Management and Budget has released its report on Federal Information Security Management Act compliance for fiscal 2010 and it’s hard to say from the report.
Most agencies are pretty much in compliance with the FISMA, but it
has become painfully clear over the past nine years that compliance does
not equal security. This year’s report does include some first-time
metrics on IT security performance, however, that are establishing a
baseline for measuring progress.
The results for 2010 are mixed, with performance being far from
perfect in any category. But the real test will be how these figures
shift in the coming years.
FISMA: A good idea whose time never came
Cyberattacks on agencies increase as preparedness lags
The report makes it clear that impetus for many of the improvements
in IT security practices in recent years has come not from FISMA reform
or improved oversight but from frustration in the agencies themselves
over the inadequacies of mere FISMA compliance.
“As a result, many agencies began to develop new methods to protect
their systems that often went well beyond what was required by policy or
regulation,” the OMB report states. “In the past few years, the federal
government as a whole has begun to harness these techniques developed
by forward-thinking agencies — as well as industry best practices — to
move FISMA implementation toward the real-time detection and mitigation
of security vulnerabilities.”
One concrete improvement last year under FISMA is reporting through
Cyberscope, an interactive data collection tool that receives data feeds
from agencies to assess the security posture of their information
“Armed with more insight into agency-level security posture, DHS
hosted individual meetings with agencies to discuss the new approach,
request additional information, and establish meaningful dialogue with
agencies’ senior leaders and key information security personnel,” the
report states. “The next step in this evolution in [fiscal] 2011 will be
the introduction of the ‘CyberStat’ management model,” which is
intended to evolve security metrics and allow DHS to correlate data on
risks across the entire federal enterprise.
Metrics collected last year to address actual information security
rather than FISMA compliance included the use of personal identity
verification credentials for identity management and IT system access,
the use of automated monitoring, laptop encryption, and incident
response and reporting. Because these figures are new, there are no
comparisons with previous years to measure progress, but they create a
Although agencies had issued more than 4.5 million PIV credentials as
of last December, covering 79 percent of the required federal and
contractor workforce, only 55 percent of user accounts are configured to
require these credentials for access. Most of those are in two
agencies, with the remaining agencies reporting from 0 to 3 percent.
Agencies have until March 31 to provide plans for fully implementing PIV
cards for access management.
A total of 66 percent of IT assets were being managed with automated
tools last year, with performance at individual agencies ranging from 22
percent to 100 percent, and the use of automated vulnerability
assessment tools averaging about 51 percent overall. Fifty-four percent
of agency laptops were encrypted to protect data. It took agencies on
average about nine hours to determine whether an anomalous activity was a
real security incident, and about 20 hours to report incidents to the
U.S. Computer Emergency Readiness Team.
Whether these numbers are good or bad is difficult to say, but there
is obvious room for improvement in every category. Measuring that
improvement will be an important part of the next OMB report when
comparative figures should be available, which should make for
William Jackson is freelance writer and the author of the CyberEye blog.