As Agencies Struggle with FISMA Compliance, Security Professionals Question Costs

Over the past 12 months, federal agencies have continued to face cyber attacks from state-sponsored threats, non-state actors, as well as insider threats. The Federal Information Security Management Act (FISMA) has improved agency security; however, some components of these information security programs have only been partially established and capabilities to track identified weaknesses lag at a number of agencies. In fact, according to the survey, only 22% of information security professionals rated their defenses as sufficient and sustainable. Further, 86% of those respondents suggested that FISMA compliance increases costs.

Compliance with FISMA requires agencies to establish security programs that incorporate eight key elements:
• Establishing a program for managing information security risk,
• Documenting policies and procedures,
• Selecting security controls for systems,
• Establishing a security training program,
• Monitoring controls on an ongoing basis,
• Establishing a remediation program,
• Establishing an incident response and reporting program, and
• Establishing a continuity of operations program.

According to a recent report from the Government Accountability Office (GAO), none of the 24 major federal agencies reviewed had fully implemented all of the components.

Even as the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) continue development of reporting metrics to provide support to agencies improving their information security programs, these metrics do no fully address all FISMA requirements. Further, according to security professionals, FISMA poses a strategic challenge by emphasizing compliance rather than risk identification and assessment.

The balance between these objectives is particularly noteworthy in light of public sector progress in risk management highlighted in a study released at the beginning of this month. Non-compliance related objectives achieved by risk-based security management include decreasing costs and operating efficiencies, protecting intellectual property, and maximizing productivity. These other business objectives align with strategic goals the government has stressed related to transforming its use of technology. Yet, it remains a challenge for organizations to align business objectives with risk-based security management.  As agencies continue to invest in information security solutions and overhaul their use of information technology, vendors can strengthen their competitive position and grow opportunities by helping government organizations to address compliance and business objectives at the same time.