Federal Agencies Lagging on FISMA Compliance

March 16, 2012

Federal agencies are having a difficult time meeting the cybersecurity requirements of the Federal Information Security Management Act (FISMA), according to a recently released Office of Management and Budget (OMB) report.

According to an article from Information Week, half of the 24 agencies reviewed slipped past their compliance rating from last year. Only seven agencies achieved more than 90 percent compliance.

Inspector generals were asked to assess IT security programs in 11 areas, including risk management, configuration management, security training, contingency planning and identity and access management, the article says.

The National Science Foundation topped the list with 98.8 percent compliance, which is still a slight slip from last year's 98.9 percent, the article reports. Other high-achieving organizations include the Social Security Administration, the Environmental Protection Agency, the Nuclear Regulatory Commission, the Department of Homeland Security, NASA and the Department of Justice, all of which scored above 90 percent.

Eight agencies achieved 66 percent or higher compliance, but nine scored at a 65 percent or less. The Department of Transportation (44.2 percent), the Department of Interior (44.2 percent) and the Department of Agriculture (32.5 percent) were all at the bottom of the list. The Department of Defense was not even included in the OMB report because it did not provide enough detail for FISMA compliance scoring, according to the article.

Despite the low scores, more than 75 percent of the agencies can now provide automated data feeds through Cyberscope, an online compliance tool. According to the article, only 17 percent could use it in 2010. The DHS plans to analyze the Cyberscope data to help mitigate risks across agencies.

Three priorities have also been identified in the report: trusted Internet connections, continuous monitoring and HSPD-12, which requires agencies to upgrade their physical and logical access control infrastructure to require HSPD-12 PIV credentials to access IT systems and facilities, the article says.

Agencies are already making progress against these priorities, as 89 percent of employees and contractors requiring PIV credentials have received them. Sixty-six percent of government user accounts are also configured to require PIV cards to authenticate to agencies' networks, an increase from fiscal year 2010's 55 percent, according to Information Week.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Federal Agencies Lagging on FISMA Compliance

Related Articles

Report Abusive Comment