A recent report by the Government Accountability Office indicates that federal agencies are moving slowly to implement the information security policies and procedures mandated by the Federal Information Security Management Act of 2002 (FISMA), and that improved metrics are needed to better track progress.
FISMA requires by law that every federal agency establish a comprehensive information security program that includes eight key components. The GAO study found that agencies' implementation of the required security program components showed only mixed progress from fiscal year 2011 to fiscal year 2012.
| Component | Agencies Fully Implemented | Agencies Partially Implemented |
|---|---|---|
| Establishing a program for managing security risk | 18 | 6 |
| Documenting policies and procedures | 10 | 12 |
| Selecting security controls for systems | | |
| Establishing a security training program | 22 | 2 |
| Monitoring controls on an ongoing basis | 13 | 10 |
| Establishing a remediation program | 19 | 5 |
| Establishing an incident response and reporting program | | |
| Establishing a continuity of operations program | | |
Meanwhile, the government shutdown has led to a significant number of agency personnel being furloughed, many from the IT departments, meaning that implementation of these key FISMA-mandated security components will languish even longer than previously expected.
“The speed and accessibility that create the benefits of the computer age, if not properly controlled, can allow unauthorized individuals and organizations to inexpensively eavesdrop on or interfere with these operations from remote locations for potentially malicious purposes, including fraud or sabotage,” the GAO report states.
“Increasingly sophisticated cyber threats have underscored the need to manage and bolster the cybersecurity of key government systems as well as the nation’s critical infrastructure.”