Fed security pros struggle with implementing outdated FISMA

From: CSO

Government Accountability Office report finds no government agency has met all key requirements of the act

A recent government report found that major federal agencies are struggling to meet U.S. data protection regulations, a finding that is less about competence and more about the ineffectiveness of the requirements.

The Government Accountability Office (GAO) report found “mixed progress” toward fully implementing the Federal Information Security Management Act. Of the 24 agencies the government watchdog evaluated, none had met all eight key requirements of the act, which Congress enacted in 2002.

The GAO compared the progress of putting FISMA into practice from fiscal year 2011 to fiscal year 2012. During that time period, the number of agencies able to track identified weaknesses in computer systems declined from 20 to 15, while the number that had analyzed, validated and documented security incidents increased from 16 to 19.

In addition, the GAO found weaknesses in specific security controls. For example, 23 of the 24 agencies had weaknesses in access controls, the controls meant to limit who can reach a computer system and to detect unauthorized access when it occurs.

Under FISMA, the National Institute of Standards and Technology (NIST) sets the specifications, guidelines and associated methods and techniques for information security, which includes defending against cyberattacks. The act requires the GAO to do regular progress reviews for the law’s overseer, the Office of Management and Budget, which reports the findings to Congress.

The government spends roughly $12 billion a year, or 15% of its overall IT budget, on security, the OMB has reported. The amount spent, as well as the national security interests, makes data protection a top priority.

While FISMA is supposed to bolster security, its effectiveness is in question. In a recent survey of more than 200 federal cybersecurity professionals, only about half said FISMA had improved security at their agencies, according to MeriTalk, a public-private partnership focused on improving government IT.

The poll also found that the majority of respondents believed their agencies were vulnerable to cyberthreats, and nearly three-quarters said the security in place would not be sufficient beyond the next year.
