Department of Homeland Security Hoping for a "D"
Agencies could be facing budget cutbacks unless they improve their IT security, according to the Chairman of the House Government Reform Committee. The Chairman did say that more time is needed for agencies to comply with the Federal Information Security Management Act (FISMA). However, he also stated, according to an article on GovExec.com, that "FISMA report cards are going to have to be tied to funding."
The agency that could be most severely impacted by tying budgets to FISMA report cards is the Department of Homeland Security. A DHS official indicated that he "is hoping the department achieves a D by fiscal 2006, but does not see its score improving in the next year because of the amount of time it takes to certify and accredit all of DHS' 3,600 systems." By contrast, the agencies with the best FISMA grades, AID and DOT, have a small fraction of the number of systems.
The Chairman praised OMB's efforts to standardize cybersecurity. A senior OMB official explained that "inconsistency in FISMA implementation and unnecessary duplication are areas of concern..." and that they are working on new FISMA guidance documents. OMB also warned against attempting to use a financial auditing-style framework for cybersecurity implementation. As OMB explained, "FISMA is an evaluation, not an audit. If it turns into an audit evaluation, it is less of an exchange of information."
Ultimately, the human element is more important to protecting cybersecurity than checklists and paperwork. Budget officials should take note.