"Is FISMA Making the Grade?" Chief Information Security Officer Survey Says Federal Computer Security Grades Improving, but Challenges with Report Card Process Persist.


Report Cards More Accurate for Large Agencies; CISOs Communicate the Process Still Needs Improvement

WASHINGTON -- The Merlin International Federal Research Consortium (MFRC), a group of leading Information Assurance solution providers, today announced the availability of its new report, "Is FISMA Making the Grade?" Based on a survey of Federal Chief Information Security Officers (CISOs), the study reveals that CISOs report their Federal Computer Security Report Card grades for 2007 have improved over 2006, but challenges persist with the process.

Despite progress, CISOs still struggle with language ambiguities related to the Federal Information Security Management Act (FISMA) guidelines, according to the study. In addition, CISOs from large and small agencies hold divergent opinions on the value of the Report Card process. The full report is available for download at http://www.merlin-intl.com/IAstudy.asp.

Report Card Grades Improving, Information More Secure

The MFRC study, based on a March 2007 survey of Federal CISOs, reveals that 75 percent of CISOs state their agency's Federal Computer Security Report Card grade improved in 2007. A majority of Federal CISOs identify streamlining certification and authentication (C&A) efforts as the primary factor promoting higher grades.

In line with Report Card grades, 75 percent of CISOs say that their IT security environment has "improved" or "significantly improved" since the House of Representatives' Oversight and Government Reform Committee released the 2006 Report Card. Looking forward, the report identifies increased auditing and authorization efforts as a key trend for 2007. Eighty-three percent of Federal CISOs plan to increase IT audit trails and authorization efforts during the next year.

Large-Agency CISOs Give Report Card Higher Grades

CISOs from large agencies (more than 10,000 employees) have higher confidence in the Report Card's accuracy than their counterparts at smaller agencies. Sixty percent of CISOs from large agencies say the Report Card provides real insight into their agency's IT security; however, just 36 percent of CISOs from small agencies concur.

The findings suggest that the Report Card is not one size fits all, and that small agencies face different IT security challenges than their larger counterparts. Based on the CISO feedback, the current Report Card process does not take these differences into account. The study recommends considering a separate Report Card for small agencies.

Report Card-Funding Disconnect and Guidance Ambiguities Challenge CISOs

Federal CISOs identified ambiguities in FISMA language requirements as a continued challenge, negatively impacting Report Card grades.

In addition, the report sheds light on two persistent problems with the Federal Computer Security Report Card process and highlights the need to establish a more linear connection between an agency's IT security performance and the associated funding the agency receives.

First, Report Card grades have a questionable impact on an agency's IT security funding - 75 percent of respondents say they found little correlation between their agency's FISMA grade and their agency's IT security funding.

Second, Federal IT security professionals believe the Report Card grades have a negligible bearing on overall IT funding - 79 percent of CISOs say they have found no link between their agency's FISMA grades and their agency's overall IT budget.

"By shining a light on the government's IT security environment, the Federal Computer Security Report Card empowers CISOs to continuously evaluate and improve security for their agency's information assets," said John Trauth, executive vice president of Federal government systems at Merlin International. "That said, the Report Card process needs continuous improvement. Our report recommends several next steps, including modifications for small versus large agencies, and a continued effort to clarify requirements language."

About the Federal Computer Security Report Card

Largely based on security evaluations defined in the 2002 FISMA regulations, the House of Representatives' Committee on Oversight and Government Reform issues the Federal Computer Security Report Card annually. The Office of Management and Budget administers the initial FISMA evaluations.

About the "Is FISMA Making the Grade?" Report

The report, commissioned by the Merlin International Federal Research Consortium, is based on a survey of 30 out of a total of 117 CISOs conducted in March 2007. The full study is available for download at http://www.merlin-intl.com/IAstudy.asp.

About the Merlin International Federal Research Consortium

The Merlin International Federal Research Consortium is a group of leading Information Assurance solution providers committed to bringing insightful and timely market intelligence and best practices information to the Federal IT marketplace. Through research, education, and training the coalition works to empower government agencies to optimize their IT security environments. Members of the Merlin International Federal Research Consortium include BMC Software, F5 Networks, Layer 7 Technologies, Liquid Machines, Merlin International, NetApp, and Secure Elements.
COPYRIGHT 2007 Business Wire

Publication:Business Wire
Date:Apr 12, 2007