The annual release of cybersecurity grades are helping to improve U.S. government security, but the law the grades are based on needs to be more specific, U.S. agency chief information security officers (CISO) said in a survey.
Sixty-seven percent of CISOs surveyed said they believe their agency's IT security has improved since their Federal Information Security Management Act (FISMA) grades were released a year ago. The CISO survey was part of the report, Is FISMA Making the Grade?, published by the Merlin International Federal Research Consortium, representing a group of IT security vendors.
On Thursday, Rep. Tom Davis, a Virginia Republican, released the 2006 FISMA scores, with eight of 24 agencies getting A-minus grades or better. Eight agencies, including the Department of Defense, the Department of State, and the Department of the Treasury, received F grades. FISMA, passed by Congress in 2002, requires agencies to take several actions, including conducting inventories of their IT equipment.
Although federal CISOs acknowledged that their agencies' cybersecurity has improved under FISMA, 46 percent of those surveyed said FISMA could be improved by clearer guidelines. Another 42 percent said FISMA could provide better guidance for yearly security controls tests. Only 54 percent of respondents said FISMA reporting provides real insight into their agency's IT security.
"High-level policies are nice -- to say, 'thou shalt be more secure,'" said Mark Zalubas, CTO at Merlin International, a consulting firm associated with the consortium. "It's better when you provide specific language about how far you need to go."
Ambiguity in FISMA language requirements and funding issues were the two top reasons CISOs gave for decreases in FISMA grades this year, although 75 percent of those surveyed said their FISMA scores improved. Five of the agencies saw declines in their final letter-grade scores, released by Davis.
The funding issue isn't an easy one to fix, Zalubas said. "That's one you struggle with all the time," he added. "Do you give additional funding to folks who are doing poorly?"
Davis and Karen Evans, administrator of e-government and information technology in the White House Office of Management and Budget (OMB), both defended FISMA at a Thursday press conference. FISMA is a tool that helps agencies move forward on cybersecurity, Evans said.
"We want to get beyond the metrics," Evans said. "What we really want to do is make these results real. We want to make sure [agencies] are protecting the information they're gathering on behalf of the citizens."
The U.S. government is making progress toward specific goals, said Ned Miller, president and CEO of Secure Elements, another member of the Merlin consortium. Late last month, OMB issued guidelines for security configurations of the Windows XP and Vista operating systems, and the National Institute of Standards and Technology is working on security checklists that agencies can use, he said.
"What we're seeing is OMB taking a very proactive role," Miller said.