“Is FISMA Making the Grade?” Chief Information Security Officer Survey Says Federal Computer Security Grades Improving, but Challenges with Report Card Process Persist
Report Cards More Accurate for Large Agencies; CISOs Communicate the Process Still Needs Improvement
WASHINGTON--(BUSINESS WIRE)--The Merlin International Federal Research Consortium (MFRC), a group of leading Information Assurance solution providers, today announced the availability of its new report, “Is FISMA Making the Grade?” Based on a survey of Federal Chief Information Security Officers (CISOs), the study reveals that CISOs report their Federal Computer Security Report Card grades for 2007 have improved over 2006, but challenges persist with the process.
“That said, the Report Card process needs continuous improvement. Our report recommends several next steps, including modifications for small versus large agencies, and a continued effort to clarify requirements language.”
Despite progress, CISOs still struggle with language ambiguities related to the Federal Information Security Management Act (FISMA) guidelines, according to the study. In addition, CISOs from large and small agencies hold divergent opinions on the value of the Report Card process. The full report is available for download at http://www.merlin-intl.com/IAstudy.asp.
Report Card Grades Improving, Information More Secure
The MFRC study, based on a March 2007 survey of Federal CISOs, reveals that 75 percent of CISOs state their agency’s Federal Computer Security Report Card grade improved in 2007. A majority of Federal CISOs identify streamlining certification and authentication (C&A) efforts as the primary factor promoting higher grades.
In line with Report Card grades, 75 percent of CISOs say that their IT security environment has “improved” or “significantly improved” since the House of Representatives’ Oversight and Government Reform Committee released the 2006 Report Card. Looking forward, the report identifies increased auditing and authorization efforts as a key trend for 2007. Eighty three percent of Federal CISOs plan to increase IT audit trails and authorization efforts during the next year.
Large-Agency CISOs Give Report Card Higher Grades
CISOs from large agencies (more than 10,000 employees) have higher confidence in the Report Card’s accuracy than their counterparts at smaller agencies. Sixty percent of CISOs from large agencies say the Report Card provides real insight into their agency’s IT security; however, just 36 percent of CISOs from small agencies concur.
The findings suggest that the Report Card is not one size fits all, and that small agencies face different IT security challenges than their larger counterparts. Based on the CISO feedback, the current Report Card process does not take these differences into account. The study recommends considering a separate Report Card for small agencies.
Report Card-Funding Disconnect and Guidance Ambiguities Challenge CISOs
Federal CISOs identified ambiguities in FISMA language requirements as a continued challenge, negatively impacting Report Card grades.
In addition, the report sheds light on two persistent problems with the Federal Computer Security Report Card process and highlights the need to establish a more linear connection between an agency’s IT security performance and the associated funding the agency receives.
First, Report Card grades have a questionable impact on an agency’s IT security funding – 75 percent of respondents say they found little correlation between their agency’s FISMA grade and their agency’s IT security funding.
Second, Federal IT security professionals believe the Report Card grades have a negligible bearing on overall IT funding – 79 percent of CISOs say they have found no link between their agency’s FISMA grades and their agency’s overall IT budget.
“By shining a light on the government’s IT security environment, the Federal Computer Security Report Card empowers CISOs to continuously evaluate and improve security for their agency’s information assets,” said John Trauth, executive vice president of Federal government systems at Merlin International. “That said, the Report Card process needs continuous improvement. Our report recommends several next steps, including modifications for small versus large agencies, and a continued effort to clarify requirements language.”
About the Federal Computer Security Report Card
Largely based on security evaluations defined in the 2002 FISMA regulations, the House of Representatives’ Committee on Oversight and Government Reform issues the Federal Computer Security Report Card annually. The Office of Management and Budget administers the initial FISMA evaluations.
About the “Is FISMA Making the Grade?” Report
The report, commissioned by the Merlin International Federal Research Consortium, is based on a survey of 30 out of a total of 117 CISOs conducted in March 2007. The full study is available for download at http://www.merlin-intl.com/IAstudy.asp.
About the Merlin International Federal Research Consortium
The Merlin International Federal Research Consortium is a group of leading Information Assurance solution providers committed to bringing insightful and timely market intelligence and best practices information to the Federal IT marketplace. Through research, education, and training the coalition works to empower government agencies to optimize their IT security environments. Members of the Merlin International Federal Research Consortium include BMC Software, F5 Networks, Layer 7 Technologies, Liquid Machines, Merlin International, NetApp, and Secure Elements.