INPUT results reveal failure to improve security

RESTON, Va., 20 March 2006. According to INPUT's "2005 FISMA Grade Analysis TargetView" report, which reveals the annual Federal Information Security Management Act (FISMA) grades for federal departments and agencies, the first five years of the legislation and its effect on the information security posture of the Executive Branch can be assessed as largely ineffective.

Mar 20th, 2006

FISMA is criticized for measuring paper-based processes, rather than technical processes, for implementing information security.

"FISMA has become a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress while putting in place very little in the way of actual security improvements," says Bruce Brody, vice president of information security at INPUT. "Moreover, the current system-by-system and site-by-site approach to reporting information security issues does not recognize the importance of backbone infrastructure security improvements."

According to INPUT, federal departments and agencies that are truly seeking to become more secure, regardless of FISMA credit, will need to focus on five objectives:

-- know the network, including any and all interconnections and wireless connections;
-- know the traffic on the network;
-- eliminate passwords and move to two-factor authentication;
-- deploy host-based intrusion prevention systems;
-- and perform vulnerability and configuration management.

The existing situation is said to present substantial opportunities for business development, such as in assisting departments and agencies in achieving FISMA compliance and in becoming secure.

"Companies that are positioned to assist departments and agencies in truly achieving security will gradually receive more business as the government struggles to transform its approach to information security from paper-based FISMA compliance, to technical processes that reduce vulnerabilities, mitigate risk, and improve overall security posture," recognizes Brody.

INPUT's 2005 FISMA Grade Analysis TargetView report is available to INPUT Network members subscribing to the Federal Information Security Analysis program.
