Federal agencies boost scores in security

Their grades have not been posted, but government agencies have generally improved their security this year, as measured by compliance with the Federal Information Security Management Act (FISMA) of 2002, a report issued by the Office of Management and Budget stated on Saturday.

In the report (pdf), the OMB stated that, overall, the government did better in fiscal 2007 with certifying systems and testing security controls and contingency plans than in the previous year. The Inspectors General for 22 of the 25 agencies required to comply with FISMA inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. While an improvement over the previous year, only two-thirds of the IGs claimed that their auditing processes were rated "satisfactory" or better.

The increased awareness of their systems has also caused the agencies to report more attacks, the report stated. In 2007, incidents reported to the US Computer Emergency Readiness Team (US-CERT) jumped to 12,986, an increase of 150 percent over the previous year. While nearly a third of the incidents were alarms created by the US-CERT's EINSTEIN network monitoring system and remain uncategorized, about a quarter were classified as improper usage and about 15 percent were classified as unauthorized access, according to the OMB report.

In 2006, most of the U.S. government agencies required to file compliance reports by FISMA scored sub-par grades in computer security. The Federal Information Security Management Act of 2002 requires that the agencies secure their information systems according to guidelines developed by the National Institute of Standards and Technology and file annual reports about their compliance. Congress later issues a report assigning letter grades to each agency's performance.

Already, members of Congress and security experts are drafting a report to advise the next president on ways of improving cyber security.

The OMB report noted that four agencies -- the National Aeronautics and Space Administration (NASA) and the Departments of State, Treasury and Defense -- all did significantly better in complying with FISMA. The Department of Defense, however, did not present audits for its compliance nor did it submit a privacy impact assessment, according to the OMB report.
