FISMA News

“Is FISMA Making the Grade?” Chief Information Security Officer Survey Says Federal Computer Security Grades Improving, but Challenges with Report Card Process Persist

(April 12, 2007)-- The Merlin International Federal Research Consortium (MFRC), a group of leading Information Assurance solution providers, today announced the availability of its new report, “Is FISMA Making the Grade?” Based on a survey of Federal Chief Information Security Officers (CISOs), the study reveals that CISOs report their Federal Computer Security Report Card grades for 2007 have improved over 2006, but challenges persist with the process.

Despite progress, CISOs still struggle with language ambiguities related to the Federal Information Security Management Act (FISMA) guidelines, according to the study. In addition, CISOs from large and small agencies hold divergent opinions on the value of the Report Card process. The full report is available for download at http://www.merlin-intl.com/IAstudy.asp.

Report Card Grades Improving, Information More Secure

The MFRC study, based on a March 2007 survey of Federal CISOs, reveals that 75 percent of CISOs state their agency’s Federal Computer Security Report Card grade improved in 2007. A majority of Federal CISOs identify streamlining certification and authentication (C&A) efforts as the primary factor promoting higher grades.

In line with Report Card grades, 75 percent of CISOs say that their IT security environment has “improved” or “significantly improved” since the House of Representatives’ Oversight and Government Reform Committee released the 2006 Report Card. Looking forward, the report identifies increased auditing and authorization efforts as a key trend for 2007. Eighty three percent of Federal CISOs plan to increase IT audit trails and authorization efforts during the next year.

Large-Agency CISOs Give Report Card Higher Grades

CISOs from large agencies (more than 10,000 employees) have higher confidence in the Report Card’s accuracy than their counterparts at smaller agencies. Sixty percent of CISOs from large agencies say the Report Card provides real insight into their agency’s IT security; however, just 36 percent of CISOs from small agencies concur.

The findings suggest that the Report Card is not one size fits all, and that small agencies face different IT security challenges than their larger counterparts. Based on the CISO feedback, the current Report Card process does not take these differences into account. The study recommends considering a separate Report Card for small agencies.

Report Card-Funding Disconnect and Guidance Ambiguities Challenge CISOs

Federal CISOs identified ambiguities in FISMA language requirements as a continued challenge, negatively impacting Report Card grades.

In addition, the report sheds light on two persistent problems with the Federal Computer Security Report Card process and highlights the need to establish a more linear connection between an agency’s IT security performance and the associated funding the agency receives.

First, Report Card grades have a questionable impact on an agency’s IT security funding – 75 percent of respondents say they found little correlation between their agency’s FISMA grade and their agency’s IT security funding.

Second, Federal IT security professionals believe the Report Card grades have a negligible bearing on overall IT funding – 79 percent of CISOs say they have found no link between their agency’s FISMA grades and their agency’s overall IT budget.

“By shining a light on the government’s IT security environment, the Federal Computer Security Report Card empowers CISOs to continuously evaluate and improve security for their agency’s information assets,” said John Trauth, executive vice president of Federal government systems at Merlin International. “That said, the Report Card process needs continuous improvement. Our report recommends several next steps, including modifications for small versus large agencies, and a continued effort to clarify requirements language.”

Share or bookmarklet this web page at: