
5 Ways to Strengthen FISMA

Nation's IT Infrastructure at Risk, GAO Says
June 30, 2009 - Eric Chabrow, Executive Editor, GovInfoSecurity.com

The nation's federal and private-sector infrastructure systems remain at risk of not being adequately protected unless action is taken, the Government Accountability Office said in a letter issued Tuesday to a House panel.

"The need for improved cybersecurity in the federal government is clear," wrote Wilshusen, GAO's information security issues director.

In the letter, GAO offers five ways Congress can strengthen the Federal Information Security Management Act, the law that governs IT security in the federal government. The five proposals:

  1. Clarify requirements for testing and evaluating security controls.
  2. Require agency heads to provide an assurance statement on the overall adequacy and effectiveness of the agency's information security program.
  3. Enhance independent annual evaluations.
  4. Strengthen annual reporting mechanisms.
  5. Strengthen OMB oversight of agency information security programs.

Wilshusen was responding to two follow-up questions by members of the House Committee on Oversight and Government Reform's Subcommittee on Government Management, Organization and Procurement, stemming from a May 19 hearing on federal information security. One question solicited the views of GAO, the investigative arm of Congress, on how FISMA could be improved; the other solicited GAO's view on the Cybersecurity Act of 2009, a bill sponsored by Senators Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine.


Wilshusen says the bill, known as S. 773, is intended to improve cybersecurity in the United States. According to the bill, America's failure to protect cyberspace is one of the most urgent national security problems facing the country, a point Wilshusen didn't dispute. In the last fiscal year, he says, GAO determined that 23 of the government's top 24 agencies did not have adequate controls in place to ensure that only authorized individuals could access or manipulate data on their systems and networks. "The present cybersecurity strategy and its implementation had not been fully effective in mitigating the threat," he wrote. He reported that the number of IT security incidents reported by federal agencies has increased dramatically over the past three years, tripling from 5,503 incidents reported in fiscal year 2006 to 16,843 incidents in fiscal year 2008.

To remediate these problems, GAO recommended:

  • Developing a national strategy that clearly articulates strategic objectives, goals and priorities;
  • Establishing White House leadership;
  • Publicizing and raising awareness about the seriousness of the cybersecurity problem;
  • Focusing more actions on prioritizing assets, assessing vulnerabilities and reducing vulnerabilities than on developing additional plans;
  • Bolstering public/private partnerships through an improved value proposition and use of incentives;
  • Focusing greater attention on addressing the global aspects of cyberspace;
  • Placing greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts; and
  • Increasing the cadre of cybersecurity professionals.

"Until these improvements are considered," he wrote, "our nation's federal and private sector infrastructure systems remain at risk of not being adequately protected."
