Graphical Look at Fed Infosec Performance

OMB Issues Its FY 2011 FISMA Report Card

By Eric Chabrow, March 17, 2012. Follow Eric @GovInfoSecurity

The White House Office of Management and Budget, in its yearly Federal Information Security Management Act report to Congress, gives departments and agencies mixed grades in their efforts to secure federal IT for fiscal year 2011, which ended last Sept. 30.

*** See series of charts and tables below. ***

Enacted a decade ago, FISMA requires agencies to provide information security protections commensurate with risks and their potential harms to governmental IT systems.

Among the accomplishments OMB touts in the FISMA report are the first CyberStat reviews with agencies that examined the metrics reported through a system known as CyberScope and the development of in-depth remediation plans to quickly address and correct any weaknesses identified in their cybersecurity program.

CyberStat reviews consist of face-to-face, evidence-based meetings between agencies and the Department of Homeland Security, OMB and/or the national security staff to ensure agencies are accountable for their cybersecurity posture and at the same time assist them in developing focused strategies to improve their information security position.

OMB in 2010 designated DHS as the lead agency to establish baseline cybersecurity metrics for federal departments and agencies. With this charge, the report says, DHS cybersecurity experts [see Building DHS's All-Star Cybersecurity Team: A Conversation with Deputy Undersecretary Mark Weatherford] continued to improve the metrics and collected the associated data, which have given the administration greater insight into the strengths and weaknesses of agencies' information security posture. In the last fiscal year, agencies reported that security capabilities remained the same or improved, with one exception: controlled incident detection.

Why controlled incident detection? According to DHS, several agencies misinterpreted the controlled incident detection metric question the previous year, which resulted in inaccurate data being reported last year. The definition for this capability area has been revised to clarify the question.

Comparison of FISMA Capabilities
Source: Office of Management and Budget

Analyzing cybersecurity audits conducted by the inspectors general of the 24 Chief Financial Officer Act agencies - basically, the biggest two dozen federal departments and agencies - the report, issued earlier this month, found that the agencies performed best in security capital planning, incident response and reporting, and remote access management.

The weakest performances occurred in continuous monitoring management, configuration management, plan-of-action-and-milestones remediation, and identity and access management.

CFO Act Agencies by Cybersecurity Area
Source: Office of Management and Budget

Here's how individual agencies performed:

CFO Act Agencies' Compliance Scores, Based on IG's Reviews
Source: Office of Management and Budget.
*DOD did not provide answers.

OMB said it saw improvements in agencies' FISMA efforts, helped by automated submission and collection of quantitative FISMA data, the establishment of a year-to-year baseline through the continuation of outcome-based fiscal year 2010 FISMA metrics and the narrowing of FISMA efforts to allocate limited resources to the most pressing Federal cybersecurity challenges. "These improvements have greatly informed our understanding of current cybersecurity posture and have helped to drive accountability towards improving the collective effectiveness of our cybersecurity capabilities," the OMB report said.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
