Graphical Look at Fed Infosec Performance
OMB Issues Its FY 2011 FISMA Report Card
The White House Office of Management and Budget, in its yearly Federal Information Security Management Act report to Congress, gives departments and agencies mixed grades in their efforts to secure federal IT for fiscal year 2011, which ended last Sept. 30.
*** See series of charts and tables below. ***
Enacted a decade ago, FISMA requires agencies to provide information security protections commensurate with risks and their potential harms to governmental IT systems.
Among the accomplishments OMB touts in the FISMA report are the first CyberStat reviews with agencies, which examined the metrics reported through a system known as CyberScope, and the development of in-depth remediation plans to quickly address and correct any weaknesses identified in an agency's cybersecurity program.
CyberStat reviews consist of face-to-face, evidence-based meetings between agencies and the Department of Homeland Security, OMB and/or the national security staff to ensure agencies are accountable for their cybersecurity posture and at the same time assist them in developing focused strategies to improve their information security position.
OMB in 2010 designated DHS as the lead agency to establish baseline cybersecurity metrics for the federal government departments and agencies. With this charge, the report says, DHS cybersecurity experts [see Building DHS's All-Star Cybersecurity Team: A Conversation with Deputy Undersecretary Mark Weatherford] continued to improve the metrics and collected the associated data, which have given the administration greater insight into the strengths and weaknesses of agencies' information security posture. In the last fiscal year, agencies reported that security capabilities remained the same or improved, with one exception: controlled incident detection.
Why controlled incident detection? According to DHS, several agencies misinterpreted the controlled incident detection metric question the previous year, which resulted in inaccurate data being reported last year. The definition for this capability area has been revised to clarify the question.
[Chart: Comparison of FISMA Capabilities. Source: Office of Management and Budget]
According to the report issued earlier this month, which analyzes cybersecurity audits conducted by the inspectors general of the 24 Chief Financial Officer Act agencies (basically, the biggest two dozen federal departments and agencies), the agencies performed best in security capital planning, incident response and reporting, and remote access management.
The weakest performances occurred in continuous monitoring management, configuration management, plan-of-action-and-milestones remediation, and identity and access management.
[Chart: CFO Act Agencies by Cybersecurity Area. Source: Office of Management and Budget]
Here's how individual agencies performed:
[Table: CFO Act Agencies' Compliance Scores, Based on IGs' Reviews. Source: Office of Management and Budget. *DOD did not provide answers.]
OMB said it saw improvements in agencies' FISMA efforts, helped by automated submission and collection of quantitative FISMA data, the establishment of a year-to-year baseline through the continuation of outcome-based fiscal year 2010 FISMA metrics and the narrowing of FISMA efforts to allocate limited resources to the most pressing Federal cybersecurity challenges. "These improvements have greatly informed our understanding of current cybersecurity posture and have helped to drive accountability towards improving the collective effectiveness of our cybersecurity capabilities," the OMB report said.
The FISMA report provided a snapshot of the size of the federal government IT security workforce by full-time equivalent (FTE) positions - 84,426 - broken down into employees (60 percent) and contractors (40 percent).
[Chart: Total IT Security FTEs Reported by Agency]
The 24 CFO Act agencies spent $13.3 billion on IT security in 2011, and OMB showed how those dollars were divvied up (SP 800-37 is the National Institute of Standards and Technology's risk management framework guidance) ...
[Chart: Total IT Security Costs by Category Reported by Agency. Note: The percentages are the average of 23 agencies, excluding the Department of Defense.]
... and the percentage of total IT spending by agency.
[Chart: IT Security Spending as a Percentage of Total IT Spending Reported by Agencies. Source: Office of Management and Budget]