Enhancing FISMA Pegged at $710 Million
CBO Assesses Costs to Improve Federal IT Security
Continuous monitoring comes at a cost, and a bill before Congress to shore up cyber defenses in the federal government - including continuous monitoring - would add $710 million to the cost of implementing the Federal Information Security Management Act over the next five years, according to an estimate by the Congressional Budget Office.
CBO based its cost estimates on an analysis of the Federal Information Security Amendments Act, or HR 4257, a bill before the House that would update FISMA, the law that governs the way the federal government secures IT. The proposed legislation would establish a mechanism for stronger oversight of IT systems by focusing on automated and continuous monitoring of cybersecurity threats and regular threat assessments.
In fiscal 2013, which begins Oct. 1, CBO estimates FISMA spending would increase by $50 million, reaching an extra $215 million for fiscal 2017. The estimated outlays would equal $710 million from fiscal 2013 through 2017.
Here's what went into the CBO's calculation:
The bill, if enacted, would expand the requirements in FISMA to strengthen and coordinate security controls for computer systems across federal agencies. Some of those new requirements include establishing uniform standards across agencies' information systems, implementing automated and continuous monitoring of systems to secure information, conducting threat assessments and maintaining secure facilities.
CBO estimates that when fully implemented, the new activities specified in the bill would add about 2 percent - roughly $200 million a year - to the annual cost of implementing FISMA. CBO expects that it would take about four years to reach that level of effort for the thousands of federal computer systems now operating.
The CBO estimate cited Office of Management and Budget reports that show the two dozen largest departments and agencies spent more than $13 billion on IT security in fiscal 2011, accounting for 2 percent of all federal spending on information technology. That figure included spending on testing, training, equipment and personnel.
One reason CBO projects higher FISMA spending in the coming years is that many agencies have failed to implement continuous monitoring properly. CBO cites reviews by agencies' inspectors general showing that fewer than half of federal agencies have put adequate continuous monitoring of their computer systems in place, and that about half have unresolved security problems involving alternative computer processing sites, contingency planning for emergencies and adequate backup of computer information.