Small Agencies: Improving FISMA ComplianceGuidance Aimed at Big Agencies Leave Smaller Ones in Lurch
With fewer employees, and still fewer - if any - IT security experts on staff, small federal agencies face challenges not confronted by larger ones, and congressional auditors call on the Office of Management and Budget and Department of Homeland Security to give them more help.
"OMB and DHS have not consistently ensured that all small agencies have reported on their compliance with security and privacy requirements, making it more difficult to accurately assess the extent to which agencies are effectively securing their information and systems," says Gregory Wilshusen, director of information security issues at the Government Accountability Office.
GAO has issued a report, Information Security: Additional Oversight Needed to Improve Programs at Small Agencies, which shows that small and micro agencies have shown mixed results in meeting federal government IT security rules and guidance.
Hear Wilshusen discuss how DHS and OMB can help small agencies secure IT.
OMB defines a small federal agency has having 6,000 or fewer workers, with most having fewer than 500 on staff. A micro agency employs fewer than 100 people.
"Without adequate safeguards, the small agencies we reviewed will remain vulnerable to individuals and groups with malicious intentions, who may obtain sensitive information, commit fraud, disrupt operations or launch attacks against other computer systems and networks," Wilshusen says.
In an interview with Information Security Media Group, Wilshusen explains that much of the OMB and DHS advice to help agencies comply with the Federal Information Security Management Act as well as other laws and guidance aimed at securing IT is primarily tailored to the largest 24 government agencies and departments, including workshops to educate cybersecurity practitioners on government security standards.
"In some cases, these smaller organizations just don't have the expertise or even the need for some of the discussions that OMB provides during a workshop," Wilshusen says. "OMB and DHS could make improvements in their efforts to perform outreach to these smaller agencies."
Information Security Incidents at Small Agencies, Fiscal Years 2009-2013Source: GAO based on US-CERT-supplied data.
What type of help is needed? Wilshusen says some smaller agencies aren't as consistent as their larger counterparts in reporting about their IT security as required under FISMA.
OMB has exempted many smaller agencies from using CyberScope, an interactive data collection tool can receive recurring data feeds to assess the security posture of an agency's IT systems. Wilshusen says only 55 of the 129 small and micro agencies GAO reviewed for the report employed CyberScope. By not having the data collected through CyberScope, he says, agencies as well as DHS and OMB cannot don't have the metrics needed to measure the effectiveness of an agency's IT security systems.
GAO also recommends that DHS, as part of its small and micro-agency cybersecurity support initiative, develop services and guidance targeted to small and micro agencies.
"Until OMB and DHS oversee agencies' implementation of information security and privacy program requirements and provide additional assistance, small agencies will continue to face challenges in protecting their information and information systems," Wilshusen says.
Examples of DHS Services Available to Federal AgenciesSource: GAO analysis based on agency documentation
Jim Crumpacker, DHS GAO-OIG liaison officer, acknowledges that some smaller agencies may face challenges employing DHS and National Institute of Standards and Technology guidance written with large agencies in mind. He says, in a written response to the GAO report, that DHS's Office of Cybersecurity and Communcations will analyze the need to expand programs to serve smaller agencies.
As part of its hiring plan, he says the cybersecurity is establishing and expanding a new federal customer service unit within DHS's United States Computer Emegency Readiness Team to better understand the circumstnaances and needs of various civilian agencies, including small and micro ones. By April 20, Crumpacker says, the customer service unit will develop and improve services and guidance that meet the needs of agencies with 6,000 or fewer employees.