The Federal Information Security Management Act of 2002 (FISMA) came at a time when government officials were first making the connection between digital technologies and the economic and national security interests of the United States. Ten years later, a new report from the Office of Management and Budget (OMB) has revealed that several agencies have actually begun to regress in their quest to achieve full compliance with the law.
The inspectors general of 24 large federal agencies were asked to complete a comprehensive assessment of their current FISMA compliance progress across 11 categories ranging from data security training and remote access management to incident reporting and contingency planning.
The findings indicated that just seven of the 24 agencies surveyed have achieved greater than 90 percent compliance with FISMA protocol, with the average across all agencies standing at 72.8 percent.
There were several success stories, as more than one-third of the offices surveyed were able to boost compliance compared with last year's report. NASA, for example, gained a remarkable 32.1 percentage points. However, nearly half of those surveyed indicated that their FISMA compliance standing had regressed in the past 12 months. The U.S. Agency for International Development (USAID) experienced a drop of 36.6 percentage points, showing just how quickly the data protection landscape can evolve.
The Department of Justice, Department of Homeland Security and Social Security Administration were among the top performers, while other critical institutions such as the Department of Veterans Affairs, Department of Health and Human Services and Department of Transportation all garnered failing grades. One notable absence from the report was the Department of Defense, which, for the second consecutive year, was unable to provide answers containing the requisite level of detail.
Aside from ensuring the integrity and security of information related to their own operations, most public sector organizations are also entrusted with the sensitive data of private citizens. And as internal breaches and outsider threats such as hacktivist plots continue to threaten the privileged status of these records, the section on data privacy contained in the OMB report has received additional scrutiny.
"Ensuring the privacy of personal information for all Americans remains a top administration priority, especially as federal agencies leverage emerging technologies such as cloud computing, mobile computing devices and social media," the report's authors explained. "The privacy implications in the use of these technologies must be considered, and agencies should collaborate on solutions and best practices to mitigate privacy risks."
Despite a marked increase in the number of systems governed by compliance regulations, most agencies improved their data privacy standing in the past 12 months. All but one agency now has a written policy for conducting a Privacy Impact Assessment (PIA), a procedure that addresses such issues as determining which types of records merit analysis, evaluating the implications of changes in technology or business practices, and facilitating public disclosure of report findings.
Moving forward, the OMB suggests that agencies should remain focused on delivering data security improvements by developing and using quantifiable metrics, repeatable processes and interoperable solutions to minimize technical barriers to implementation.
There will also be an increased emphasis on cost-efficiency, according to the report, as several agencies are slated to receive significant additions to their cybersecurity research and development budgets. One specific goal is the adoption and implementation of continuous monitoring solutions across all agencies to enable real-time analysis and response and contribute accurate, actionable information to collaborative efforts.
Security News from SimplySecurity.com by Trend Micro