
Agencies meet FISMA rules, but still face cyber threats

The Federal Information Security Management Act (FISMA) is the main law governing federal information security practices, and most agencies complied with its requirements in 2008. Unfortunately, compliance with this law is hardly enough to ensure the security of the federal government's computer systems, and many experts believe it is little more than a paperwork exercise that does not really stop cyber attacks.

The Office of Management and Budget's FISMA implementation report for fiscal 2008 found that 92 percent of the federal agencies had satisfactory or better grades for the quality of their certification and accreditation processes. It said 84 percent of major agencies had "effective" cybersecurity plans, yet the number of attacks continues to grow, reaching 18,050 in fiscal 2008.

The Government Accountability Office has found that while most agencies comply with FISMA, the effectiveness of those efforts is unclear. Others say it is more an exercise in checking boxes to get a good grade, when IT staff should be doing much more, including monitoring systems more closely in real time to detect intrusions.

Congress is considering revamping FISMA and making changes in the entire government cybersecurity arena. President Obama also has made the issue a priority, and is expected to soon release a new framework for government information security.

For more on FISMA:
- see this InformationWeek article
