Government IT Leaders Not Keen on FISMA

Although FISMA is designed to aid agencies in addressing various threats, survey results indicated it might be doing more harm than good.

Federal cyber-security professionals lack confidence in the Federal Information Security Management Act (FISMA), and do not believe their agencies’ current cyber-security solutions are sufficient and sustainable, according to a survey by MeriTalk, a public-private partnership focused on improving the outcomes of government IT.

In the past 12 months, agencies defended against insider threats or leaks (64 percent), non-state actors (60 percent) and state-sponsored threats (48 percent). Given the growing number and increasing sophistication of the attacks, just one in five (22 percent) cyber-security professionals rate their agency’s cyber-security solutions as sufficient and sustainable.

Although FISMA is designed to aid agencies in addressing these threats, survey results indicated it might be doing more harm than good. Just 53 percent of federal cyber-security professionals say FISMA has improved security at their agency, while 86 percent report that FISMA compliance increases costs.

As a result of security challenges, just 40 percent of cyber-security professionals are confident in their agency’s security. Those confident in their agency’s security are more likely to say their agency has an adequate budget (83 percent), their users are compliant with cyber-security policies (80 percent), and their cyber-security department can identify and implement new cyber-security technology effectively (91 percent).

"FISMA’s compliance model is not keeping up with the evolving security landscape or the security demands," Mark Weber, president of NetApp’s U.S. Public Sector, said in a statement. "There is a shift in the industry from compliance to continuous monitoring, and a vast number of new technologies exist to support this change. Our federal cyber-professionals should be given the resources, regulation and management support to take advantage of these technologies to help thwart cyber-security attacks."

In addition, 28 percent view FISMA as encouraging compliance rather than risk identification and assessment, 21 percent believe it is insufficient in dealing with today’s cyber-threat landscape, and 11 percent believe it is an antiquated law.

The survey revealed that to improve security, federal cyber-security professionals are looking beyond FISMA. The majority of cyber-security professionals (83 percent) believe continuous monitoring will improve security at their agency, and while most agencies (81 percent) have a system in place to continuously monitor their networks for cyber-threats, one in four lack the capabilities and resources to effectively execute continuous monitoring.

The deluge of data is also having an adverse effect on government security: more than half of cyber-security professionals (55 percent) say their agency is either overloaded or cannot keep up with the amount of data already crossing their network, and 18 percent of respondents said the network and security monitoring infrastructure cannot keep up with the network itself.