
Secure Elements Contact: Stephanie Stadler
Phone: (703) 287-7819
e-mail: sstadler@sheahedges.com

O'Keeffee & Company Contact: Jan Cornelius
Phone: (703) 883-9000 ext. 102
e-mail: jcornelius@okco.com

Merlin International, Inc. Contact: Maria Moore
Phone: (703) 752-9953
e-mail: mmoore@merlin-intl.com

IS FISMA MAKING THE GRADE?  CHIEF INFORMATION SECURITY OFFICER SURVEY SAYS FEDERAL COMPUTER SECURITY GRADES IMPROVING, BUT CHALLENGES WITH REPORT CARD PROCESS PERSIST 
Report Cards More Accurate for Large Agencies; CISOs Communicate the Process Still Needs Improvement

HERNDON, VA - Apr 12, 2007 - The Merlin International Federal Research Consortium (MFRC), a group of leading Information Assurance solution providers, today announced the availability of its new report, "Is FISMA Making the Grade?"  Based on a survey of Federal Chief Information Security Officers (CISOs), the study reveals that CISOs report their Federal Computer Security Report Card grades for 2007 have improved over 2006, but challenges persist with the process.

Despite progress, CISOs still struggle with language ambiguities related to the Federal Information Security Management Act (FISMA) guidelines, according to the study.  In addition, CISOs from large and small agencies hold divergent opinions on the value of the Report Card process.  The full report is available for download at http://www.merlin-intl.com/IAstudy.asp

Report Card Grades Improving, Information More Secure
The MFRC study, based on a March 2007 survey of Federal CISOs, reveals that 75 percent of CISOs state their agency's Federal Computer Security Report Card grade improved in 2007.  A majority of Federal CISOs identify streamlining certification and authentication (C&A) efforts as the primary factor promoting higher grades.

In line with Report Card grades, 75 percent of CISOs say that their IT security environment has improved or significantly improved since the House of Representatives Government Oversight and Reform Committee released the 2006 Report Card.  Looking forward, the report identifies increased auditing and authorization efforts as a key trend for 2007.  Eighty-three percent of Federal CISOs plan to increase IT audit trails and authorization efforts during the next year.

Large-Agency CISOs Give Report Card Higher Grades
CISOs from large agencies (more than 10,000 employees) have higher confidence in the Report Card's accuracy than their counterparts at smaller agencies.  Sixty percent of CISOs from large agencies say the Report Card provides real insight into their agency's IT security; however, just 36 percent of CISOs from small agencies concur.

The findings suggest that the Report Card is not "one size fits all," and that small agencies face different IT security challenges than their larger counterparts.  Based on the CISO feedback, the current Report Card process does not take these differences into account.  The study recommends considering a separate Report Card for small agencies.

Report Card-Funding Disconnect and Guidance Ambiguities Challenge CISOs
Federal CISOs identified ambiguities in FISMA language requirements as a continued challenge, negatively impacting Report Card grades. 

In addition, the report sheds light on two persistent problems with the Federal Computer Security Report Card process and highlights the need to establish a more linear connection between an agency's IT security performance and the associated funding the agency receives.

First, Report Card grades have a questionable impact on an agency's IT security funding: 75 percent of respondents say they found little correlation between their agency's FISMA grade and their agency's IT security funding.

Second, Federal IT security professionals believe the Report Card grades have a negligible bearing on overall IT funding: 79 percent of CISOs say they have found no link between their agency's FISMA grades and their agency's overall IT budget.

"By shining a light on the government's IT security environment, the Federal Computer Security Report Card empowers CISOs to continuously evaluate and improve security for their agency's information assets," said John Trauth, executive vice president of Federal government systems at Merlin International.  "That said, the Report Card process needs continuous improvement.  Our report recommends several next steps, including modifications for small versus large agencies, and a continued effort to clarify requirements language."

### 

About the Federal Computer Security Report Card
The House of Representatives Committee on Government Oversight and Reform issues the Federal Computer Security Report Card annually, largely based on security evaluations defined in the 2002 FISMA regulations.  The Office of Management and Budget administers the initial FISMA evaluations.

About the "Is FISMA Making the Grade?" Report
The report, commissioned by the Merlin International Federal Research Consortium, is based on a survey of 30 out of a total of 117 CISOs conducted in March 2007.  The full study is available for download at http://www.merlin-intl.com/IAstudy.asp. 

About the Merlin International Federal Research Consortium
The Merlin International Federal Research Consortium is a group of leading Information Assurance solution providers committed to bringing insightful and timely market intelligence and best practices information to the Federal IT marketplace.  Through research, education, and training, the coalition works to empower government agencies to optimize their IT security environments.

About Secure Elements
Secure Elements develops innovative products that help organizations achieve IT security compliance.  We enable organizations to audit, evaluate, and comply with internal, industry, and regulatory policies.  Our solutions reduce business risk and IT management costs while improving systems performance and maintaining business continuity.  Based in Northern Virginia, Secure Elements serves organizations in the federal government and critical infrastructure markets, as well as the Global 1000.  http://www.secure-elements.com
