<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Feds get C-minus on security</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/security-bytes/feds-get-c-minus-on-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/security-bytes/feds-get-c-minus-on-security/</link>
	<description>A SearchSecurity.com blog</description>
	<pubDate>Fri, 27 Nov 2009 03:31:10 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: David Funk</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/feds-get-c-minus-on-security/#comment-299</link>
		<dc:creator>David Funk</dc:creator>
		<pubDate>Sat, 28 Apr 2007 13:47:02 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2007/04/12/feds-get-c-minus-on-security/#comment-299</guid>
		<description>Everyone responsible for computers in the government knows that FISMA grades paper by the pound, not information system security.  Which of the significant problems encountered in the Federal government over the last two years, from DoD's massive PLA intrusion, to lost laptops here, there, and everywhere, would have been stopped if the agency had a better FISMA grade?  None.  Fact is that DoD has done a lot to get the People's Liberation Army out of its computers, but almost none of it has a 'box' in FISMA to check. DoD has done much to fix their problems, and they got an F.  That is a huge condemnation of the system in and of itself.
The government needs to start firing responsible officials.  Start with OMB auditors who confuse FISMA annual requirements with an agrarian cycle, "it's March so it must be time to do security training, if the training isn't done in May, it isn't done for 2007".  Closest try was firing the CIO at VA who was six months on the job.  The previous one quit because he had responsibility but no authority.  VA didn't quite hit the nail on the head with that one.  There may be a lot wrong with information security in the government, but good FISMA compliance has absolutely nothing to do with the solution.
OMB, NIST, go heal thyself.  Otherwise, take two aspirin, drink lots of orange juice and don't call me again.  Rep. Davis, please put your monster out of its agony.</description>
		<content:encoded><![CDATA[<p>Everyone responsible for computers in the government knows that FISMA grades paper by the pound, not information system security.  Which of the significant problems encountered in the Federal government over the last two years, from DoD&#8217;s massive PLA intrusion, to lost laptops here, there, and everywhere, would have been stopped if the agency had a better FISMA grade?  None.  Fact is that DoD has done a lot to get the People&#8217;s Liberation Army out of its computers, but almost none of it has a &#8216;box&#8217; in FISMA to check. DoD has done much to fix their problems, and they got an F.  That is a huge condemnation of the system in and of itself.<br />
The government needs to start firing responsible officials.  Start with OMB auditors who confuse FISMA annual requirements with an agrarian cycle, &#8220;it&#8217;s March so it must be time to do security training, if the training isn&#8217;t done in May, it isn&#8217;t done for 2007&#8221;.  Closest try was firing the CIO at VA who was six months on the job.  The previous one quit because he had responsibility but no authority.  VA didn&#8217;t quite hit the nail on the head with that one.  There may be a lot wrong with information security in the government, but good FISMA compliance has absolutely nothing to do with the solution.<br />
OMB, NIST, go heal thyself.  Otherwise, take two aspirin, drink lots of orange juice and don&#8217;t call me again.  Rep. Davis, please put your monster out of its agony.</p>
]]></content:encoded>
	</item>
</channel>
</rss>