[ISN] Interior wants broader measurements in FISMA reporting

From: InfoSec News (alerts@private)
Date: Thu Oct 19 2006 - 03:18:33 PDT


http://www.gcn.com/online/vol1_no1/42328-1.html

By Rob Thormeyer
GCN Staff
10/18/06

The Interior Department is looking for new ways to illustrate how 
agencies are complying with the Federal Information Security Management 
Act, a key official said yesterday.

Hord Tipton, the agency's CIO, said his office has been consulting with 
Interior's inspector general about how to create metrics that take a 
broader view of whether and how agencies are meeting FISMA 
requirements.

"We need to do something different than just checking boxes to denote 
FISMA compliance," Tipton said at an annual breakfast Tuesday sponsored 
by the Armed Forces Communications and Electronics Association's 
Bethesda, Md., chapter.

FISMA reform is a hot topic right now, and Tom Davis, House Government 
Reform chairman, has already offered legislation to shore up and bolster 
the government's information security policies.

Under the act, agencies must report to Congress on their cybersecurity 
efforts, and these scores are tabulated by Davis' committee. In its most 
recent report card, the government overall received a D-plus.

In his comments, Tipton echoed concerns raised by several federal 
officials earlier this year that FISMA is evolving into little more than 
a check-the-box exercise that focuses on granular details and not the 
bigger picture of how agencies are deterring cyberattacks.

Tipton noted that his agency did not score well on the most recent 
report card but said Interior's cybersecurity has never been stronger.

"We look at FISMA and I noted that we fended off four billion probes, 
scans, attacks last year without any significant breaches," Tipton said 
after his speech. "It doesn't show up in the FISMA report. What shows up 
in FISMA is, 'Did I do all my paperwork? Did I do the annual reviews?' 
That is important, I'm not discounting that, but there needs to be some 
balance as to what's working."

Interior has been in contact with the National Institute of Standards 
and Technology and the National Security Agency as well as other groups 
like the SANS Institute of Bethesda, Md., to discuss its ideas, Tipton 
said.

If the groups can reach agreement on a few new metrics, Tipton said they 
hope to meet with the Office of Management and Budget as well.

