[ISN] GAO recommends changes to FISMA reporting

From: InfoSec News (alerts@private)
Date: Mon Jul 30 2007 - 22:22:54 PDT


By Jason Miller
July 30, 2007

Agency computer systems are vulnerable because many lack basic controls, 
and one of the best ways to improve information technology security is 
to improve the metrics by which departments measure whether those basic 
controls are actually implemented.

That was the conclusion of the Government Accountability Office, which 
on Friday issued a tell-tale report [1] identifying widespread IT 
security weaknesses across the government.

Weaknesses exist predominantly in access controls, including 
authentication and identification, authorization, cryptography, audit 
and monitoring, boundary protection and physical security, the report 
said. Weaknesses also exist in configuration management, segregation of 
duties and continuity of operations.

Auditors said the metrics under the Federal Information Security 
Management Act are not effective enough and offer only limited assurance 
of the quality of agency evaluations.

"[A]gencies are required to test and evaluate the effectiveness of the 
controls over their systems at least once a year and to report on the 
number of systems undergoing such tests," the report said. However, there 
is no measure of the quality of agencies' test and evaluation processes.

GAO recommended that the Office of Management and Budget improve FISMA 
reporting in three general ways. The audit agency's most specific 
recommendation was for OMB to require agencies to report how they perform 
patch management. OMB previously required this in 2004, but has since 
dropped it from its FISMA guidance.

Auditors said patch management is one area of weakness among agencies.

OMB and Congress lack information that could demonstrate whether or not 
agencies are taking appropriate steps for protecting their systems, the 
report said.

Sen. Joe Lieberman (I-Conn.), Homeland Security and Governmental Affairs 
Committee chairman and author of the E-Government Act of 2002, which 
included FISMA, said agencies need to do more to protect their systems.

He said that the federal government is not doing enough to guarantee the 
security of its computers and the vast databases within them. Lieberman 
added that as technology moves forward so should the methods by which IT 
is secured.

In addition to the patch management suggestion, GAO recommended that OMB 
develop additional performance metrics, and request agency inspectors 
general to report on the quality of additional agency security 
processes, such as system test and evaluation, and risk categorization.

Karen Evans, OMB's administrator for IT and e-government, said in a 
letter to GAO that her office would review GAO's recommendations. But 
Evans said the certification and accreditation process does provide a 
systematic approach for determining whether appropriate security 
controls are in place, functioning properly and producing the desired 
Evans added that the IGs have flexibility to tailor their evaluation 
based on the agency's documented weaknesses and plans for improvement.

"If OMB were to request quality reviews on specific control groups, we 
would require qualitative reviews on certain areas where agencies may 
already be effective," Evans wrote. "We would also reduce the flexibility 
needed by agencies to tailor their evaluations to address documented 
[1] http://www.gao.gov/new.items/d07837.pdf

