Cybersecurity is a major concern for private companies, individuals, and the federal government. Hearing about large hacks and security breaches on the news is almost commonplace today, but that doesn’t make it any less frightening when it happens. We are quickly reaching a point where a breach in the right place could compromise the safety of nations. To keep its information systems secure, the federal government follows the requirements laid out in FISMA, but is FISMA as effective as it needs to be?
What Is FISMA?
Two acts make up FISMA: the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014. Together they spell out how federal departments and agencies are to protect their information and information systems. The 2002 act required every agency to run an agency-wide information security program, including periodic risk assessments, a baseline of required security controls, and ongoing testing and monitoring of those controls to confirm they work.
The 2014 act updated FISMA, most notably by defining the Department of Homeland Security’s role in overseeing security for federal civilian agencies. You may not know that FISMA also reaches private companies that do work for the federal government: any contractor that operates a federal information system, or handles federal information on an agency’s behalf, must meet FISMA’s requirements as well. That means a small business, healthcare provider, or advertiser holding such a government contract needs to comply with FISMA, too.
What Are Government Audits Revealing?
Last year, a FISMA audit of the Department of the Interior found that the department’s contingency plans were not being adequately tested. Without that testing, a disaster that damaged data centers or other critical IT assets could leave the department unable to recover, because it would never have confirmed its plans actually work. The audit traced the problem to one bureau within the department and found that it did not extend to the rest of the Department of the Interior.
Another department failing to meet FISMA standards is the VA. The Department of Veterans Affairs has had numerous cybersecurity issues over the past few years, and hearings held in March of this year on Office of Inspector General (OIG) findings showed that the weaknesses in the VA’s security systems stem in part from poor communication between its component departments. Specific problems involved access control, password management, and contingency planning. The department has since launched initiatives to close these security holes.
How Do CISOs Fit In?
This year, new White House plans for better cybersecurity included creating the position of a federal Chief Information Security Officer (CISO). Government departments covered by FISMA, however, already have CISOs of their own, with varying degrees of effectiveness.
Another government audit, from mid-September of this year, had striking results: of the 24 federal departments with a CISO, 13 had problems with the role. Those 13 departments had not defined exactly what their CISO is responsible for, leaving these officers with broad responsibilities but without the authority or established procedures needed to do the job effectively. Departments also struggle to coordinate with one another on cybersecurity.
According to California Representative Ted Lieu, cybersecurity attacks aimed at the U.S. government have risen 1,300 percent over the past decade. That chilling figure gives some sense of how exposed the nation’s data is. FISMA is certainly a powerful initiative, but is it doing enough? The question remains: how will the federal government handle cybersecurity in the years to come?
Image via Flickr by perspec_photo88