Agencies Still Behind in FISMA Compliance, Survey Says
Network security--particularly privacy of employee and citizen data--tops the list of concerns expressed by federal government IT decision makers, according to a security survey released by Cisco yesterday. Despite that, only 35 percent of respondents expect to be fully compliant with the 2002 Federal Information Security Management Act (FISMA) in the next year.
FISMA requires each federal agency to develop, document and implement an agency-wide program to provide information security across its systems. Many agencies have achieved compliance with some of the 17 security areas noted in FISMA, but the more technical areas, such as personnel security, identification and authentication, and access control, have yet to be conquered, according to more than half of the 239 respondents from civilian and defense agencies.
"[Agencies] are really stuck in a lot of the day-to-day battles, buying point products to solve the issue du jour, rather than taking a step back to achieve an overall secure architecture," says Dan Kent, director of systems engineering at Cisco. "That makes it very difficult for them to get to that next level."
The survey also revealed a lack of understanding of how individual components fit into the overall security architecture. Often, the IT staff in the trenches know exactly what is needed to meet FISMA requirements from a technical standpoint, but the information assurance teams that generally make the purchasing decisions do not.
"There needs to be a mapping of the technology to compliance itself," Kent says. To help with that, Cisco announced its Network Admission Control (NAC) framework, which starts to ship next month. The set of technologies uses the network infrastructure to enforce security policy compliance on all devices trying to gain access. A core component is the Cisco Trust Agent, which is installed on the host so the device's posture can be validated before network access is permitted.
"We're working with partners to make them aware that this issue of [network security] is out there for federal agencies," Kent says. "Together we can help them achieve the more operational and technical requirements. Our strategy is mapping our products and solutions with FISMA compliancy, and we are educating our partners about mapping their services to that as well."