OMB releases its annual FISMA security report to Congress

It's report-card time again for government agencies as the Office of Management and Budget released its fiscal year 2008 report to Congress on Wednesday in accordance with the Federal Information Security Management Act (FISMA).

The report (PDF available here) covers 25 major and dozens of small and independent agencies and includes, as usual, qualitative and quantitative testing. Area measured include certification and accreditation, controls testing, and contingency plan testing, along with privacy protection.

Overall, the report's authors say, things continue to improve, just as they have since evaluations began in 2002. Across all agencies, the percentage of certified and accredited (C&A) systems rose four percentage points to 96%, testing of security controls and contingency plans is up six percentage points to (respectively) 93% and 92%, and the percentage of systems with a Privacy Impact Assessment in place rose eight percentage points to 92%. It's not all good: A few areas of effort showed decreases, including a slight (2%) drop in security controls testing.

And going forward, OMB says, it may be time to switch from periodic reporting on compliance to more continuous monitoring, since most agencies have their boots on now. Such a system would help to address the concerns of critics who argue that the periodic checks are essentially just exercises in paperwork, rather than security.

The report drills down to specific agencies, and the OMB authors took pains to point out notable and dubious achievements. The Nuclear Regulatory Commission brought up its game this year, improving its percentage of systems with a C&A from 17% in 2007 to 59% last year, and 83% improvement in contingency-plan testing. DHS improved its C&A percentage by 10 points, and the Department of Defense broke the 90% barrier despite adding 158 C&A-requiring systems to the department over the last 12 months. The Department of Veterans Affairs reported an 57% increase in contingency plan testing.

Others failed to impress. Contingency-plan testing appears to have undone the Department of Education and the perennially under-performing Department of Agriculture, which reported testing decreases of 23% and 13% respectively. Oddly, Agriculture is one of just three departments reporting spending of more than $72 million on security awareness training for employees; the other two are Defense, a department so large and complex that the OMB's evaluation process warps in the vicinity of its gravity field, and Treasury, home of the IRS. And three agencies don't warn their people about the dangers of peer-to-peer file-sharing: Agriculture, Labor, and Transportation.

Defense, by the way, could give a casual observer a coronary on page 9 of the report, where the fabled "report card" rankings are -- failing grades for C&A and privacy, a score of zero (on a scale of 1-100) for completeness of system inventory, and a thumbs-down for an agency-wide plan of action and milestones (POA&M) for fixing problems. DoD observers are encouraged to drill down to reports from the DoD's CIO and IG (inspector general); after reading, they are encouraged to send an aspirin to the IG, who clearly did not like what s/he saw.

Aside from Defense, the report card this year had just one "Poor" grade, awarded to Agriculture for its C&A process, and five "Satisfactory-minus" scores, awarded variously to the Departments of Health and Human Services (C&A process) and Housing and Urban Development (privacy), the Office of Personnel Management (C&A), the Smithsonian (privacy), and Transportation (privacy). Health and Human Services also scored relatively low on the completeness of its system inventories, and Agriculture, the Department of the Interior, and Transportation need to get their POA&Ms in order.

Otherwise, though, it was all "Satisfactory" and "Good" and "Excellent" with FISMA in 2008. And one department, the Agency for International Development, came shining through with simply stellar scores -- 100% C&A, 100% for security controls, 100% for tested contingency plans, 100% for employees receiving security awareness training, 100% of systems covered by an existing PIA, and the list goes on. The humanitarian assistance agency's clearly got it going on; do you suppose its people would consider sending a rescue team over to Agriculture?