Homeland Security Releases FISMA Compliance Metrics

The Obama administration, by focusing on continuous monitoring, comes closer to assessing the thoroughness of federal agencies cybersecurity efforts, says SANS Institute.

(click image for larger view)
Slideshow: Inside DHS Classified Cyber-Coordination Headquarters
The Department of Homeland Security (DHS) has released new reporting metrics for agency compliance with the Federal Information Security Management Act (FISMA) that focus on continuous cybersecurity monitoring.
The new metrics should bolster the federal governments strategy to keep closer and more constant track of security vulnerabilities and threats as it moves forward with improvements to overall cybersecurity across agencies.
The annual CIOs FISMA Reporting Metrics report for fiscal year 2011 requires federal agencies to detail progress theyve made to automate daily metrics on critical security risks. FISMA is the National Institute of Standards and Technology (NIST) security standard for IT products and solutions used in the federal government, as well as for how agencies comply with cybersecurity requirements.
The
11-page document
asks agencies to provide a current inventory of automated monitoring capabilities in overall systems; asset, configuration, vulnerability, identity, and access management; and other categories.
This years metrics document also contains an entire section asking agencies to report on
continuous monitoring
itself, asking what percentage of data from various data feeds are being monitored at appropriate frequencies and levels in the agency, according to the document. Data feeds included in the questioning include application logs, patch status, vulnerability scans, failed logins for privileged accounts, and data loss prevention data, among others.
Over the last couple of years, the Obama administration has required agencies to report on FISMA compliance by asking numerous questions that didnt necessarily address key security concerns.
This years metrics document, however, moves away from that with a smaller, more focused series of questions on key security controls that address the real objective of FISMA compliance requirements--to assess thoroughness and effectiveness of agencies
cybersecurity efforts
.
While not a massive leap forward, this years FISMA metrics requirements are a step in the right direction to improving overall cybersecurity at federal agencies, according to one cybersecurity expert.
Alan Paller, director of research for the SANS Institute, called the metrics a huge improvement that should result in rapid risk reduction and potentially allow the government to lead by example in showing how to manage cybersecurity effectively. The SANS Institute offers cybersecurity training.
As opposed to previous metrics requirements, the 2011 document assesses agency progress in implementing systems needed for continuous monitoring of key controls defined by agencies and companies--such as the National Security Agency and the DHS itself--that are aware of how cyber attacks are executed and whats needed to block or mitigate them or the damage they cause, he said.
Its the first time they have included effectiveness measures and a major focus on the 20 critical controls, so it saves agencies millions of dollars by enabling them to use the money on what matters most, Paller said in an interview via email Monday. That means radically better security.
In the new, all-digital issue of InformationWeek Government: More than half of federal agencies will use cloud computing within 12 months, our new survey finds. Security, ROI, and management challenges await them.
Download it now
. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Homeland Security Releases FISMA Compliance Metrics