Regulation Hasn’t Improved Security at Fed Agencies: Survey

Only 53 percent of federal information-security specialists believe their agencies have seen any real benefit during the past decade from a 2002 law designed to create enforceable standards for federal cybersecurity.

The Federal Information Security Management Act of 2002 was designed to recognize the importance of digital security, create standards federal agencies could follow to make sure their data protection was up to snuff, and help document both the effort to secure digital data and the improvements that resulted.

After more than a decade, however, only 22 percent of federal IT security staff believe the security procedures at their own agencies are “sufficient and sustainable,” let alone adequate to meet the demands of an increasingly risky digital landscape, according to a study sponsored by storage vendor NetApp and conducted by MeriTalk, an online community for federal IT professionals.

The situation for most agencies is far more dire now than when FISMA was passed.

During the past 12 months, 64 percent of Federal agencies have had to defend themselves against leaks or insider threats, according to the survey. Another 48 percent had to defend against a state-sponsored threat and 60 percent were attacked by non-state-sponsored groups.

Money, for once, is not a problem. Eighty-three percent said their agency has a budget adequate to produce acceptable levels of security; 89 percent said their end users comply with security requirements; 91 percent said their information security department can identify and implement new technology as needed.

All of those results are well above the norm for corporate IT: in surveys of security professionals at corporations, both user compliance and security budgets are consistently rated lower.

The main problem, according to MeriTalk survey respondents, is that the security regulation itself isn’t up to helping agencies keep themselves up to speed with the environment they face.

Twenty-eight percent of respondents said FISMA requirements encourage processes designed to produce documentation showing compliance with FISMA itself, rather than processes designed to improve risk identification or assessment.

Twenty-one percent said FISMA guidelines didn’t take into account all the relevant threats agencies currently face; 11 percent thought FISMA itself is too antiquated to be useful.

Eighty-six percent of respondents said FISMA increased the cost of maintaining their networks, but only 53 percent said it did much to actually improve security.

Only 40 percent said they felt confident in their agency’s level of security.

Eighty-three percent of the security pros surveyed said they believed continuous monitoring would improve the security at their agencies; 81 percent have at least some monitoring capabilities in place.

A quarter of the agencies either have no monitoring systems or lack the resources to monitor security continuously, however; 55 percent said they were too busy or too poorly equipped even to keep pace with the volume of data crossing their networks, let alone take proactive steps to improve anything.

The results stem from a July 2013 online survey that netted cyber security pros from 203 federal agencies, with a margin-of-error of 6.8 percent.

The full report is available for download here (free registration required).


Image: MeriTalk.com