Advocate I

Information Security FAILING Grades

Approximately 40 agencies (partial list below) received a failing grade from the Office of the Inspector General (OIG) in its independent assessment of information security practices. Read the entire report to US Congress here. I expect that a lot of agency CIOs and CISOs will be looking for "gainful employment" after congressional representatives rip through the report and ask WHY agencies are failing to deliver on information security effectiveness.

  1. Department of State
  2. Department of Commerce
  3. Department of Health and Human Services
  4. Department of Homeland Security
  5. Department of Agriculture
  6. Department of Commerce
  7. Department of Education
  8. Department of Health and Human Services
  9. Department of Justice
  10. Department of Labor
  11. Department of the Interior
  12. Department of the Treasury
  13. Department of Transportation
  14. Department of Veterans Affairs
  15. Federal Communications Commission
  16. Federal Deposit Insurance Corporation
  17. General Services Administration
  18. National Aeronautics and Space Administration
  19. National Archives and Records Administration
  20. Office of Personnel Management
  21. Securities and Exchange Commission
  22. Social Security Administration
Community Champion

Re: US Government Agency FISMA FAILING Grades

> AppDefects (Contributor III) edited a topic in Industry News on 08-26-2019 03:03

> Department of Homeland Security
> Department of Justice

OK, now *this* is hilarious ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
In the middle of difficulty lies opportunity. - Albert Einstein
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Advocate II

Re: Information Security FAILING Grades

> @AppDefects wrote:
>
> Approximately 40 agencies (partial list below) received a failing grade from the Office of the Inspector General (OIG) in its independent assessment of information security practices. Read the entire report to US Congress here. I expect that a lot of agency CIOs and CISOs will be looking for "gainful employment" after congressional representatives rip through the report and ask WHY agencies are failing to deliver on information security effectiveness.
>
> ...

As one of many who have had to deal with U.S. government Certification & Accreditation (C&A, the old Risk Management Framework, RMF) / Assessment and Authorization (A&A, the new RMF) under FISMA, and the resultant compliance reporting (the basis for the linked report), here are some aspects worth knowing:

  1. FISMA compliance is not about making systems more secure; it is about showing compliance with a particular type of audit, specifically including whether each IT system is operating under a current Authorization to Operate (ATO). Getting an ATO is a PITA of paperwork, and it says little about the actual security of the system. Holders of the CISSP-ISSEP and CAP should understand this distinction between paperwork and security.
  2. Agencies' grades are based on the percentage of identified systems that show a high level of compliance. Thus, very small agencies with only a few IT systems tend to score high, and humongous agencies with almost uncountable IT systems, such as Homeland Security and Defense, end up with lower scores.
Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/