GAO: Only 8 of 22 Federal Agencies Comply with Cyber Risk Management Requirements

During 2012, only eight of 22 major government agencies complied with the cybersecurity risk management requirements mandated under the Federal Information Security Management Act (FISMA), down from 13 of 24 in 2011, a top official from the Government Accountability Office (GAO) told the Senate Homeland Security and Governmental Affairs Committee today during a hearing. Citing a little-noticed report that the GAO issued last month, Gregory C. Wilshusen, Director of Information Security Issues at GAO, said that President Obama's cybersecurity executive order, also issued last month, is a good step but must be integrated into an "overarching strategy that includes a clearer process for oversight of agency risk management." That conclusion rests on the report's examination of weaknesses in the federal government's own cybersecurity practices.

The main attraction of the hearing, aimed at examining the executive order, was Department of Homeland Security (DHS) Secretary Janet Napolitano, who said that the just-imposed sequester cuts will no doubt disrupt DHS' cybersecurity efforts. "We do not have the luxury of making significant reductions to our capabilities without having significant impacts," she said.

Patrick Gallagher, Under Secretary for Standards and Technology at the Department of Commerce, said that Commerce's National Institute of Standards and Technology (NIST), which is charged with developing a comprehensive cybersecurity framework under the recent executive order, will likely not be as disrupted by the sequester cuts when it comes to getting that framework out the door. "I am hopeful that there is a very minimal impact on our ability to deliver the framework," he said.

NIST plans to host at least four workshops in order to develop the final draft of the framework within the one-year deadline established in the order, with the first workshop slated for April 3 at NIST facilities in Gaithersburg, MD. But how easily NIST will be able to get its arms around the thorny and intricate topic remains to be seen.

NIST plans to model its process on its earlier efforts to develop standards for the smart grid and cloud computing, although far more people will probably be involved in this cybersecurity effort, Gallagher said. "In the case of smart grid, we were up to over 1,600 people [involved in developing the standards] and this is broader than that."
