CSIA Urges Congress and the Administration to Strengthen the Federal Information Security Management Act

Disappointing FISMA Grades Underscore Need for Improved Information


Apr 12, 2007, 01:00 ET from Cyber Security Industry Alliance

    ARLINGTON, Va., April 12 /PRNewswire-USNewswire/ -- The Cyber Security
 Industry Alliance (CSIA) today called upon all government agencies to
 significantly bolster efforts in 2007 to comply with the Federal
 Information Security Management Act (FISMA) of 2002. The ranking member of
 the House Committee on Oversight and Government Reform, U.S. Representative
 Tom Davis (R-VA) today issued the annual FISMA report card for all Federal
 government agencies, reporting an average grade of C- for securing computer
 systems and networks in 2006. Since 2003, the overall average grade for
 agencies has never exceeded a D+.
     "We are somewhat encouraged by the slight improvement over last year's
 grades; however, there is still a lot of work to be done," said Liz
 Gasster, acting executive director and general counsel of CSIA. "While
 FISMA is an important first step in providing heightened information
 security awareness for agencies, there are not nearly enough consequences
 for those agencies that fail to comply. CIOs and CISOs must be given more
 authority to take action to enforce and implement the Act, or security will
 continue to suffer."
     Several grades worth noting from the 2006 report card include:
     -- Agency for International Development (USAID): A+
     -- Department of Commerce: F
     -- Department of Defense (DoD): F
     -- Department of Homeland Security (DHS): D
     -- Department of Justice: A-
     -- Department of Veterans Affairs: No report submitted
     -- Social Security Administration: A
     -- Department of State: F
     -- Department of Treasury: F
     Added Gasster, "As part of the release, Congressman Davis announced his
 intention to reintroduce his legislation from last year, which would
 strengthen and clarify the important roles that CIOs and CISOs play in
 government agencies. This bill would also expressly require government
 agencies to notify individuals when sensitive personal information contained
 in government systems is compromised. CSIA supports this legislation and
 other efforts that enhance the information security practices employed by
 the government. In addition, agencies are currently required to report on
 privacy performance under FISMA, but the grades do not reflect this
 important data."
     Earlier this year, CSIA released its annual report, the 2007 Agenda for
 U.S. Government Action, which identified specific actions for Congress and
 the Administration to focus on to improve information security for
 citizens, industry and governments globally. As part of the Agenda, CSIA
 issued its Federal Progress Report for 2006 on the government's limited
 advancement in these same areas. CSIA assigned a D grade in the area of
 federal information assurance and suggested that Congress and the
 Administration work more closely together to strengthen FISMA
 implementation and enforcement.
     CSIA's report outlines the following recommendations for government
 improvement in this area:
     -- To effectively establish and maintain a comprehensive information
        security program, the authority of federal CIOs should be strengthened
        so that they can exercise real control over budgets and personnel;
     -- Federal agencies should increase their assessment and testing of
        information security controls, and be required to adhere to acquisition
        regulations that ensure all federal contractors comply with FISMA
        requirements; and
     -- All agencies should adopt a common requirement to notify citizens in
        the event of a breach of sensitive personal information.
     About the Cyber Security Industry Alliance
     The Cyber Security Industry Alliance is the only advocacy group
 dedicated exclusively to ensuring the privacy, reliability and integrity of
 information systems through public policy, technology, education and
 awareness. Led by CEOs from the world's top security providers, CSIA
 believes a comprehensive approach to information system security is vital
 to the stability of the global economy. Visit our web site at
     Members of the CSIA include Application Security, Inc.; CA, Inc. (NYSE:
 CA); Bharosa Inc.; BSI Management Systems; Crossroads Systems, Inc. (OTCBB
 Pink Sheets: CRDS.PK); Entrust, Inc. (Nasdaq: ENTU); F-Secure Corporation
 (HEX: FSC1V); IBM Internet Security Systems Inc. (NYSE: IBM); iPass Inc.
 (Nasdaq: IPAS); MXI Security; PGP Corporation; Qualys, Inc.; RSA, The
 Security Division of EMC (NYSE: EMC); Secure Computing Corporation (Nasdaq:
 SCUR); Surety, Inc.; SurfControl Plc (LSE: SRF); Symantec Corporation
 (Nasdaq: SYMC); TechGuard Security, LLC; and Vontu, Inc.

SOURCE Cyber Security Industry Alliance