Wednesday, August 20, 2008

How secure are your systems?

By Allan Holmes

Ever since Congress passed the 2002 Federal Information Security Management Act to improve the security of federal networks, security analysts and federal information technology managers have complained that the law has failed to make government systems more secure. The reason, they say, is that it is largely a reporting exercise: agencies must show that they have followed certain processes, such as certifying and accrediting systems. What it doesn't do is require agencies to measure how secure their systems actually are, for example by conducting penetration tests to identify the holes in networks that let attackers in, and then fixing those holes quickly.

For those reasons, security analysts say the report cards agencies receive on their compliance with FISMA are meaningless. In fact, Congress and others have charged that FISMA simply hasn't worked.

To begin a dialogue on potentially better ways to measure how secure an agency's systems are, Nextgov and the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., have teamed up on a Web-based tool. It's designed to give federal officials a means to compare how secure FISMA says their systems are with what professional security analysts would say. As Alan Paller, director of research at SANS, points out, an agency can get an A on FISMA compliance but receive an F from security analysts on how secure its systems actually are.

To find out how your FISMA grade stacks up against the grade a SANS security consultant would give you, we invite you to take the FISMA vs. Security Perspective Test. The first part of the test grades your compliance with certain FISMA requirements. The second measures how well you follow what security analysts say are some of the best practices for securing systems. You'll receive a grade for each part, and at the end you can compare the two.

After taking the test, let us know your opinions about and insights from it by going to The Forum to discuss your results and those of others. Just follow the link at the end of the test, or go to The Forum by clicking here.
