The FISMA Secret October 29, 2009
Of the $6.2* billion that the Federal government spent on cyber defense in 2008, it spent some $1.31 billion on FISMA Certification and Accreditation (C&A) paperwork.

* OMB’s Fiscal Year 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002: http://www.whitehouse.gov/omb/assets/reports/fy2008_fisma.pdf
** Average across the three FISMA system categories’ C&A costs applied to the population of “not categorized” systems to monetize the dangling element.
Is the cost of FISMA in line with its value? (Survey responses: 73% / 27%)

CISOs say:
“There is no correlation between money spent to meet FISMA compliance and improvements in an agency’s security posture.”
“While FISMA has provided us great insight into system vulnerabilities, there is little money left over to actually fix anything.”

* Study based on a survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs.
Could we reinvest these funds in a proactive versus paper approach to better secure America? (Survey responses: 9% / 91%)

CISOs say:
“Many of the same vulnerabilities appear in multiple systems/applications. A more proactive approach would be to reinvest these funds in enterprise-wide solutions as opposed to a system-by-system approach.”
“Yes. Using a risk management approach, which means assessing risk and applying the majority of funding to mitigate against those risks that can ‘hurt’ the most.”

* Study based on a survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs.
Federal CISOs: What do you recommend?

“Take a more risk-based approach that looks at what the actual vulnerabilities/threats are that exist and use the money to address these specifically rather than produce volumes of documentation of test results that don’t necessarily help us improve our security. FISMA should spend more time making sure the activities in question are actually being performed, as opposed to just confirming that the paperwork exists.”
“Use a risk management approach to security – investing in innovation and technologies that mitigate what we know about future attack vectors.”
“We need to move away from paperwork and toward actual demonstration of security. We always joke that FISMA compliance is nothing but a stack of paperwork.”
“We need to figure out a better way to relate investment to security, which we’re not currently doing. We’re analyzing compliance, not risk, which is not the right path.”
Thank You
Steve O’Keeffe
(703) 883-9000 ext. 111
sokeeffe@meritalk.com