Feds cram before 2005 FISMA scores arrive

Federal IT officials meet to learn how to develop the best IT security practices.

Top information technology officials from all over the federal government met Wednesday to bone up on best IT security practices.

Chief information officers, chief information security officers and inspectors general met to share tips on how to make federal information and information systems more secure, as required by law under the Federal Information Security Management Act (FISMA) of 2002. FISMA scores for the 2005 fiscal year are expected soon.

“We want to give them some actionable items they can use soon after their scores come out,” said Charles Havekost, CIO for the Department of Health and Human Services.

The Federal CIO Council sponsored the conference in Washington, D.C., to discuss how federal agencies can improve their FISMA scores.

“The goal is not to get a good grade,” said Karen Evans, OMB’s administrator of e-government and IT. “The goal is to secure our systems to protect our national assets. We’re asking you not just to crank out paperwork, but to produce results.”

Federal IT offices must work with their inspectors general to show that the offices are proactively managing risk and have created secure systems that are verifiable and trackable, Evans said.

All agencies must have continuity-of-operations plans and communications plans in case an incident happens, Evans said.

Agencies should also report any potential incident to the Homeland Security Department, which can analyze and coordinate enterprisewide responses throughout the federal government, Evans said.

Support from chief financial and acquisition officers as well as department chiefs is essential to improving FISMA scores, said Lisa Schlosser, CIO for the Department of Housing and Urban Development (HUD).

As CISO at the Transportation Department, Schlosser guided DOT from an “F” FISMA grade in the 2002 fiscal year to an “A-” in the 2004 fiscal year. She became HUD CIO six months ago.

CIOs and others responsible for IT must speak leaders’ language and frame their requests in terms of meeting business needs, Schlosser said. For instance, HUD must keep data on $500 billion in loan information safe and accessible, she said.

“When you start talking about half a trillion dollars, you get people’s attention,” Schlosser said.

IT shops should also look around the federal government for successful applications and practices to modify for their own use, Schlosser said. For example, DOT uses a program from the Environmental Protection Agency, called ASSERT, to automate FISMA testing, she said.

Federal agencies should include IT security requirements in their procurements to ensure that cybersecurity is already built into systems when they arrive, both Evans and Schlosser said.