1 / 6

The FISMA Secret

The FISMA Secret. October 29, 2009. Of the $6.2* billion that the Federal government spent on cyber defense in 2008, it spent some $1.31 billion  on FISMA Certification and Accreditation (C&A) paperwork. .

rana-england
Download Presentation

The FISMA Secret

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The FISMA Secret October 29, 2009

  2. Of the $6.2* billion that the Federal government spent on cyber defense in 2008, it spent some $1.31 billion on FISMA Certification and Accreditation (C&A) paperwork.  *OMB’s Fiscal Year 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002:http://www.whitehouse.gov/omb/assets/reports/fy2008_fisma.pdf **Average across the three FISMA system categories’ C&A costs applied to the population of “not categorized” systems to monetize the dangling element.  2

  3. Is the cost of FISMA in line with its value? 73% 27% CISOs Say: “There is no correlation between money spent to meet FISMA compliance and improvements in an agency’s security posture.” “While FISMA has provided us great insight into system vulnerabilities, there is little money left over to actually fix anything.” * Study based on survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs

  4. Could we reinvest these funds in a proactive versus paper approach to better secure America? 9% 91% CISOs Say: “Many of the same vulnerabilities appear in multiple systems/applications. A more proactive approach would be to reinvest these funds in enterprise-wide solutions as opposed to a system-by-system approach.” “Yes. Using a risk management approach, which means assessing risk and applying the majority of funding to mitigate against those risks that can ‘hurt’ the most.” * Study based on survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs

  5. Federal CISOs: What do you recommend? “Take a more risk-based approach that looks at what the actual vulnerabilities/threats are that exist and use the money to address these specifically rather than produce volumes of documentation of test results that don’t necessarily help us improve our security. FISMA should spend more time making sure the activities in question are actually being performed, as opposed to just confirming that the paperwork exists.” “Use a risk management approach to security – investing in innovation and technologies that mitigate what we know about future attack vectors.” “We need to move away from paperwork and toward actual demonstration of security. We always joke that FISMA compliance is nothing but a stack of paperwork.” “We need to figure out a better way to relate investment to security, which we’re not currently doing. We’re analyzing compliance, not risk, which is not the right path.”

  6. Thank You Steve O’Keeffe (703) 883-9000 ext. 111 sokeeffe@meritalk.com

More Related