The annual Federal Information Security Modernization Act (FISMA) report was delivered to Congress in May and contained encouraging news. The report, tracking agencies' ability to meet the guidelines set forth in FISMA, showed that there were 8% fewer cybersecurity incidents across government in fiscal year 2019. Additionally, the report showed that 73 agencies meet the highest FISMA rating, up from 62 in 2018.
All of this improvement comes at a time when more attacks are being carried out against agencies and those attacks are becoming more and more sophisticated. The government's ability to stay ahead of the growing set of attack vectors can be attributed to compliance with federal regulations and mandates, including the Continuous Diagnostics and Mitigation program and the National Cybersecurity Protection System.
Additionally, a focus on educating federal employees about spear phishing, the practice of sending emails that look like they are coming from a known or trusted sender to entice targeted individuals to reveal confidential information, has also paid off. The report showed that the U.S. Department of State, U.S. Department of Health and Human Services, and the U.S. Department of Commerce had the largest reduction in phishing-related security incidents via email. Fittingly, the Department of Education earned a proverbial gold star, reporting zero phishing incidents. The department attributed this success to employing "increasingly complex phishing scenarios" to improve spam filtering and implementing anti-phishing policies with its email provider.
The ninth Federal Information Technology Acquisition Reform Act (FITARA) Scorecard, released in December, showed promising progress in meeting goals and in holding agencies accountable for their modernization efforts. For the first time, three different agencies earned an "A" or higher. The General Services Administration and Department of Education both received an "A+" and The United States Agency for International Development got an "A." This scorecard was the only time a failing grade was not handed out. Overall, agencies have upped their scores from a "D" average on the first scorecard in 2015 to a current "C+" average.
Scores are not the only thing that has increased. What is being measured has also grown. The first scorecard only measured four areas -- data center consolidation, IT portfolio review savings, incremental development, and risk assessment transparency. The latest version has nine subcategories that include measuring progress against recently enacted legislation.
Big gains in scores were found in regard to compliance with the MEGABYTE Act, legislation that aims to improve the way agencies manage their software licenses. Gains were also found in giving CIOs more authority. In fact, the reporting found that 22 agencies had permanent CIOs, two had acting CIOs, and, of those, 16 reported directly to leadership.
Progress on data center consolidation also continues, though not without controversy. Rep. Gerry Connolly (D-Va.) voiced concern with the Office of Management and Budget's latest guidance on data center consolidation that changes the language to "optimization" and not "consolidation." He argued that consolidation is what frees up capital and drives cost savings, an area where agencies still struggle.