Tom Olzak

The DoD still doesn’t get it

In FISMA Audit, Government on March 11, 2009 at 07:28

The U.S. Office of Management and Budget (OMB) released the 2008 FISMA grades for Federal agencies. FISMA contains the regulatory requirements for protecting information and critical systems managed by government agencies. I was pleasantly surprised.

All but one agency received a grade of Satisfactory or better, including Health and Human Services. The HHS rating is interesting because, although it has consistently received poor or failing FISMA grades over the past several years, it is responsible for enforcing HIPAA. For those of you who don't have to protect health care information, HIPAA contains pages of standards and guidelines with which those of us protecting patient information had to comply several years ago. The only dark cloud in this FISMA report hovered over the Department of Defense.

We commonly put security controls in perspective at the office by commenting that we aren't protecting national defense secrets. This perspective allows us to back off on controls that would put too many restrictions on business users. Apparently the DoD has a different approach: "We DO protect national defense secrets, but we don't really have the time to worry about it..." You see, they were the only agency in the report with a failing grade.

Among the DoD's shortcomings cited in the report:

  • No accurate inventory of critical systems
  • No agency-wide configuration policy
  • No documented incident response and reporting process
  • Security training and awareness "rarely" ensured for "…all employees, including contractors with significant IT security responsibilities."

There's more, but you get the idea. Not only does the DoD fail to protect national defense secrets like they're… well… national defense secrets; it simply doesn't follow basic security practices.

In the future I'll have to find another way to give my analysts perspective. In general, I want them to protect our information better than the DoD protects its critical systems and defense data.

  1. Hi Tom
    Just a couple of corrections. This is the OMB annual report; they work for the White House. GAO works for Congress and will issue their own report soon enough.

    The report cards are issued by the House Committee on Government Oversight and Reform headed by Henry Waxman.
