FISMA metrics beef up active cybersecurity monitoring

10 June 2011

The Department of Homeland Security has released Federal Information Security Management Act (FISMA) implementation metrics for civilian federal agencies that focus on automating information system monitoring and security controls.

This year, the FISMA metrics are moving away from checklist compliance with the law and toward more active cybersecurity measures and continuous monitoring of networks.

As the FISMA document explains, “the intent is to gather information on best practices and agency implementation status beyond minimal requirements.”

The document contains a series of questions and requests for information related to federal information security systems. For example, under continuous monitoring, the document asks: “What percentage of data from the following potential data feeds [e.g., vulnerability scans] are being monitored at appropriate frequencies and levels in the agency?” and “To what extent is the data collected, correlated, and being used to drive action to reduce risks?”

Alan Paller, director of research for the SANS Institute, called the FISMA metrics “a huge improvement” that should “result in rapid risk reduction and potentially allow the government to lead by example in showing how to manage cybersecurity effectively.”

Paller told InformationWeek that this is the “first time [the government has] included effectiveness measures and a major focus on the 20 critical controls, so it saves agencies millions of dollars by enabling them to use the money on what matters most. That means radically better security.”
