The May 2018 Federal Information Technology Acquisition Reform Act (FITARA) scorecard reported dismal cybersecurity preparedness for U.S. federal agencies. FITARA now includes a metric for grading agency cybersecurity postures, tied to the Federal Information Security Management Act (FISMA).
Of the 23 agencies:
9 — Failed (grade F)
9 — Received a D
5 — Earned a C, the highest grade achieved by any agency
The report also indicated that federal IT systems are increasingly obsolete, running outdated software and hardware. In at least one case, an agency was using systems over 50 years old.
There is significant room for improvement. Until then, the U.S. federal infrastructure and services are at significant risk from digital attacks.
The upside is that cybersecurity postures are now being measured consistently and reported. It is tough to make headway if decent metrics do not exist. Quantifying the problem is a step in the right direction.
Watch the Congressional Committee on Oversight & Government Reform hearing, in which the Subcommittee on Information Technology and the Subcommittee on Government Operations announce and discuss the latest results:
Ego Beyond Reality
It is easy to believe your organization is doing well if there are no credible audit results to the contrary. The FITARA report card should help federal agencies understand where they truly stand.
For example, it is tough to reconcile how the Department of Homeland Security wants to train businesses on cybersecurity, yet scores so poorly itself. On the latest FITARA scorecard, DHS received a D for cybersecurity.
A realistic understanding of the landscape and threats is necessary to properly manage risk. Knowing your deficiencies is essential to success.
The May 2018 FITARA 6.0 Scorecard can be found here: https://oversight.house.gov/wp-content/uploads/2018/05/OGR-Scorecard-6.0-v2.pdf
Interested in more? Follow me on your favorite social sites for insights and what is going on in cybersecurity: LinkedIn, Twitter (@Matt_Rosenquist), YouTube, Information Security Strategy blog, Medium, and Steemit