Federal Agencies using newer and even stricter standards
According to a report done by the Office of Management and Budget on compliance to the Federal Information Security Management act or FISMA, the majority of federal agencies meet the minimum standard in adherence to FISMA – the main regulatory guideline for cyber security practices and standards in the federal government.
The FISMA implementation report for the 2008 fiscal year reported 92% compliance among all federal agencies scoring satisfactory or higher.
Many had tested backup plans and security checks, citing 84% of agencies having effective cyber security plans.
Gov agencies adapting stricter standards
However, despite good adherence to the federal best practices list, the landscape of cyber security keeps changing and federal agencies may still need to keep up with the changing pace.
The United States Computer Emergency Readiness Team (US-CERT) has already received reports of 18,050 cyber security attacks from various federal government agencies in 2008, three times the number from 2006.
However, even just following standards and protocols can prove to be difficult for agencies, with the FISMA laying out numerous different specifications and regulations for them to follow.
FISMA also requires agencies to keep a record of all their information systems and rank them according to potential risks.
They also need to prepare contingency plans and train staff to handle information security incidents and report them to the authorities.
They are also required by the FISMA to conduct regular risk assessment and to verify and accredit their cyber security processes.
To compound the agencies problems, more cyber security legislation are on the way from Congress.
Among these is the nearly-complete Comprehensive National Cyber Security Initiative (CNCSI), a project under progress since the Bush administration.
A 16-month-old directive in the making, the CNCSI has been shrouded in so much misery that details about it are few and far between. It is supposedly a government solution for implementing best practices across the government.
However not even those implementing FISMA nor the government agencies that are supposed to follow CNCSI know much about the upcoming initiative.
Experts worry however that the CNCSI may serve to limit agencies when it comes to dealing with individual threats.
They worry that extremely specific and far-reaching technology mandates may prove to cripple the agencies, as individual cases may require very unique responses and tools required to deal with the threat.