Prescription for Faster FISMA Compliance

When the Federal Information Security Management Act (FISMA) was introduced in 2002, federal agencies began complying in the best way available at the time: deploying different "point" solutions for each of the functional controls defined by the National Institute of Standards and Technology (NIST). While this approach did improve security, results have fallen short of expectations for many agencies. Federal IT groups today struggle to manage and audit a diverse collection of security products as a single system, a challenge that escalates with each new product added. Now Cisco offers an integrated approach to network security that is more effective and helps federal agencies accelerate compliance with FISMA and other security regulations. In a Cisco Self-Defending Network, solution components work together and are managed as a cohesive system that is distributed across and embedded within the network infrastructure. The benefits: better security, less management overhead, and greatly simplified audit preparation.

Why Adopt an Integrated Approach to Information Security?

As the role of the IP network in delivering agency services expands, so, too, does the importance of information security. Recognizing this, the government has introduced a spate of security regulations such as FISMA, Department of Defense (DoD) Directive 8500, and Homeland Security Presidential Directive 12 (HSPD-12). To comply, agencies are adopting specified security practices and undergoing regular audits to assess the effectiveness of their tactics. Information security has improved since FISMA was introduced in 2002, but not as much as agencies might expect given the time and money they have invested. In a 2005 survey of federal agencies, no more than 35 percent of respondents said they would be fully compliant in any of the 17 areas of FISMA within 12 months, and nearly 25 percent said they would be less than 50 percent compliant in certification and configuration management (see Figure 1). In addition, the enormous effort required to manage security and prepare for annual security audits consumes IT resources that could otherwise be assigned to projects that further the agency's mission objectives.