Cybersecurity Balancing Act
Government IT pros struggle to meet mandates as computer system threats keep growing.

Most federal agencies get passing marks for meeting the Federal Information Security Management Act, the primary regulation dictating cybersecurity practices in the federal government. Even so, the ground rules for cybersecurity keep changing, and federal systems are anything but bulletproof.
The Office of Management and Budget's FISMA implementation report for fiscal 2008 gave 92% of major agencies satisfactory or better grades for the quality of their certification and accreditation processes. It noted high percentages of inventoried systems and systems with tested contingency plans and security controls, and said 84% of major agencies had "effective" cybersecurity plans.
That's the good news. The other side of it is that threats to government computer systems are more worrisome than ever. Federal agencies reported to the U.S. Computer Emergency Readiness Team (US-CERT) that they experienced 18,050 cybersecurity attacks in fiscal 2008, triple the number from 2006. "Terabytes of data are being exfiltrated out of government networks," warns Greg Garcia, assistant secretary of cybersecurity and communications at the Department of Homeland Security under President George W. Bush.
Government security pros find themselves having to comply with myriad specifications and regulations, compounding the challenges of getting it right. A diagram that used to hang on the wall at the Defense Information Systems Agency detailing every agency with authority over cybersecurity "looked like a bowl of spaghetti," says Vic Maconachy, former director of the National Security Agency's cybersecurity education and training program.
Mandates Galore
Passed in 2002, FISMA requires every federal agency to inventory its information systems, categorize them according to risk, carry out contingency planning and risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.
The White House, meanwhile, is carrying out a cybersecurity review, due any day, and new cybersecurity bills are being introduced in Congress. What's more, the government likely will begin releasing over the next few months more details of the still-classified Comprehensive National Cyber Security Initiative created under Bush.
"There's a high level of interest in cybersecurity, and that's a good thing, but for the implementers in the agencies, it can be a bit confusing with all the things being proposed," says Matt Scholl, who oversees several government-wide cybersecurity programs, including FISMA implementation, as security management and assurance group manager at the National Institute of Standards and Technology.
As part of the Comprehensive National Cyber Security Initiative, a multibillion-dollar program introduced 16 months ago, the government hopes to create and enforce security best practices and technology guidance that can be implemented across agencies. First, though, the government has to lay out the program in more detail. "One of the problems with the development of the Cyber Initiative is that it was over-classified, and we couldn't proactively share with the public and the Congress, so there remains a dearth of useful information about it," says Garcia.
Among the Comprehensive National Cyber Security Initiative's requirements is implementation of intrusion-detection and -prevention systems. According to a recent InformationWeek survey of 309 government IT professionals, 65% plan to increase use of intrusion detection over the next year. "The private-sector capabilities are very sophisticated now. There's no reason every department and agency shouldn't be using them," says Rod Beckstrom, until recently director of the National Cyber Security Center at the Department of Homeland Security.
Scholl warns, however, that further mandates shouldn't be too far-reaching in mandating specific technologies, given how different various agencies are. "We have wide and unique use cases that really must be considered," he says.