Second Federal CISO Study Reveals Concerns

CISOs concerned over wireless security standards and software quality


Ashburn, VA – Intelligent Decisions, one of the fastest growing systems integrators in the Washington, D.C. metropolitan area, today announced the results of its second annual Federal Chief Information Security Officer (CISO) Study. Across the board, Federal CISOs ranked increasing software quality assurance as the number-one area on which the private sector needs to focus, pointing directly to continuing major issues with software quality. The study highlights network compromise, patch management, and FISMA compliance among the major concerns that keep Federal CISOs up at night.

Intelligent Decisions' second annual Federal CISO Study, based on telephone interviews and online surveys with 29 Federal agency CISOs from civilian and defense agencies of all sizes, follows the first annual empirical survey of these executives, released in November 2004. The goal of the second study was to measure progress against the results of the first study and to capture a better understanding of the Federal CISO role, daily duties, budget, and management responsibilities. In addition to outlining current and future IT security priorities, trends, and concerns, the second study also queried Federal CISOs on issues relating to the security of their agency's wireless networks.

The second study reveals that Federal CISOs across the board are now spending 23 percent more time on FISMA compliance reporting than last year. Compared to the first study, Federal CISOs controlling more than $10 million in annual information technology (IT) expenditures are now devoting 48 percent more time to FISMA compliance reporting, while Federal CISOs controlling less than $500,000 are devoting 13 percent more time to these activities. This suggests that since the first study, the Federal CISOs at large agencies have become just as challenged as Federal CISOs at small agencies to carry out the strategic security management functions FISMA intended.

Federal CISOs also identified the expanding use of wireless networks and mobile devices as the number one trend anticipated to increase momentum over the next year. The study highlights unauthorized wireless access points, preventing unauthorized wireless deployments, and rogue WiFi devices among the major wireless security concerns that keep Federal CISOs up at night.

Yet, despite these and other concerns, 54 percent of Federal CISOs at agencies that maintain wireless networks indicated their agency has not implemented the four basic wireless security controls recommended in Special Publication 800-48 by the National Institute of Standards and Technology (NIST). These controls include: comprehensive policies on the implementation and use of wireless networks, configuration requirements for deployment of wireless security tools, monitoring programs to ensure policy compliance, and wireless security policy training for employees and contractors.

This finding suggests that the absence of clear, mandatory controls has led to a FISMA disconnect on wireless security, with many Federal agencies failing to ensure that proper controls were in place before rolling out wireless networks. To address the scattered implementation of these four basic controls, NIST plans to release revised wireless security guidelines for comment in September. These revised guidelines will form the basis for a new mandatory Federal Information Processing Standard (FIPS). Once issued, the new FIPS will mandate the adoption of these basic controls, among other standards, and will have a major impact on an agency's IT investment and FISMA compliance obligations.