Officials eye 50-percent mark on cyber compliance

The most progress has been made in handling personnel security and identifying who is accessing various IT systems.

HERNDON, Va. -- A survey of information technology officials found that most expect to be 50 percent compliant with federal cyber-security guidelines within the next year.

Government agencies report that most progress has been made in dealing with personnel security and identifying who is accessing various technology systems.

The biggest challenge has been configuring software, hardware and other features for security and certifying that the systems meet federal standards. Nearly a quarter of respondents said they expect to be less than 50 percent compliant with those standards in the next year.

The biggest issue occupying federal IT professionals is data loss due to security breaches.

The independent research company Market Connections also asked about the obstacles to better security at federal agencies. The top answer was budgets, followed by other projects getting a higher priority.

"Linking budget to performance has become more important as they roll out solutions," said Aaron Heffron, vice president of Market Connections. "Overall, folks are feeling more secure than two years ago, but they realize their job is not done. They're spending more time on compliance issues and security issues."

Heffron said there is also a trend for agencies to keep security matters in-house, whether due to budget or trust factors, and that places "a real burden on internal agency staff."

He said challenges vying for the staffers' time include compliance with the Federal Information Security Management Act, which sets the cyber-security guidelines, and meeting the Homeland Security Department directive to develop security access cards for federal buildings and databases.

Of those federal IT professionals involved in FISMA, nearly half reported spending at least 25 percent of their time on compliance. "It's a matter of priority setting," Heffron said. "Different agencies are setting different priorities."

The survey is a follow-up to one Cisco Systems funded in November 2005. At that time, 50 percent of those surveyed said they expected to be compliant with FISMA by this time. Even then, before this year's series of highly publicized data losses by the Veterans Affairs Department and others, the loss of employee data was ranked among the top concerns of federal IT officials.

"For federal IT managers, the question is no longer 'if' they can meet their security requirements, it is 'how,' and that makes security a much more manageable challenge," said Gerald Charles, executive adviser for Cisco's Internet business unit. "They also believe that software automation, integrated and embedded in their infrastructures, will provide them the tools they need."

Heffron said the biggest change from the survey last year was that agencies have moved from planning to implementing security solutions.