Survey finds increased FISMA reporting demands

Chief information security officers are busy with reporting demands to comply with federal information security laws.

Results from a survey of federal chief information security officers to be released today indicate growing concerns about software quality and increased reporting demands to comply with federal information security laws.

The survey found that federal CISOs spend an average of 3.75 hours a day, or 23 percent more time than a year ago, on various security reporting activities required under the Federal Information Security Management Act (FISMA) of 2002.

A desire to have software vendors improve the quality of their code ranked as a top concern of the 29 federal CISOs who participated in the study. Intelligent Decisions, a systems integration company, conducted the research.

“People have dealt with systems administration security and the network security pretty well,” said Roy Stephan, cybersecurity director at Intelligent Decisions. “They’re moving on to the next great challenge, which is the code itself. They’re learning more about how exploits work.”

Exploits that take advantage of buffer overflows and other flaws in poorly written software can leave database and Web servers insecure even when the surrounding network is well defended. Better software code could make a big difference in addressing the concerns of federal information security executives, Stephan said.

Intelligent Decisions also reported that federal CISOs expect three trends to gain momentum within the next year: expanded use of wireless networks, deployment of multifactor authentication and increased spending on database security.

Meanwhile, survey participants named as their top three security concerns the threat of network attacks, software patch management and FISMA compliance.

Despite concerns about network attacks, officials in more than half of the agencies that reported having wireless networks said they do not have basic security controls on those networks.