FISMA Grades and Funding – Declared Ineligible

May 07, 2007

Data and Information Security | Identity Management Solutions | IT Leadership

I’m simply amazed that federal agencies continue to average below a passing grade on their annual FISMA scores. Any student knows that anything below a 2.0 (C) means you do not pass and are not eligible to compete in sports or other extracurricular activities. 

We should do the same with federal agencies until they not only receive a passing grade but do so for two consecutive grading periods (you know, the way auditors require an agency to demonstrate the relative maturity of its program: repeatable, defined, managed). No federal agency can spend on any new initiatives until its security grade is brought up to acceptable standards, a minimum 2.0. Funding levels increase as grades increase. Yes, that means you too, DHS. Your three-year running grade is now a dismal 0.33, with an improved rating this year to a D after two consecutive F years. Bluto Blutarsky, you are not.

Real ID is back in the news again with states starting to push back on the creation of national IDs. The most disturbing thing for me is that each state must agree to share its motor vehicle database with all other states. This database must include, at a minimum, all the data printed on the state drivers’ licenses and ID cards, plus drivers’ histories (including motor vehicle violations, suspensions, and points on licenses).

Any state that does not link its database, containing records on all drivers and ID holders, to the database of the other states loses its federal funding. As a parent I understand the mentality of forced compliance.

Since most federal agencies (including DHS, which drove this initiative) do not have passing FISMA grades, they too should be subjected to the loss of federal funding, or at least reduced funding. A bit of a catch-22, since they need the funding to improve their security posture and overall grade, but maybe they get the funding under extreme scrutiny, forcing them to move to the head of the class with an A. I don’t know anyone who rewards a student for getting a D. It is hard to get behind or look up to the country’s lead security agency when it can’t get its own study habits together.

Before DHS forces states to link DMV databases, why not ensure the databases are capable of supporting such a connection; have unnecessary sensitive data removed from the databases; classify the data and ensure safeguards are applied at inception and stay with the data until destruction; stop using sensitive data in test and development; ensure a secure structure is in place for the transmission of this data; and actually have a plan ensuring security is considered throughout the SDLC of this project? It sure looks like security is once again taking a bolt-on, after-the-fact, back seat to another IT initiative.

DHS should be declared ineligible for any Real ID consideration until their grades are brought up (do I hear summa cum laude anyone?). Sorry, you’re grounded.