The Federal Information Technology Acquisition Reform Act became a law in 2014, in an attempt to boost technology projects in the U.S. government, but not much has been said about it. What does FITARA entail, and what effect might it have on cybersecurity in the U.S. government?
The Federal Information Technology Acquisition Reform Act, or FITARA, was signed into law in December 2014. The act requires that the heads of many government agencies ensure their respective CIO has a significant role in all information technology decisions. This includes cybersecurity, and is especially important in light of recent government agency breaches, such as in the Office of Personnel Management and at the Federal Deposit Insurance Corporation.
However, FITARA hasn't eliminated cybersecurity issues from federal agencies. For example, a recent report from the Office of the Inspector General titled "Evaluation of DHS' Information Security Program for Fiscal Year 2015" showed that the Department of Homeland Security had numerous security vulnerabilities, such as missing security patches, components with weak passwords, internal websites susceptible to XSS and cross-frame attacks, SQL injections, configuration vulnerabilities, a lack of required specialized training for privileged users, remote access issues, insufficient monitoring, and not testing contingency plans. There are other issues, as well. However, it is sufficient to state that cybersecurity in the federal government is sorely wanting.
FITARA is not a mandate for the CIO to procure cybersecurity tools or protection measures, and the allocation of these purchases is clearly at the CIO's discretion. But, if this apparent void is not addressed, and breaches continue in government agencies, the CIO for each affected agency will have many people to answer to, including the head of each agency.
Can FITARA have an effect on cybersecurity in the U.S. government? Clearly, yes. The act was designed to move agencies and departments to a more efficient system for new technology purchases, while moving away from outdated legacy products, which can certainly benefit cybersecurity. To what extent and how effective it will be is looked upon with great anticipation.