Grafvision - Fotolia

What effect does FITARA have on U.S. government cybersecurity?

FITARA became a law in 2014, but government cybersecurity continues to struggle. Expert Mike O. Villegas discusses the effects of the law.

The Federal Information Technology Acquisition Reform Act became a law in 2014, in an attempt to boost technology projects in the U.S. government, but not much has been said about it. What does FITARA entail, and what effect might it have on cybersecurity in the U.S. government?

The Federal Information Technology Acquisition Reform Act, or FITARA, was signed into law in December 2014. The act requires that the heads of many government agencies ensure their respective CIO has a significant role in all information technology decisions. This includes cybersecurity, and is especially important in light of recent government agency breaches, such as in the Office of Personnel Management and at the Federal Deposit Insurance Corporation.

However, FITARA hasn't eliminated cybersecurity issues from federal agencies. For example, a recent report from the Office of the Inspector General titled "Evaluation of DHS' Information Security Program for Fiscal Year 2015" showed that the Department of Homeland Security numerous security vulnerabilities, such as missing security patches, components with weak passwords, internal websites susceptible to XSS and cross-frame attacks, SQL injections, configuration vulnerabilities, a lack of required specialized training for privileged users, remote access issues, insufficient monitoring, and not testing contingency plans. There are other issues, as well. However, it is sufficient to state that cybersecurity in the federal government is sorely wanting.

FITARA is not a mandate for the CIO to procure cybersecurity tools or protection measures, and the allocation of these purchases is clearly at the CIO's discretion. But, if this apparent void is not addressed, and breaches continue in government agencies, the CIO for each affected agency will have many people to answer to, including the head of each agency.

Can FITARA have an effect on cybersecurity in the U.S. government? Clearly, yes. The act was designed to move agencies and departments to a more efficient system for new technology purchases, while moving away from outdated legacy products, which can certainly benefit cybersecurity. To what extent and how effective it will be is looked upon with great anticipation.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn more about important government security issues

Find out if the U.S. government needs a federal CISO

Check out information about Rule 41 changes

Dig Deeper on Security operations and management