Patches cause headaches for federal managers

Security managers in government agencies are most worried about patches and the poor quality of commercial software, a survey finds.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

Patching is the top concern of security managers in federal government, who feel that commercial software makers aren't putting out a good enough product, according to a survey published Monday.

Two of the other top worries were network compromises and compliance with the Federal Information Security Management Act (FISMA). The survey of information security managers at federal agencies was published by Intelligent Decisions, a federal system integrator based in Washington, D.C.

In addition, almost half of the respondents said that the most important thing the private sector could do would be to improve the quality assurance of software products.

The survey comes ahead of this year's annual Federal Computer Security report card, which assesses how well 24 government agencies have secured their systems.

Complying with the measures used in the assessment, as mandated by FISMA, is a major problem, said Gino Antonelli, vice president of sales for Intelligent Decisions. It's especially a headache for information security managers with a budget of less than $500,000, he said.

"The mandate has been seen as time-consuming," Antonelli said. "The fact is that managers don't have the resources, whether it is manpower or money."

More than 60 percent of federal agencies had information security budgets of less than $500,000, and managers there spent at least three hours a day, on average, on compliance requirements, the survey found.

The amount of time spent on compliance requirements, as opposed to strategic security planning, decreased as the overall budget increased. Managers with less than $500,000 to spend on security dedicated more than 45 percent of their time to compliance issues, while managers with budgets greater than $10 million spent 27 percent of their time on compliance reporting.

More than 85 percent of federal managers surveyed said that the introduction of commercial software for compliance reporting would ease their administrative burdens.

Firewalls, intrusion-prevention products and authentication systems topped the list of most important security software for networks. Surprisingly, biometric identification--mandated by a presidential directive--sat near the bottom of the list of technologies, with less than 10 percent of federal managers classifying it as important.