According to Kundra, “[W]e can’t simply make this an exercise in federal agency reporting, that is why we started this blog. We want to hear from you about what works and what doesn’t with the site. Is there a more innovative approach that an investment should consider? Does the contract data look incorrect to you? Is there an application that we should add? This is a site to serve you, and to do that, we need to hear from you.”

The Federal IT Dashboard, http://it.usaspending.gov tracks U.S. government spending on information technology and the progress of various IT projects.

Researchers from Carnegie Melon University have found that Social Security numbers can be guessed based on easy to access information, such as individual’s birthday and the town in which they were born.

Social Security  uses the same formula for all of the numbers, the first three numbers are based on the zip code on the application, the forth and fifth are based on regional numbers that change slowly over several years, and the last four are assigned in sequential order. In the study, researchers used these commonly known facts about the Social Security numbers combined with the public “DeathMaster file” to guess SSNs. They were able to guess the first 5 numbers 40 percent of the time and all 9 numbers 8.5 percent of the time, in less than 1000 tries.

The numbers were even more accurate for people who have been born more recently, as the Enumeration at Birth Initiative of 1989 encouraged parents to sign their children up at birth. It was also easier to guess numbers in less populated states.

One of the Carnegie Melon researchers, Alessandro Acquisti stated, “Our work shows that Social Security numbers are compromised as authentication devices because if they are predictable from public data, then they can not be considered sensitive.”

Vish Sankaran, Director of the Federal Health Architecture for the Office of the National Coordinator, called FISMA “a showstopper for us.”

Under FISMA regulations, private-sector healthcare would have to meet FISMA standards before receiving information from the National Health Information Network (NHIN). Government officials are looking to the Office of Management and Budget to set lower guidelines that would allow private-sector providers to exchange information with federal agencies without full adoption of FISMA.

Julie Boughn, the CIO for the Center for Medicaid Services (CMS), believes that health providers should have strict FISMA-like standards because it is a good business practice, yet she does not want government agencies to be stuck with the job of certifying all of the companies. She thinks that they should set their own standards, similar to the way that online stores set theirs.

Boughn said “we should be doing this because if the public would lose confidence in us, then we would set this goal of electronic health records back,” but she also believes that “scaling FISMA oversight to millions of healthcare providers would be a daunting and expensive challenge.”

What officials are calling for is some sort of compromise between the two sets of regulations. Sankaran has suggested a “HIPAA-plus” or “FISMA-lite” set of standards that would create a realistic system for certifying private healthcare providers. HIPAA, which was designed for hospitals and doctors before the electronic age, has only 101 security controls while FISMA has 171 controls.

The Government Accountablitity Office has written a letter, to the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee, proposing changes to the Federal Information Security Management Act of 2002. They believe that the changes would decrease the amount of risk involved in federal information security.

The GAO has proposed that although FISMA has sound risk-management principles, the testing, reporting, and oversight requirements need to be more specific. They also believe that Congress should require Agency heads to give written guarantees that their information security programs are effective.

 FISMA was designed to provide a standardized way of securing government information technology resources but in the last three years security incidents have tripled and at least 20 of 24 government agencies have weak information system programs and security controls.

According to the letter, “Clarifying or strengthening FISMA and its implementing guidance for determining the frequency, depth and breadth of security control tests and evaluations could help agencies better assess the effectiveness of the controls protecting the information and systems supporting their programs, operations and assets.”

In their letter GAO suggested the following changes:

• Developing a national strategy that clearly articulates strategic objectives, goals and priorities.
• Establishing White House leadership on the issue.
• Publicizing and raising awareness about the seriousness of the cybersecurity problem.
• Focusing more efforts on prioritizing assets, assessing vulnerabilities and reducing them than on developing additional plans.
• Bolstering public/private partnerships through an improved value proposition and use of incentives.
• Focusing greater attention on addressing the global aspects of cyberspace.
• Placing greater emphasis on cybersecurity research and development, including how to better coordinate government and private-sector efforts.
• Increasing the cadre of cybersecurity professionals.