iPad “waived” through FISMA

As warnings circulate about taking care before introducing new technology, such as the Skype Android warning, Molly Walker reports that iPads are falling into the hands of the United States Agency for International Development (USAID).

It’s “hard to dot all the Is and cross all the Ts,” [Jerry Horton, chief information officer at USAID] said, admitting that not all USAID networked devices are formally certified and accredited under the Federal Information Security Management Act. “We are not DHS. We are not DoD,” he said.

FISMA stands for the Federal Information Security Management Act of 2002. It requires agencies of the US government to certify and accredit (C&A) their information systems against minimum security requirements and then report the results to the Office of Management and Budget (OMB). The OMB reviews this data and provides an annual compliance report to Congress. FISMA itself is a law, but its implementation rests on controls and guidelines developed by the National Institute of Standards and Technology (NIST) that are recommendations rather than requirements.

USAID, which says it aims to promote freedom, security and opportunity, has moved from a FISMA grade of F in 2002 to an A+ in 2009. During the same period of review “the number of government FTEs whose duties are primarily security related” at USAID was so small it barely even registered on the OMB graph (see far right column, page 12 of the 2009 FISMA report).
