The next version of FISMA

Published 12 December 2008

The first version of the Federal Information Security Act (FISMA) of 2002 placed much emphasis on auditing and reporting; it is time to move beyond checking compliance boxes and concentrate on making sure that the security of government departments is not compromised.

The Federal Information Security Act (FISMA) of 2002 caused many government entities to show concern over cybersecurity — concern that was not much in evidence earlier. FISMA was enacted as part of the E-Government Act of 2002. It outlines a set of mandatory compliance processes for information systems used by or on behalf of the U.S. federal government.

Beta News’s Angela Gunn writes that security is a good thing, but FISMA’s initial emphasis on compliance should now give way to an emphasis on real security. FISMA, as is the case with other federal programs, created lots of paperwork. By focusing on security reports and the auditing thereof rather than on actual security measures — compliance, in other words, not performance — “FISMA made it easy for federal CISOs to quantify their work in a way the bureaucracy at large could understand,” Gunn writes. “Rather than trying to demonstrate that their systems prevented X number of attacks or deflected Y number of intrusions… departments could demonstrate that they’d reached their proper level of FISMA compliance — or tried, anyway — and thereby justify their various budgets,” she adds. Visibility for cybersecurity increased, and Congress issued a widely publicized “report card” on the various agencies’ compliance scores every year.

Yes, something is better than nothing, but it is high time for FISMA to move past its first incarnation and into an era when actual performance is measured and evaluated. “In other words, it shouldn’t be enough to check the compliance boxes; you have to actually not have your department getting pawned,” Gunn argues.

The Senate’s Homeland Security and Governmental Affairs Committee considered and approved an updated FISMA (S.3474, the FISMA Act of 2008) near the end of the session that ended in October. That bill is scheduled to appear on the next legislative calendar after the turn of the year. The bill refocuses CISO efforts on performance and risk management. Audits will still be part of the process — real, independent audits conducted annually, not the current “evaluations.”

Gunn notes that FISMA 2 has a friend — the Consensus Audit Guidelines project (CAG), an initiative developed by former Air Force CIO John Gilligan and co-developed by a number of the agencies that are affected by FISMA, including DHS, the NSA, and the GAO. Gilligan has spoken at length on the CAG project and its twenty proposed controls, and he describes the two most significant “missing ingredients” in the current FISMA as the lack of a structure for identifying effective attack-deterrent controls and the lack of a way to continuously measure whether those controls are working. The group’s hope is that the two projects can “dovetail” for maximum effectiveness.

“The most pressing task of all?” Gunn asks, and replies: “Finding the biggest holes and patching them first — simple and obvious procedure, genuine security payoff.”