Questions raised about FISMA effectiveness

Published 16 March 2006

In 2002 the Federal Information Security Management Act (FISMA) was passed, making it mandatory for civilian agencies to manage the security of their information systems. The Office of Management and Budget (OMB), through its President’s Management Agenda assessments, gives these agencies a quarterly scorecard on their FISMA compliance, and Congress issues a similar scorecard once a year. These scores attract much attention in Washington. Attention or not, skepticism has been growing about FISMA as a result of the manner in which OMB has chosen to guide the Act’s execution at civilian agencies. “FISMA compliance does not necessarily mean you’re secure. It means you’ve put together a lot of documentation,” Bruce Brody told Govexec.com. Brody recently left his security position at the Energy Department to become vice president at INPUT, a Reston, Virginia-based government market analysis firm. A key compliance element is certification and accreditation (C&A): at least once every three years, an agency assesses each information system’s security controls against the risk the system poses and formally authorizes its continued operation.

Critics charge that going through a C&A is often more expensive than it should be. Including the Defense Department, but not the intelligence agencies, the federal government spent $5.1 billion on cybersecurity during fiscal 2005, according to OMB. Much of that money is wasted on cookie-cutter C&A paper reports, says Alan Paller, director of research at the Bethesda, Maryland-based SANS Institute, a nonprofit cybersecurity research organization. “We’re blowing 90 percent of the money,” he says, money that is then unavailable for measures that actually harden networks.

-read more in David Perera’s very detailed Govexec.com report