CYBEREYE

FISMA: A good idea whose time never came

Overly broad requirements prevented the law from reaching its full potential

A funny thing happened with the Federal Information Security Management Act of 2002. Critics complain that the law has created a “culture of compliance” in which administrators focus on paperwork rather than results. But in spite of this culture, agencies have not achieved real security.

“An underlying cause for information security weaknesses identified at federal agencies is that [the agencies] have not yet fully or effectively implemented key elements of an agencywide information security program, as required by FISMA,” the Government Accountability Office’s Gregory Wilshusen recently told a House subcommittee.

After seven years of progress and congressional report cards, 21 of 24 major agencies reported significant weaknesses in information system controls in 2009, Wilshusen said.

If we can’t achieve compliance with a culture of compliance, where did we go wrong?

Even most of its critics give FISMA credit for good intentions. It is an effort to bring some order out of the chaos of IT security by requiring a standardized, auditable and repeatable approach to managing information security. Nothing in FISMA is inherently bad, although there is much that is not good enough. The three-year cycle for certifying and accrediting systems and the annual snapshots of security status are woefully inadequate. But FISMA’s real failure is that it overreaches. It focuses on comprehensive procedures rather than results, which has created what former Air Force Chief Information Officer John Gilligan called a “scatter shot” approach to security. By requiring everything, it achieved nothing. Or at least not enough.

For a subject as complex and rapidly evolving as information security in an arena as diverse as the federal government, the less specific a regulation is the more effective it is likely to be. The drafters of FISMA realized this when they made that law technology neutral. It does not specify what tools or products to use and allows administrators to select controls appropriate to the level of risk presented by a system. But it still focuses on the systems and controls rather than the results desired and requires broad application rather than focused attention.

One department has reported significant success in improving its information security posture by prioritizing its defenses and continuously monitoring the status of systems, and then holding administrators responsible for their condition. State Department Chief Information Security Officer John Streufert has reported that overall risk on the department’s key unclassified network has been reduced by about 90 percent.

It is notable that Streufert said the risk scoring and continuous monitoring have supplemented FISMA compliance, not replaced it. The State Department’s experience shows that while the law might not be adequate for achieving better security, it need not inhibit it. Although FISMA apparently is not the answer to information security, it is not necessarily the problem.

Still, why keep FISMA if it is not working? There is a growing consensus that the law should be fixed and possibly jettisoned completely. But let’s not ignore the law’s strengths.

Streufert called FISMA “game changing,” pointing out that “the establishment of a holistic information security program and the responsibility of accounting to oversight entities, including Congress, served as a valuable check in determining the health of an agency’s information security program.” It is unlikely that State would have been successful in implementing and monitoring key security controls in its information systems if it had not had an accurate inventory of those systems, one of the first requirements of FISMA.

Some rewriting of FISMA is needed and is likely to occur. A number of bills addressing cybersecurity are now pending in both houses of Congress. Whatever form the new legislation takes, it should incorporate the holistic strengths of FISMA as well as correct its weaknesses.

Reader Comments

Fri, Apr 6, 2012 RJH USA

FISMA, when the DoD put a push on FISMA metrics for annual security testing, I saw all that was in it and then of course the 111 IA controls that were listed. Overnight, many bases were reporting compliance. I looked at all of the work that would go into being compliant and thought, as I looked at the others reporting compliance...Yeah...sure they're compliant. No way, not that fast. Senior management is more concerned with a little green box rather than a red one on a stoplight chart for their metrics. If no one is really going to confirm if a base is truly compliant, what is keeping people from just plain old fudging the numbers? FISMA may be good in concept, but it needs someone to check real compliance if we're going to use tax dollars to push it.

Mon, Apr 5, 2010 Papa_K

I have been following the new FISMA changes before they occurred. Back almost 5 years ago when Alan Pallard started his Hate FISMA campaign he really never provided much else except that FISMA was not IT Security and that compliance and audits were not worth the paper they were written on. When confronted with how does one keep accountability he would just say something deep like 'if you use FISMA for IT security, that's not security, I feel sorry for you.' But many of us in IT security were not using FISMA as a way to keep our systems secure. Most of us would look at FISMA as a starting point and move the bar from there. NIST was a good area to begin to form your policy around. The Cobit. I know my manager still has a subscription to this anti-FISMA mail list which he sends to me on occasion. It's as if Alan has given people the justification not to implement IT security because it doesn't exist. And nothing is better than something. Personally I think Alan has lost his marbles and needs to go back to neverland to retrieve them. I think he's only looking to put his name on this bill so he can add it to SANS' long list of accomplishments. The new FISMA will require continuous monitoring by using a tool like Cyberscope, annual audits and stricter compliance. And all done cheaper than the 38 million spent over 6 years. There is a recommendation in this bill that a new agency be created to oversee the Government's IT security. There will be changes to the criteria set forth within FISMA compliance and then finally there will be those annual audits. I think the problem is in what StrangeLoop says. It's not FISMA, it's that the people don't understand the basic fundamental of how to implement IT security at its very basic level and look at requirements or standards as a checklist. Do I have a sign-in sheet? Check, with no more validation or authorization than that. How will a sign-in sheet make us secure? Or internal controls set up by the owner and authorized by the owner. Only an idiot wouldn't realize this is going to make you more secure. It's required by the standards so we set it up. I've been in the security business for 20 years and things haven't changed. We still have fools running the insane asylum. And my two cents about the certifications. FISMA didn't require the certifications, standardization did. And people who commit to becoming certified want to do a better job. Not everyone, but 80% of those who go after certifications are qualified and do a better job and should be paid a premium. Those who don't should stay where they are.

Fri, Apr 2, 2010 StrangeLoop

The weakness is not with FISMA - it authorizes/enables the move toward system security. The weakness is in those that lack the commitment to follow through on its good intent: those that do just enough to get by. The same will be true of any new legislation. Those that now have the stage get to posture and spend other people's money, and act important. Any individuals that really DO the work will most likely never be recognized.

Thu, Apr 1, 2010 Curtis WA

Here's another weakness of FISMA. It's forced everyone in the IA world to put concentrated effort into obtaining commercial certifications, OR LOSE THEIR JOB. So instead of concentrating on DOING their jobs they concentrate on becoming legally qualified to do their jobs. In many ways FISMA is a distraction, and in this way causes the vulnerabilities it pretends to eliminate.

Thu, Apr 1, 2010 Linden Clark Colorado

I’ve worked for the government in IT for over 20 years. Although FISMA isn’t perfect, it’s a good way of tracking who indicates they are compliant. The problem is, in order for FISMA to work, the reporters to the system need to be knowledgeable of what they are reporting and honest enough to report what is really happening. What I have seen is people reporting things that either don’t meet the requirements because they don’t understand the requirements, or justifying what they are reporting as compliant even though it is not.
