Agencies want standards for assessing IT security
Flexible rules for measuring FISMA compliance leave some in the dark
OMB's Karen Evans says FISMA guidance is designed to give agencies flexibility, but agencies sometimes see that as ambiguity.
Henrik G. de Gyor
As agencies struggle to comply with the Federal Information Security Management Act, overseers are struggling with how to measure that compliance.
Vague requirements for FISMA reporting and a lack of standards for evaluating agency reports have raised questions about the accuracy of information sent to Congress.
'A more standardized approach is needed,' for evaluating FISMA reports, Frank Deffer, assistant inspector general at the Homeland Security Department, recently told a House committee.
Agencies report their FISMA progress annually to the Office of Management and Budget, which then reports to Congress. For the past five years, several House committees have issued annual report cards on progress under FISMA and its predecessor, the Government Information Security Reform Act.
Although the House Government Reform Committee rated the government's overall performance as only a D+ for fiscal 2004, OMB reported that progress continues to be made.
But testimony to the committee indicated that much of the progress could be illusory.
'There is limited assurance of the accuracy of the data reported,' said Gregory C. Wilshusen, director of information security issues for the Government Accountability Office.
Data reported by agencies is evaluated by each agency's inspector general, and OMB relies heavily on those evaluations in assessing progress. But there are no standards for the evaluations and little consistency. 'A commonly accepted framework for the annual reviews conducted by the IGs could help ensure the consistency and usefulness of their evaluations,' Wilshusen said.Certification and accreditation
A key metric for FISMA compliance is certification and accreditation of IT systems. The percentage of systems certified and accredited under FISMA in 24 major agencies rose to 77 percent in fiscal 2004, up from 62 percent the year before, according to OMB.
But seven IGs called their agencies' C&A processes poor, GAO found. And agencies reported that tested contingency plans were in place for only 57 percent of IT systems, a requirement for the C&A process.
'You need to question those statistics,' Wilshusen said. 'The results of these evaluations call into question the reliability and quality of the performance data reported by several agencies.'
Agency officials testifying before the committee supported standards for IG evaluations.
'There is a need for a standard audit framework for information security similar to that used in financial audits,' Deffer said.
An IG working group is formulating a framework for FISMA reviews. The President's Council on Integrity and Efficiency, which also maintains the Financial Audit Manual, is working with OMB and GAO to develop the standards.
Karen Evans, OMB's administrator for e-government and IT, gave cautious support for an IG evaluation framework, 'to the extent [it] would promote greater consistency.'
But in testifying before the Government Reform Committee, Evans drew the line at establishing a formal audit process for FISMA reports. FISMA allows IGs to either audit or simply evaluate FISMA reports. Audits have to meet government auditing standards, but evaluations do not.
'By requiring an evaluation but not an audit, FISMA intended to provide IGs flexibility as to the degree of cooperation with CIOs and program officials,' she said.
The U.S. Agency for International Development, which went from a grade of C- on the 2003 report card to an A+ in 2004, used an audit rather than an evaluation to analyze FISMA compliance. USAID's IG office spent 610 hours over three months performing the audit and also used other system audits within the agency.
'Our goal was to not only validate USAID's responses to OMB's questionnaire, but to also verify actions that USAID has taken to comply with FISMA,' said assistant IG Bruce N. Crandlemire. The extra step gave the agency a clear vision of where it stood on FISMA compliance, Crandlemire said.Guidance counselors
Each year OMB provides guidance for completing FISMA reports, and agencies say they want better guidance. What OMB calls flexible, for instance, agencies often see as vague.
Deffer said DHS has struggled with the definition of an IT 'system,' which under OMB guidelines can be anything from a single server to an entire network. That has hampered the department's efforts to inventory its IT systems, he said.
Evans said the deliberately ambiguous definition lets agencies identify each system based on its criticality and the risk it presents.
Crandlemire also said agencies need more time to respond to the annual OMB FISMA reporting questionnaire. In 2002, under GISRA, OMB issued its guidance 76 days before responses were due. In 2003 that response time shrank to 47 days, and in 2004 it was down to 44 days.
The recent hearing was part of a larger effort by the Government Reform Committee to fine-tune FISMA, said committee spokesman Drew Crockett.
Evans acknowledged that some fine-tuning of the reporting process might be needed but said FISMA itself did not need to be reworked.
'We believe FISMA is adequate in its current form,' she told the committee. 'We see no need at this time to revise it in any significant way. In fact, substantial revision could delay additional progress.'