Cybereye | Time to focus on security, not compliance
"FISMA compliance does not necessarily mean improved security, but improving security can lead to FISMA compliance." William Jackson
It is hard to avoid the conclusion that the Federal Information Security Management Act is not working.
I am not a big fan of the A-through-F report cards handed out each year by the House Government Reform Committee, because they are not very meaningful indicators either of FISMA compliance or of actual IT security posture.
But after a five-year drumbeat of Ds and Fs, it's hard to argue that much real progress is being made.
In the latest report card handed out last month, eight departments, including some of the largest and most sensitive, received failing grades. Although seven departments and agencies received an A, the government as a whole has managed in five years to struggle up to a D+ in IT security.
Either FISMA is an effective tool and accurate indicator of security, in which case government clearly is failing to implement it, or it's not a meaningful indicator, in which case it is a paper drill that consumes resources without telling us anything we need to know.
Bruce Brody, vice president of information security for Input Inc. in Reston, Va., leans toward the paper drill explanation, although he calls FISMA a good start.
'The legislation was the most important awareness tool that any security practitioner could get,' he said. But it focuses on paperwork.
Still, he said, 'it is possible to improve FISMA.' To do so requires focusing on technology and empowering agency CIOs to really enforce its requirements.
As it is, FISMA is just another bureaucratic rule, Brody said. 'When you're in the executive branch doing this work, you dread another process you have to comply with.'
The Agency for International Development, which received its second FISMA A+ this year, has found a way around this.
'We tried to get out of the compliance game and get into a risk-based operation,' said USAID chief information security officer Philip M. Heneghan. 'We drove a lot of the decision-making to the system owners. My office has become a policy and measurement office reporting regularly to the executives.'
The executives are not told what to do. 'They're told, "Here's your security posture." ' Their motivation is to improve security.
So does a good FISMA grade mean good security? 'No,' Heneghan said flatly. 'But I would go out on a limb and say we have excellent security.'
In other words, FISMA compliance does not necessarily mean improved security, but improving security can lead to FISMA compliance.
An added benefit of this approach is that it is cheaper to let compliance follow security than to try to achieve both separately.
'It wasn't that many years ago (in 2002) that we had an F,' Heneghan said. Fixing security seemed impossible at the time, given his budget. 'If you are in a compliance mode, it is undoable. But with a risk management approach, we can make it doable,' by moving the work to the people with the budget.
'I didn't need to get more resources,' Heneghan said. 'I just started reporting to the people' who had the resources for their own systems.
Tying responsibility to budget is an important step toward getting any job done, because in federal agencies, money speaks. Your job is to do what Congress gives you money to do. If you don't get the money, it's not your job.
William Jackson is a GCN senior writer. E-mail him at firstname.lastname@example.org.