Wyatt Kash | The Measure of FISMA
Editor's Desk commentary: FISMA has the right intentions. It just needs better measures

Wyatt Kash
Rick Steele
As might have been expected, the Office of Management and Budget's annual Federal Information Security Management Act report to Congress earlier this month drew the usual criticism despite apparent improvements in information security and privacy practices.
FISMA, as most of our readers know, requires each agency to protect the government's information, operations and assets. That includes documenting and implementing procedures for detecting, reporting and responding to security incidents.
The FISMA report is one of those federal exercises critics love to hate. The primary complaint: Too much energy goes into documenting compliance and too little goes to protecting information.
The root of the criticism, and the issue facing critics and proponents alike, lies in what FISMA measures.
For instance, the latest report shows that among 10,304 systems at 25 major federal agencies, 92 percent have been certified and accredited, and 95 percent have been tested for security, up from 47 percent and 60 percent respectively on 7,957 systems five years ago. At face value, that's an impressive increase.
Unfortunately, so is the quadrupling of security incidents from two years ago, to 12,986. The FISMA report takes pains to credit improved awareness and reporting practices. But the truth is, the number of actual security attacks on and breaches in agency systems is substantially higher than what's reported and growing daily.
What's wrong with both sets of figures is that neither measures the ingredients of security effectiveness.
That's partly because of the way FISMA is worded. But even guidelines from the National Institute of Standards and Technology lack the specificity to attack the problem.
That's why it's time to reassess what FISMA should measure.
One model worth considering: the audit guide used by the payment card industry. Those measures won't thwart every security problem, but they do focus on core ingredients: Maintain a firewall configuration to protect data; don't use vendor-supplied defaults for system passwords and other security parameters; protect stored data; encrypt transmission of cardholder data and sensitive information across public networks; use and regularly update antivirus software; restrict physical and logical access to cardholder data; assign a unique identifier to each person with computer access; track and monitor all access to network resources and cardholder data; and regularly test security systems and processes. That is just part of what gets measured.
FISMA has the right intentions. It just needs better measures.