Wyatt Kash | The Measure of FISMA

Editor's Desk commentary: FISMA has the right intentions. It just needs better measures

PCI is not the answer to FISMA

While I agree with Mr. Kash that the formal way to measure FISMA should be changed, I disagree with the notion of moving to another security model such as PCI. Just ask Hannaford Bros. Co., which recently had its data breached. They were required to subscribe to PCI and were found to be in compliance just last month. However, over 4.2 million credit and debit cards were exposed between December 2007 and March of this year.

While security is the issue, the burden of managing our information systems is the real root of the problem. What we need is an overhaul of how we think about and manage our ever-increasing amount of electronic data and interconnected information systems. I don't know an agency or a private organization that doesn't struggle with this very real problem.

Instead of worrying about how many systems are accredited and certified (which I contend, if they were truly certified and accredited, they would be secured), we should be more concerned with how our information systems are designed, implemented, and managed. Maybe we should take a hard look at the groups managing these systems to ensure that they truly have the skills and knowledge to manage the keys to all our kingdoms, our data.


Jorgen T. Lazo

Federal Reserve Board of Governors

Washington

Wyatt Kash

Rick Steele

As might have been expected, the Office of Management and Budget's annual Federal Information Security Management Act report to Congress earlier this month drew the usual criticism despite apparent improvements in information security and privacy practices.

FISMA, as most of our readers know, requires each agency to protect the government's information, operations and assets. That includes documenting and implementing procedures for detecting, reporting and responding to security incidents.

The FISMA report is one of those federal exercises critics love to hate. The primary complaint: Too much energy goes into documenting compliance and too little goes to protecting information.

The root of the criticism, and the issue facing critics and proponents alike, lies in what FISMA measures.

For instance, the latest report shows that among 10,304 systems at 25 major federal agencies, 92 percent have been certified and accredited, and 95 percent have been tested for security, up from 47 percent and 60 percent respectively on 7,957 systems five years ago. At face value, that's an impressive increase.

Unfortunately, so is the quadrupling of security incidents from two years ago, to 12,986. The FISMA report takes pains to credit improved awareness and reporting practices. But the truth is, the number of actual security attacks on and breaches in agency systems is substantially higher than what's reported and growing daily.

What's wrong with both sets of figures is that neither measures the ingredients of security effectiveness.

That's partly because of the way FISMA is worded. But even guidelines from the National Institute of Standards and Technology lack the specificity to attack the problem.

That's why it's time to reassess what FISMA should measure.

One model worth considering: the audit guide used by the payment card industry. Those measures won't thwart every security problem, but they do focus on core ingredients: Maintain a firewall configuration to protect data; don't use vendor-supplied defaults for system passwords and other security parameters; protect stored data; encrypt transmission of cardholder data and sensitive information across public networks; use and regularly update antivirus software; restrict physical and logical access to cardholder data; assign a unique identifier to each person with computer access; track and monitor all access to network resources and cardholder data; and regularly test security systems and processes. That is just part of what gets measured.
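The difference between counting certifications and measuring the ingredients of security is easiest to see over an actual inventory. The script below is an added example, not code from the column or from GCN: every host record and the default-credential list are constructed, and the eight checks are simplified stand-ins for the payment-card audit items listed above. It computes the accreditation rate the annual report headlines beside per-control pass rates, and lists the accredited systems that still fail a control.

```python
"""Measuring control effectiveness instead of counting accreditations.

Added illustration, not code from the GCN column. Every host record and
the default-credential list below are constructed samples, and the
eight checks are simplified stand-ins for the payment-card audit items
the column lists.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

# Constructed list of factory credentials; a real audit would use the
# vendor's published defaults for each product in the inventory.
VENDOR_DEFAULTS = {("admin", "admin"), ("root", "password"), ("admin", "")}

# Fixed reference date so the age calculations are deterministic.
TODAY = date(2008, 3, 31)


@dataclass
class HostRecord:
    name: str
    accredited: bool                      # the C&A checkbox the FISMA report counts
    firewall_rules: List[str]             # inbound allow rules; empty means no policy
    accounts: List[Tuple[str, str, int]]  # (username, password, people sharing it)
    stored_data_encrypted: bool
    public_transfers_tls: bool            # sensitive data crosses public nets only under TLS
    av_signature_age_days: int
    access_logging_enabled: bool
    last_security_test: date


# Each check answers one audit question with a yes/no that can be verified
# on the system itself rather than in the accreditation binder.
CONTROLS: Dict[str, Callable[[HostRecord], bool]] = {
    "firewall configuration":
        lambda h: bool(h.firewall_rules) and "any:any" not in h.firewall_rules,
    "no vendor-supplied defaults":
        lambda h: not any((u, p) in VENDOR_DEFAULTS for u, p, _ in h.accounts),
    "stored data protected":
        lambda h: h.stored_data_encrypted,
    "encrypt transmission on public networks":
        lambda h: h.public_transfers_tls,
    "antivirus current":
        lambda h: h.av_signature_age_days <= 7,
    "unique identifier per person":
        lambda h: all(shared == 1 for _, _, shared in h.accounts),
    "access tracked and monitored":
        lambda h: h.access_logging_enabled,
    "security tested within a year":
        lambda h: (TODAY - h.last_security_test).days <= 365,
}


def _passes_all(h: HostRecord) -> bool:
    return all(check(h) for check in CONTROLS.values())


def accreditation_rate(hosts: List[HostRecord]) -> float:
    """The figure the annual report headlines: share of systems with C&A."""
    return sum(h.accredited for h in hosts) / len(hosts)


def control_pass_rates(hosts: List[HostRecord]) -> Dict[str, float]:
    """Share of systems passing each individual control."""
    return {name: sum(check(h) for h in hosts) / len(hosts)
            for name, check in CONTROLS.items()}


def fully_effective_rate(hosts: List[HostRecord]) -> float:
    """Share of systems passing every control at once."""
    return sum(_passes_all(h) for h in hosts) / len(hosts)


def accredited_but_ineffective(hosts: List[HostRecord]) -> List[str]:
    """Systems the report counts as accredited that fail at least one control."""
    return [h.name for h in hosts if h.accredited and not _passes_all(h)]


# Constructed inventory of four systems (not any real agency's data).
SAMPLE_HOSTS = [
    HostRecord("payroll-db", True, ["tcp/1433 from 10.0.0.0/8"], [("dba", "S3cure!9x", 1)],
               True, True, 2, True, date(2007, 11, 1)),
    HostRecord("web-portal", True, ["any:any"], [("admin", "admin", 1)],
               False, False, 30, False, date(2006, 1, 15)),
    HostRecord("file-share", True, ["tcp/445 from 10.0.0.0/8"], [("ops", "Xk9!longpass", 4)],
               True, False, 3, True, date(2008, 1, 10)),
    HostRecord("lab-box", False, ["tcp/22 from 10.1.0.0/16"], [("dev", "Qw7#pass", 1)],
               True, True, 1, True, date(2008, 2, 20)),
]

if __name__ == "__main__":
    print(f"accredited: {accreditation_rate(SAMPLE_HOSTS):.0%}")
    print(f"passing every control: {fully_effective_rate(SAMPLE_HOSTS):.0%}")
    for name, rate in control_pass_rates(SAMPLE_HOSTS).items():
        print(f"  {name}: {rate:.0%}")
    print("accredited but ineffective:", accredited_but_ineffective(SAMPLE_HOSTS))
```

On the constructed inventory the accreditation rate reads 75 percent while only half the systems pass every control, and one unaccredited system is the one in the best shape; the per-control rates point at the specific weak ingredients (shared accounts, cleartext transfers, stale signatures) that a certification count hides.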

FISMA has the right intentions. It just needs better measures.

About the Author

Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.
