Has FISMA improved IT security?

It is safe to say we are better off than we would have been without it

The Federal Information Security Management Act is going on seven years old now and is due for a tune-up. Critics and advocates alike say the act, which focuses on process rather than technology, needs to move beyond a list of compliance check-offs to a more operational focus on risk management.

So the big question right now is, has FISMA made us more secure? It depends on your perspective.

Art Coviello, president, RSA, The Security Division of EMC, answered recently with an unequivocal “no.” It is not due to a lack of effort, he said, but the defenders of government information systems have not kept pace with the increased sophistication of their adversaries or the growing number of vectors for delivering attacks. He is optimistic about the future of IT security but said that the openness of our systems that has increased productivity also has increased risk.

Laura Taylor, CEO of Relevant Technologies and author of the “FISMA Certification and Accreditation Handbook,” disagrees.

“Government security is most definitely better than it was five years ago,” she said to GCN. “I say this from experience. I have been a government security consultant for five years and I have seen numerous improvements and many vulnerabilities mitigated.”

The difficulty in measuring security is that you are essentially trying to prove a negative. If you do it right, nothing happens. Security usually is evident only in hindsight, and then by its absence. There also is the difficulty of deciding what kind of a scale to use in measuring security. In an environment where the threats are multiplying and changing as quickly as they are in IT security, there is an awful lot to be said for just holding your ground. Maybe the team that manages to keep its systems as secure today as they were five years ago deserves a lot of credit for not losing ground.

This is why FISMA has focused so much on procedural compliance. You can measure compliance a lot more easily than security.

The right question to ask about FISMA is: Are we better off today than we would have been without it? The answer to that is an unequivocal yes, I believe.

As I have said before, FISMA compliance does not equal security and security does not equal compliance; but FISMA compliance can be an essential tool in managing IT risk in a systematic, repeatable way. The act might need some updating, but that it has remained relevant for seven years in such a rapidly changing world is a testament to the wisdom of focusing first on basic processes such as building an inventory of assets, assessing impact and risk levels and certifying and accrediting systems.

Another industry executive, Core Security Technologies' vice president of security awareness Tom Kellermann, has called FISMA a good first step. The standards and specifications produced by the National Institute of Standards and Technology under the act “have been transformational,” he said.

The IT community is expecting an increased focus on cyber security in the new administration, and it is likely that we will see a FISMA II from the next Congress. But despite the continuing challenges to the nation’s and the world’s IT systems, let’s acknowledge that the original FISMA has laid important groundwork for building a systematic process for managing risk and improving security.
