CYBEREYE—Commentary

William Jackson | How about a little love for FISMA?

Federal Information Security Management Act has its faults, but no one seems to mention the good it has done

The Federal Information Security Management Act is an ambitious law that attempts to codify basic principles for securing information systems without specifying technologies. As a new administration and Congress look at ways to improve information technology security, there are calls for revamping or replacing the law, which seldom gets credit for what it has accomplished.

“There are a lot of things in the act that are foundational,” said Matthew Scholl, supervisor for the National Institute of Standards and Technology's management and assistance group. For example, the law established agency chief information security officers and set requirements for maintaining an IT security program and an incident response capability, testing and monitoring of systems, and assessing risk. “These are all givens now, but they were codified in FISMA,” Scholl said.

On the other hand, the law also receives blame for things that have nothing to do with it, such as the FISMA score cards handed out annually by Congress. “They are not FISMA at all,” Scholl said.

The most damning criticism is that FISMA has not improved the government’s IT security. But that is not an easy call to make.

“The metrics are difficult,” Scholl said, but he does not believe they support the condemnation of FISMA. Consider two complicating factors since the law was enacted in December 2002: Agencies have rushed to move government information and resources online while, at the same time, online threats have become more sophisticated. By many standards government IT security remains inadequate, but “I don’t know where we would be if we hadn’t had” FISMA, he said.

This is not to say FISMA can’t be improved. But when you consider technological and security changes during the past seven years, the law has done a good job of laying stable foundations for IT security. Since FISMA was written, IT security has moved from firewalls and intrusion detection systems focused on protecting a network perimeter to an environment of mobile and wireless devices that has all but eliminated the perimeter and moved the focus to data security. But because the law focuses on management practices rather than technology, its requirements are still appropriate today, even if they are not completely adequate. That is not a bad record.

FISMA’s management practices often are dismissed as paperwork drills and checkbox security. And it is true that an agency could comply with FISMA without improving security. But it also is true that an agency in compliance should find it easier to take the next steps to bolster its defenses.

No one would argue that FISMA is perfect. But as Congress revisits the legislation, FISMA deserves credit for what it has accomplished.

“There is nothing wrong with going on to the next level,” Scholl said. “But I really think the legislation did a lot to improve the situation.”

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Jun 1, 2009 Anonymous Washington DC

I don't care what anyone says, FISMA has provided and continues to provide the foundation for good security. The issue is not with the law but with those responsible for adhering to it. The biggest problem is that we do not have enough enforcement, which allows senior-level staff to make claims of compliance without being validated, thus making it a paper drill.

While there is obviously room for improvement in the NIST guidance, if agencies were to actually implement the controls outlined in the Special Publications provided by NIST, we would be in much better shape than we are. Think about it: the vast majority of cyber threats (present and future) could be successfully defended against if passwords and other authentication credentials were managed correctly and computers were patched in a timely fashion. These and other simple concepts can improve our cyber security immensely, yet they remain so hard to enforce. It doesn’t matter what the laws say; if you are not willing to aggressively enforce these and other equally simple security controls, then the paper drill syndrome will continue to prevail.

Mon, Jun 1, 2009 Fed Security Guy

Agree that overall, FISMA has been a positive step in the right direction. My complaint is that it has turned into a huge, never-ending paperwork exercise, based on guidance developed by a bunch of folks at NIST who have lost touch with the realities of day-to-day IT systems operations in the government. They need to step out of the academic and research mode and put themselves into the shoes of the staff who get stuck trying to implement their pubs. NIST should try "eating your own dog food" in an operational, real-world environment, and not in the pristine lab and academic/research environment.

Mon, Jun 1, 2009 FISMAguy

Good article -- FISMA has accomplished a lot. A lot of the current criticism is politically motivated, and based in ignorance of what existed pre-FISMA.

Fri, May 29, 2009 Tyler Compton Newport News, VA

In particular, it should be recognized that just the existence of FISMA resulted in agencies building and maintaining an inventory of their IT systems, which amazingly wasn't happening in many agencies before FISMA's introduction. That step alone ensures that FISMA has improved the security posture of nearly every agency.
