William Jackson | How about a little love for FISMA?
Federal Information Security Management Act has its faults, but no one seems to mention the good it has done
The Federal Information Security Management Act is an ambitious law that attempts to codify basic principles for securing information systems without specifying technologies. As a new administration and Congress look at ways to improve information technology security, there are calls for revamping or replacing the law, which seldom gets credit for what it has accomplished.
“There are a lot of things in the act that are foundational,” said Matthew Scholl, supervisor for the National Institute of Standards and Technology's management and assistance group. For example, the law established agency chief information security officers and set requirements for maintaining an IT security program and an incident response capability, testing and monitoring of systems, and assessing risk. “These are all givens now, but they were codified in FISMA,” Scholl said.
On the other hand, the law also receives blame for things that have nothing to do with it, such as the FISMA score cards handed out annually by Congress. “They are not FISMA at all,” Scholl said.
The most damning criticism is that FISMA has not improved the government’s IT security. But that is not an easy call to make.
“The metrics are difficult,” Scholl said, but he does not believe they support the condemnation of FISMA. Consider two complicating factors since the law was enacted in December 2002: Agencies have rushed to move government information and resources online while, at the same time, online threats have become more sophisticated. By many standards, government IT security remains inadequate, but “I don’t know where we would be if we hadn’t had” FISMA, he said.
This is not to say FISMA can’t be improved. But when you consider technological and security changes during the past seven years, the law has done a good job of laying stable foundations for IT security. Since FISMA was written, IT security has moved from firewalls and intrusion detection systems focused on protecting a network perimeter to an environment of mobile and wireless devices that has all but eliminated the perimeter and moved the focus to data security. But because the law focuses on management practices rather than technology, its requirements are still appropriate today, even if they are not completely adequate. That is not a bad record.
FISMA’s management practices often are dismissed as paperwork drills and checkbox security. And it is true that an agency could comply with FISMA without improving security. But it also is true that an agency in compliance should find it easier to take the next steps to bolster its defenses.
No one would argue that FISMA is perfect. But as Congress revisits the legislation, FISMA deserves credit for what it has accomplished.
“There is nothing wrong with going on to the next level,” Scholl said. “But I really think the legislation did a lot to improve the situation.”