Kundra, GAO eager to plug FISMA-IT security gap
New tools for measuring agencies' IT security being considered to make FISMA more effective
Federal CIO Vivek Kundra is spearheading an effort to update agency-reporting requirements under the Federal Information Security Management Act and to streamline the process by replacing spreadsheets with an online database.
The security metrics used by agencies to measure compliance with security regulations are outdated, Kundra wrote in a letter to the Government Accountability Office.
“While these metrics may have made sense when FISMA was enacted [in 2002], they are largely compliance based. They are trailing, rather than leading, indicators,” Kundra wrote. “We need metrics that give insight into agencies’ security postures and possible vulnerabilities on an ongoing basis.”
Kundra’s statement came in response to the findings of a GAO report detailing major gaps that persist between reported FISMA compliance and actual information security status.
“Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies,” despite reported progress by agencies, GAO said in its annual report to Congress on government information security. Inadequate security controls were reported as material weaknesses at 20 of 24 major agencies in fiscal 2008, and information security remains a high-risk area, according to GAO.
FISMA is the primary regulatory tool for federal information security, requiring implementation of risk-based security programs and regular assessments of their effectiveness. But despite seven years of effort, most agencies are still struggling both to meet FISMA reporting requirements and to implement adequate security controls on IT systems and networks that are constantly growing more complex while being targeted by increasingly sophisticated attacks. The most recent GAO report included a familiar litany of security weaknesses and lapses, and noted that security incidents reported by agencies to the U.S. Computer Emergency Readiness Team (US-CERT) increased from 5,503 in fiscal 2006 to 16,843 in fiscal 2008.
GAO faulted both the FISMA reporting process and agencies’ lack of adequate programs.
“The current reporting process does not produce information to accurately gauge the effectiveness of federal information-security activities,” GAO said.
At the same time, “an underlying cause for information-security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented agencywide information-security programs,” GAO said. Twenty-three of 24 major agencies examined by GAO had not fully implemented programs. “Until agencies fully and effectively implement information-security programs and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at an increased and unnecessary risk of attack or compromise.”
The hundreds of recommendations cited by GAO illustrate the scope of the challenge facing agency chief information officers and information technology administrators in bringing security up to grade. But GAO did identify a series of government initiatives intended to improve IT security. These include the 60-day cyber review conducted earlier this year, the Comprehensive National Cybersecurity Initiative from last year, the Office of Management and Budget’s Information Systems Security Line of Business initiative, the Federal Desktop Core Configuration for Microsoft operating systems, the SmartBUY procurement program, and the Trusted Internet Connections Initiative.
GAO recommended that OMB update and clarify its FISMA reporting instructions to agencies, include more detail in its reports to Congress, and begin using its authority to disapprove information-security programs that do not meet requirements.
Kundra disagreed with GAO’s contention that OMB is not using its authority to review and disapprove programs. “OMB reviews all agency and IG FISMA reports annually,” he wrote. “For the major agencies, OMB also receives and reviews quarterly information on their security programs. OMB uses this information, and other reporting, to evaluate agencies’ security management programs. Concerns are communicated directly to the agencies.”
GAO also included in its report the results of a meeting of security experts held in March on how to improve national cybersecurity. The experts, who included former federal officials, academics and private-sector executives, recommended 12 improvements they consider essential to strengthening the nation’s cybersecurity strategy and posture:
- Develop a national strategy that clearly articulates strategic objectives, goals and priorities.
- Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.
- Establish a governance structure for strategy implementation.
- Publicize and raise awareness about the seriousness of the cybersecurity problem.
- Create an accountable, operational cybersecurity organization.
- Focus more actions on prioritizing assets and functions, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.
- Bolster public/private partnerships through an improved value proposition and use of incentives.
- Focus greater attention on addressing the global aspects of cyberspace.
- Improve law enforcement efforts to address malicious activities in cyberspace.
- Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private-sector efforts.
- Increase the cadre of cybersecurity professionals.
- Make the federal government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.