FISMA's future may lie in State Department security model
FISMA re-working is increasingly likely
- By William Jackson
- Mar 03, 2010
SAN FRANCISCO — Agencies spend an estimated 10 percent of their information technology budgets to comply with the Federal Information Security Management Act (FISMA), and Congress is beginning to question the return on that $8 billion annual investment.
“Are we getting what we pay for?” asked Erik Hopkins, a staff member on the Senate Homeland Security and Governmental Affairs Committee. The consensus of a panel at the RSA Security Conference Wednesday was no.
“The law is a bad law,” said Alan Paller, director of research for the SANS Institute.
“There is no longer any debate about what needs to be done,” said Bruce Brody, chief executive officer of New Cyber Partners. The needed end-state is continuous monitoring of systems and real-time evaluation of security status, as opposed to the annual snapshots required under FISMA.
A number of cybersecurity bills are pending in the House and Senate, and it is likely that FISMA eventually will be replaced, but when is difficult to say. For now, the economy, health care reform and upcoming midterm elections are higher priorities, Hopkins said.
Meanwhile, the State Department is an example of what can be done to improve operational security under FISMA and with current resources. Chief Information Security Officer John Streufert outlined results achieved over the last two years in moving from the paperwork of compliance to real-time operational security.
With a program of continuous monitoring, distributed responsibility for IT security and a focus on critical controls and vulnerabilities, the department has significantly improved its security posture while lowering the cost, Streufert said.
The number of high-risk security vulnerabilities was reduced by 90 percent from July 2008 to July 2009 and the cost of certifying and accrediting IT systems required under FISMA was cut by 62 percent by continuously updating security data.
The department changed its policies to put responsibility for security status in the hands of local officials who have direct control of systems, and applied scanning tools that use the Consensus Audit Guidelines of critical security controls. They perform scans every two to 15 days rather than every three years, and each of the department’s 260 embassies and 40 domestic offices is regularly scored on its security posture and assigned a grade every 36 hours on a scale of A+ to F-.
By scoring each site and making local administrators responsible for security status, the department has been able to use a broader workforce than the dedicated IT security staff, Streufert said. Focusing on a set of critical controls allows work to be prioritized and done more cost effectively.
“Most people agree on the destination of continuous monitoring,” Streufert said. “The question is what road do we take and who is going to pay for it.” He said the greater efficiency of automating security scans can free up money for development of needed scripts and tools.
Brody said the job can be started with existing tools and scripts that are available from the State Department. The challenge is not the tools, but the people, he said.
“It’s not hard to do from a management and technology standpoint,” he said. “It is hard to do in some agencies from a cultural standpoint.”
William Jackson is a freelance writer and the author of the CyberEye blog.