FISMA's future may lie in State Department security model

FISMA re-working is increasingly likely

SAN FRANCISCO — Agencies spend an estimated 10 percent of their information technology budgets to comply with the Federal Information Security Management Act (FISMA), and Congress is beginning to question the return on that $8 billion annual investment.

“Are we getting what we pay for?” asked Erik Hopkins, a staff member on the Senate Homeland Security and Governmental Affairs Committee. The consensus of opinion of a panel at the RSA Security Conference Wednesday was no.

“The law is a bad law,” said Alan Paller, director of research for the SANS Institute.

“There is no longer any debate about what needs to be done,” said Bruce Brody, chief executive officer of New Cyber Partners. The needed end state is continuous monitoring of systems and real-time evaluation of security status, as opposed to the annual snapshots required under FISMA.

A number of cybersecurity bills are pending in the House and Senate, and it is likely that FISMA eventually will be replaced, but when is difficult to say. For now, the economy, health care reform and upcoming midterm elections are higher priorities, Hopkins said.

Meanwhile, the State Department is an example of what can be done to improve operational security under FISMA and with current resources. Chief Information Security Officer John Streufert outlined results achieved over the last two years in moving from the paperwork of compliance to real-time operational security.

With a program of continuous monitoring, distributed responsibility for IT security and a focus on critical controls and vulnerabilities, the department has significantly improved its security posture while lowering the cost, Streufert said.

The number of high-risk security vulnerabilities was reduced by 90 percent from July 2008 to July 2009, and the cost of certifying and accrediting IT systems as required under FISMA was cut by 62 percent by continuously updating security data.

The department changed its policies to put responsibility for security status in the hands of local officials who have direct control of systems, and to apply scanning tools that use the Consensus Audit Guidelines of critical security controls. Scans are performed every two to 15 days rather than every three years, and each of the department’s 260 embassies and 40 domestic offices is regularly scored on its security posture and assigned a grade every 36 hours on a scale of A+ to F-.

By scoring each site and making local administrators responsible for security status, the department has been able to draw on a broader workforce than the dedicated IT security staff, Streufert said. Focusing on a set of critical controls allows work to be prioritized and done more cost-effectively.

“Most people agree on the destination of continuous monitoring,” Streufert said. “The question is what road do we take and who is going to pay for it.” He said the greater efficiency of automating security scans can free up money for the development of needed scripts and tools.

Brody said the job can be started with existing tools and scripts that are available from the State Department. The challenge is not the tools, but the people, he said.

“It’s not hard to do from a management and technology standpoint,” he said. “It is hard to do in some agencies from a cultural standpoint.”

Reader Comments

Fri, Mar 5, 2010

StrangeLoop is spot on. You must implement continuous monitoring and risk assessment (as mandated by FISMA/NIST/OMB). FISMA isn't broken; agencies haven't implemented it properly due to weak security programs. See the comments section of this doc: http://gcn.com/articles/2009/07/30/commentary-isc2-continuous-monitoring.aspx and also Kwon here: http://www.nextgov.com/nextgov/ng_20091125_4727.php?oref=rss If OMB wants to fix the problem, update A-130 to include continuous monitoring requirements AND have the IGs funded to audit and enforce.

Thu, Mar 4, 2010 StrangeLoop

I wonder if Paller has ever actually read FISMA - or if he just says what he thinks will get his name in print. There is nothing in FISMA to keep anyone from continuous monitoring (the latest NIST documents, in fact, increasingly refer to using it), or any other measure. And the only thing 'annual' about it is reporting progress to OMB. As the article points out, State seems to have figured it out: what is most needed is an organizational commitment to doing the right thing, rather than doing only what they get 'checked up' on.
