FISMA: A good idea whose time never came
Overly broad requirements prevented the law from reaching its full potential
A funny thing happened with the Federal Information Security Management Act of 2002. Critics complain that the law has created a “culture of compliance” in which administrators focus on paperwork rather than results. But in spite of this culture, agencies have not achieved real security.
“An underlying cause for information security weaknesses identified at federal agencies is that [the agencies] have not yet fully or effectively implemented key elements of an agencywide information security program, as required by FISMA,” the Government Accountability Office’s Gregory Wilshusen recently told a House subcommittee.
After seven years of progress and congressional report cards, 21 of 24 major agencies reported significant weaknesses in information system controls in 2009, Wilshusen said.
If we can’t achieve compliance with a culture of compliance, where did we go wrong?
Even most of its critics give FISMA credit for good intentions. It is an effort to bring some order out of the chaos of IT security by requiring a standardized, auditable and repeatable approach to managing information security. Nothing in FISMA is inherently bad, although there is much that is not good enough. The three-year cycle for certifying and accrediting systems and the annual snapshots of security status are woefully inadequate. But FISMA’s real failure is that it overreaches. It focuses on comprehensive procedures rather than results, which has created what former Air Force Chief Information Officer John Gilligan called a “scatter shot” approach to security. By requiring everything, it achieved nothing. Or at least not enough.
For a subject as complex and rapidly evolving as information security in an arena as diverse as the federal government, the less specific a regulation is the more effective it is likely to be. The drafters of FISMA realized this when they made that law technology neutral. It does not specify what tools or products to use and allows administrators to select controls appropriate to the level of risk presented by a system. But it still focuses on the systems and controls rather than the results desired and requires broad application rather than focused attention.
One department has reported significant success in improving its information security posture by prioritizing its defenses and continuously monitoring the status of systems, and then holding administrators responsible for their condition. State Department Chief Information Security Officer John Streufert has reported that overall risk on the department’s key unclassified network has been reduced by about 90 percent.
It is notable that Streufert said that the risk scoring and continuous monitoring has supplemented FISMA compliance, not replaced it. The State Department’s experience shows that while the law might not be adequate for achieving better security, it need not inhibit it. Although FISMA apparently is not the answer to information security, it is not necessarily the problem.
Still, why keep FISMA if it is not working? There is a growing consensus that the law should be fixed and possibly jettisoned completely. But let’s not ignore the law’s strengths.
Streufert called FISMA “game changing,” pointing out that “the establishment of a holistic information security program and the responsibility of accounting to oversight entities, including Congress, served as a valuable check in determining the health of an agency’s information security program.” It is unlikely that State would have been successful in implementing and monitoring key security controls in its information systems if it had not had an accurate inventory of those systems, one of the first requirements of FISMA.
Some rewriting of FISMA is needed and is likely to occur. A number of bills addressing cybersecurity now are pending in both houses of Congress. Whatever form the new legislation takes, it should incorporate the holistic strengths of FISMA as well as correct its weaknesses.