Risky business: FISMA reform hinges on managing the risks
Given the persistent concerns about protecting the government’s computer systems, the most recent of many congressional hearings on how to fix the Federal Information Security Management Act was perhaps as maddening for its old refrains as it was encouraging for the renewed desire to deal with them.
It certainly was no surprise that witnesses testifying late last month before the House Oversight and Government Reform Committee's Government Management, Organization and Procurement Subcommittee agreed that FISMA has generally failed to make agency systems more secure.
Consensus growing for reform of flawed FISMA
FISMA: A good idea whose time never came
Although the messenger was new, the message was familiar: “Despite the improvement reported by agencies, the federal government’s communications and information infrastructure is still far from secure,” Federal Chief Information Officer Vivek Kundra said, adding that agencies will never get to security through compliance audits alone.
Government and private-sector experts continue to maintain that agencies need to adopt a real-time, enterprise-based risk management approach to securing the nation’s information infrastructures.
That said, the hearing reflected new attention to FISMA and the Federal Information Security Amendments Act of 2010 (H.R. 4900), which the committee is reviewing.
The bill would go beyond FISMA’s original provisions by requiring continuous system monitoring accompanied by penetration testing. It would also create a National Office of Cyberspace at the White House to oversee the nation's cybersecurity posture, require independent auditing of the effectiveness of programs, and include security requirements in acquisition policies.
However, the problem with legislating new information security practices is how quickly technologies evolve and unleash new and unforeseen threats.
So it wasn’t surprising when the technology community, while praising the intent of the legislation, quickly hoisted warning flags urging Congress not to erect barriers to innovative solutions.
The better alternative, most experts agree, is using sound risk management disciplines. Bureaucrats might find them too inexact compared with verifying compliance, but if done well — which is to say, if government taps into the insights learned by the private sector — agencies stand a better chance of mitigating cybersecurity risks more quickly and coherently than they do now.
Assuming the bill moves forward — and we hope it will — it will certainly benefit from work released last month by the National Institute of Standards and Technology, the final version of its “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” Developed jointly with the defense and intelligence communities, the new publication (S.P. 800-37) provides an important reference for moving past compliance in the battle against cyber threats.
Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.