FISMA gets the tools to do the job
New OMB reporting structure helps bring federal security practices up to date
New reporting requirements released last week by the Office of Management and Budget will help bring the Federal Information Security Management Act (FISMA) into line with best security practices that have developed since the statute’s enactment eight years ago.
“Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way,” OMB memo M-10-15 says. “To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools.”
Consensus is growing for the reform of flawed FISMA
FISMA: A good idea whose time never came
That approach is commonplace today but is absent from FISMA, which focuses on a static evaluation of systems and their security status, and on annual reporting. The White House, working through Federal Chief Information Officer Vivek Kundra and Cybersecurity Coordinator Howard A. Schmidt, has corrected this shortfall by executive fiat, requiring that a set of data elements be reported monthly by each agency directly to a central platform managed by the Homeland Security Department.
FISMA has been roundly criticized since its passage as an ineffective, burdensome paperwork exercise. I have never completely bought into that. It is clear that FISMA compliance does not necessarily equal security, and security does not necessarily mean compliance. But I believed that once the onerous task of compliance was achieved, the groundwork would be laid for a meaningful security management framework. This has not yet happened. Although FISMA has increased awareness of security issues and improved visibility into government systems by requiring inventories and certification, it has remained a paper-based compliance effort while real-world security practices such as automated monitoring and reporting developed separately.
The new OMB requirements are a move to integrate those automated tools into FISMA. “Agencies should not build separate systems for reporting,” the memo states. “Any reporting should be a by-product of agencies’ continuous monitoring programs and security management tools.”
The power of the new approach is that it now puts the authority of regulation behind these tools. And in government, regulation is everything. A task force that included the Federal CIO Council, the Council of Inspectors General on Integrity and Efficiency, the National Institute of Standards and Technology, DHS, the Information Security and Privacy Advisory Board and the President’s cybersecurity coordinator developed a set of metrics to be reported.
“Understanding that metrics are a policy statement about what federal entities should concentrate resources on, the task force developed metrics that will push agencies to examine their risks and make substantial improvements in their security,” the memo states.
The new reporting requirements do not represent a complete overhaul of FISMA. Data is not being gathered from agencies continuously; it will be reported quarterly through the remainder of this year and in 2011 will be reported monthly. But the process will be automated, uniform and timely, and it should provide a reasonably up-to-date governmentwide snapshot of the IT security status. And agencies will have access to this data in real time and will be able to use it to improve their security.
It still would be wrong to assume that FISMA compliance equals security. But this should move compliance and security closer together, and this system will likely allow DHS and individual agencies to more nearly determine how secure they are and where improvements are needed.