CYBEREYE

Don't be too quick to dismiss FISMA

Security regulations can evolve with changing threats, NIST researcher says

The Federal Information Security Management Act has become the whipping boy for security vendors, chief information security officers and legislators, but we should not be too eager to abandon it, says a leading security researcher at the National Institute of Standards and Technology.

“We tend to want to make ‘compliance’ a bad word today,” said NIST senior computer scientist Ron Ross. But regulatory compliance does not have to be a static checklist, and it is part of effective risk management, he said.

If the regulations are fundamentally sound and adaptable, they can evolve to address a rapidly changing security environment, and that is what is happening with FISMA, he said. “The fundamental reforms already are ongoing, coming from grass-roots activities,” not from policy or legislative changes, Ross said.

As the head of NIST’s FISMA implementation program, Ross, who spoke recently about changes in cybersecurity requirements at a forum hosted by InformationWeek, is hardly a disinterested observer. Since the passage of FISMA in 2002, a great deal of the resources of NIST’s Computer Security Division have gone to creating standards, recommendations and guidelines on how to achieve compliance. That body of work has been praised as one of the accomplishments of FISMA while at the same time condemned as overly comprehensive and prescriptive.

But we should not exaggerate FISMA’s weaknesses or ignore its strengths. The NIST guidance is not static and is evolving to meet changing needs. One example is the Joint Task Force for Unified Standards that has been working for several years to harmonize standards and requirements between national security IT systems and those in the rest of government. “That has nothing to do with legislation,” Ross said.

Ross said the increased emphasis on continuous monitoring of IT systems is not a contradiction of the long-standing requirements for periodic certification of systems to ensure that proper controls are in place. Assessing controls is an essential part of knowingly accepting certain levels of risk, which is what accreditation is all about. “Continuous monitoring is not strategy; it is a tactic,” he said.

Efforts such as the well-publicized success at the State Department with monitoring essential controls do not contradict FISMA requirements. They are part of an evolution in FISMA. “We have all of the standards in place to make this transition to near real-time awareness,” he said.

If FISMA is essentially sound, why are we still seeing so many IT security failures?

“We are aggressively using IT across government,” with more networking and sharing than was anticipated eight years ago, Ross said. At the same time, there has been an exponential growth in the numbers of threats and attacks against such systems. “You put these things together, and you are going to continue to see breaches in federal systems,” he said.

The problems are being caused not so much by a failure of basic security policy as by an unprecedented growth in risk, and the solution is to manage that risk with the best tools available. That requires frequent evaluations and upgrades of policies and practices to provide agile defenses against agile threats.

“There is no such thing as a secure system in today’s world,” Ross warned. “The best you can hope for is risk management.”

Reader Comments

Fri, Jul 16, 2010 Jack

Bravo Ron!!! About time somebody explains that continuous monitoring is only part of a complete program. Some want to make a lot of money from continuous monitoring tools, training and capabilities, but this is completely a tactical solution. Hope to see more articles like this.

Tue, Jul 13, 2010 Gary Christoph Columbia, MD

The major issue is that few agencies are funded to adequately perform all of their mandates. What this means is that security and privacy often get short shrift; keeping the trains running gets the majority of resources. Thus, it is due to humans being involved, and trying to get their work done, that undoes much of what our security institutions and installed technology try to accomplish. The important thing is to have people watching, and to do enforcement when they do bad things. Unfortunately, most agencies are unable or unwilling to watch carefully. (This is the reason why FDA has missed on various food scares, and why Congress chose to (for the first time!) allow State AGs to enforce HIPAA security and privacy.) Note that IRS audits some 1% of 1040s and gets good compliance, so watching and enforcement do give good results. So the difficulty is not the policy (which is actually pretty good), but the poor execution of it and the poor understanding of risks by the users. And I say this having been the first CIO for CMS (and thus responsible for many of the HIPAA regs) and the main Compusec Officer for Los Alamos. What NIST has done is appropriate, but you are correct in saying that FISMA and the NIST rules are good policy: it is just that execution, particularly in civilian government, is poor to non-existent.

Tue, Jul 13, 2010

Yet another voice of reason that continuous monitoring is part of the overarching C&A process (and I stress process) - go Ron!
