Don't be too quick to dismiss FISMA
Security regulations can evolve with changing threats, NIST researcher says
The Federal Information Security Management Act has become the whipping boy for security vendors, chief information security officers and legislators, but we should not be too eager to abandon it, says a leading security researcher at the National Institute of Standards and Technology.
“We tend to want to make ‘compliance’ a bad word today,” said NIST senior computer scientist Ron Ross. But regulatory compliance does not have to be a static checklist, and it is part of effective risk management, he said.
If the regulations are fundamentally sound and adaptable, they can evolve to address a rapidly changing security environment, and that is what is happening with FISMA, he said. “The fundamental reforms already are ongoing, coming from grass-roots activities,” not from policy or legislative changes, Ross said.
FISMA gets the tools to do the job
FISMA’s future may lie in State Department security model
As the head of NIST’s FISMA implementation program, Ross, who spoke recently about changes in cybersecurity requirements at a forum hosted by InformationWeek, is hardly a disinterested observer. Since the passage of FISMA in 2002, a great deal of the resources of NIST’s Computer Security Division have gone to creating standards, recommendations and guidelines on how to achieve compliance. That body of work has been praised as one of the accomplishments of FISMA while at the same time condemned as overly comprehensive and prescriptive.
But we should not exaggerate FISMA’s weaknesses or ignore its strengths. The NIST guidance is not static and is evolving to meet changing needs. One example is the Joint Task Force for Unified Standards that has been working for several years to harmonize standards and requirements between national security IT systems and those in the rest of government. “That has nothing to do with legislation,” Ross said.
Ross said the increased emphasis on continuous monitoring of IT systems is not a contradiction of the long-standing requirements for periodic certification of systems to ensure that proper controls are in place. Assessing controls is an essential part of knowingly accepting certain levels of risk, which is what accreditation is all about. “Continuous monitoring is not strategy; it is a tactic,” he said.
Efforts such as the well-publicized success at the State Department with monitoring essential controls are not contradictory to FISMA requirements. They are part of an evolution in FISMA. “We have all of the standards in place to make this transition to near real-time awareness,” he said.
If FISMA is essentially sound, why are we still seeing so many IT security failures?
“We are aggressively using IT across government,” with more networking and sharing than was anticipated eight years ago, Ross said. At the same time, there has been an exponential growth in the numbers of threats and attacks against such systems. “You put these things together, and you are going to continue to see breaches in federal systems,” he said.
The problems are being caused not so much by a failure of basic security policy as by an unprecedented growth in risk, and the solution is to manage that risk with the best tools available. That requires frequent evaluations and upgrades of policies and practices to provide agile defenses against agile threats.
“There is no such thing as a secure system in today’s world,” Ross warned. “The best you can hope for is risk management.”