Contrary to popular opinion, FISMA can improve security, agency officials say
Problem isn't the much-maligned act, but how it's applied
- By William Jackson
- Feb 16, 2011
SAN FRANCISCO — The Federal Information Security Management Act has been criticized as a paperwork exercise that has cost agencies millions of dollars without improving security. But a handful of officials beg to differ: They say the problem is not the tool but how it has been used.
“I don’t think there is a problem with FISMA,” said David Stender, chief information security officer at the Internal Revenue Service. “I think there was a problem with implementing FISMA.”
Agencies have focused on complying with requirements that are not mandatory rather than using the requirements to improve the security status of their systems. That should not be surprising, Stender said, adding, “Compliance is the easiest way to meet requirements.”
But a number of agencies are moving beyond checklist compliance and improving security under FISMA. A handful of officials described their efforts today at the RSA Conference.
In addition to compliance, “we are also focused on risk,” Stender said.
Congress has been considering updating or replacing FISMA, and the Office of Management and Budget has issued new guidelines for FISMA compliance that put more emphasis on continuous monitoring of systems rather than on periodic snapshots.
Nevertheless, “we don’t have to stand still and wait for legislation,” Stender said.
“Within FISMA, there are controls that talk about the need for continuous monitoring,” said Kevin Cox, information security technology team leader at the Justice Department.
Justice has developed the Cyber Security Assessment and Management tool, which helps automate the job of assessing systems’ security posture, and new tools are available that enable nearly continuous monitoring of systems without overloading the network, Cox said.
All that data — plus the data being produced by other agencies’ monitoring tools — is being sent to the Homeland Security Department via CyberScope, a government tool that interfaces with commercial analysis tools in an Extensible Markup Language format.
Matt Coose, director of federal network security at DHS, said CyberScope reporting is a tool, not a goal. The idea is to help agencies understand and improve their security postures.
“There is no absolute target,” Coose said. But agencies should be able to determine what security controls are in place on their systems and what the patch status is, and they should be able to associate that data with information about breaches and other failures.
Making FISMA work requires tools to automate the gathering and analysis of information. Stender and Cox said enterprise tools are needed to provide the necessary visibility across systems and offices. And although Stender said ultimately money is not the problem in improving security, enterprise tools also allow standardization and consolidation, which can be more economical.
“At some point, you have to consolidate to achieve efficiency,” he said.
“There is so much infrastructure to understand,” and enterprise tools can save money, Coose added.
In the end, “compliance is the product of good security,” not the other way around, Stender said.
Although FISMA is a law, its implementation is covered by guidelines being developed by the National Institute of Standards and Technology. Stender emphasized that guidance is not the same as requirements, and NIST does not intend its guidelines to be mandatory. That means that compliance is not an either/or situation in which 100 percent is required. The level of compliance with guidelines should be commensurate with the level of risk the agency is willing to take.
“We have been our own worst enemy with FISMA 1.0,” Stender said. He warned that replacing the current law with FISMA 2.0 would move many agencies back to square one and have them focusing on complying with new requirements rather than managing risk.