Cyber bill's FISMA mandate could be a step backward
Requiring mandatory controls could emphasize compliance over security
The long-awaited cybersecurity bill by Sen. Joe Lieberman (I-Conn.) and his colleagues on the Senate Homeland Security and Governmental Affairs Committee is here, a wide-ranging piece of legislation to improve the security of the nation’s critical infrastructure, both in government and in the private sector.
Lieberman is adamant that the bill contains no Internet “kill switch,” a controversial issue that he says overshadowed the debate on his cybersecurity bill introduced in the last Congress, S. 3480. The new legislation contains pretty specific language setting out just what the president can and cannot do in the event of a national cyber emergency and explicitly states that “neither the president, the director of the National Center for Cybersecurity and Communications, nor any other officer or employee of the federal government should have the authority to shut down the Internet.”
Security reform? What security reform?
These provisions are still likely to generate controversy, merited or not, but another provision of the bill also bears close attention. In revamping the Federal Information Security Management Act, it calls for mandatory security controls for agency IT systems.
It says that, “the Director of the National Center for Cybersecurity and Communications shall...provide to agencies security controls that agencies shall be required to be implemented to mitigate and remediate vulnerabilities, attacks, and exploitations....”
This does not appear at first blush to be a bad idea, but it is the kind of thing that IRS Chief Information Security Officer David Stender has warned against.
“Compliance is the easiest way to meet requirements,” he said in a discussion of FISMA during last week’s RSA Security Conference. But compliance does not equal security. Stender was not speaking about the Lieberman bill specifically, but he said that rewriting FISMA to include mandatory security controls could reinforce the culture of compliance that has given FISMA a black eye over the past eight years.
Stender is, if not a fan, at least not a critic of FISMA as now written. “I don’t think there was a problem with FISMA,” he said. “I think there was a problem with implementing FISMA.”
The proposed revamping in the Lieberman bill is not bad. It calls for automated continuous monitoring of systems, for protection commensurate with risk in a cost-effective way, and for improved accountability for cybersecurity. But FISMA already addresses continuous monitoring, and agencies, under recent guidance from the Office of Management and Budget, are moving toward that goal.
One of the strengths of the current law is that it is focused on guidance, not requirements. Compliance with that guidance is an easy shortcut, but the law also allows agencies the latitude to address risk without being in 100 percent compliance with the guidelines, which agencies are beginning to do. Putting mandatory security controls in place could tempt agencies to take a big step backward and comply with the law by checking off the required controls without addressing the real risk environment.
This is not to say that there should be no changes to FISMA, but any changes should be carefully considered to ensure that they bring real improvements.
“We have been our own worst enemy with FISMA 1.0,” Stender said. “We don’t have to stand still and wait for legislation.”