Pessimism over FISMA deadline starts at the top, survey finds
Fewer than half of the agencies represented in a recent poll expect to meet the September deadline for using continuous monitoring to meet Federal Information Security Management Act reporting requirements, and C-level executives interviewed were more pessimistic about their prospects for success than rank-and-file administrators.
The findings reflect the complexity of bringing together information from disparate IT systems to provide the required situational awareness, said Mike Lloyd, chief technology officer of RedSeal Networks, which sponsored the survey.
“Everybody agrees that this is the right thing,” Lloyd said, with 64 percent of respondents saying that continuous monitoring and the security metrics it provides will improve IT security status. “This clearly is a technical problem.”
Lloyd said the technology exists to do continuous monitoring as required by the Office of Management and Budget, but few agencies have enough knowledge on their complete IT environment to deploy that technology effectively. Maintaining accurate inventories of IT systems and mapping them to the agencies’ missions to provide meaningful risk assessment have been challenges of FISMA since its enactment in 2002.
FISMA has been criticized as a meaningless paperwork exercise, initially enforced with requirements to assess security of IT systems every three years. But the requirements have shifted to a more real-time approach based on continuous monitoring of systems’ security postures. OMB in 2010 told agencies that FISMA reporting must be done through automated monitoring tools by Sept. 30, 2012.
The National Institute of Standards and Technology has produced guidance for the process and is developing the Security Content Automation Protocol (SCAP), a set of specifications that lets automated tools express configuration checks, vulnerability identifiers and scan results in a common, machine-readable form so that the reporting can be automated.
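Automated reporting only works once scan output is machine-readable, which is what the SCAP specifications are for. As an added example (not code from the article, RedSeal or NIST), the script below reads an XCCDF TestResult, the SCAP result format scanners emit, and reduces it to the figures a continuous-monitoring report needs: per-host pass/fail counts, a compliance percentage and the high-severity rules that still fail. The sample document is constructed, its rule identifiers are placeholders rather than rules from any real benchmark, and the scoring shown is a simplified one (compliant versus non-compliant over scored rules), not XCCDF's own default scoring model.

```python
"""Summarize an SCAP XCCDF TestResult for an automated compliance report.

Added example, not code from the article, RedSeal or NIST.  Assumes the
scanner writes XCCDF 1.1 or 1.2 results; the sample below is constructed
and its rule ids are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Rule results counted as compliant / non-compliant in the simplified score.
# notapplicable, notchecked, notselected and informational are not scored.
COMPLIANT = {"pass", "fixed"}
NONCOMPLIANT = {"fail", "error", "unknown"}

# Constructed sample: one host, seven rule results, XCCDF 1.2 namespace.
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo"
              start-time="2012-08-15T10:00:00" end-time="2012-08-15T10:02:30">
    <target>host-a.example.internal</target>
    <rule-result idref="xccdf_example_rule_ssh_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_min_len" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_ipv6_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_av_installed" severity="medium">
      <result>fixed</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_fips_mode" severity="high">
      <result>error</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_screensaver_lock">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def _namespace(root):
    """Return the XML namespace the document uses (XCCDF 1.1 and 1.2 differ)."""
    if root.tag.startswith("{"):
        return root.tag[1:].split("}", 1)[0]
    return ""


def summarize_test_result(xml_text):
    """Parse one TestResult and return counts, failures and a compliance %."""
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    q = lambda name: "{%s}%s" % (ns, name) if ns else name  # qualified tag

    # A result file may be a bare TestResult or a Benchmark wrapping one.
    tr = root if root.tag == q("TestResult") else root.find(q("TestResult"))
    if tr is None:
        raise ValueError("no TestResult element found")

    counts = Counter()
    failing = []  # (rule id, severity) for every non-compliant rule
    for rr in tr.findall(q("rule-result")):
        result = rr.findtext(q("result"), default="unknown").strip()
        counts[result] += 1
        if result in NONCOMPLIANT:
            # severity is optional in XCCDF; treat a missing one as unknown
            failing.append((rr.get("idref"), rr.get("severity", "unknown")))

    scored = sum(counts[r] for r in COMPLIANT | NONCOMPLIANT)
    compliant = sum(counts[r] for r in COMPLIANT)
    pct = round(100.0 * compliant / scored, 1) if scored else 0.0
    return {
        "target": tr.findtext(q("target"), default=""),
        "counts": dict(counts),
        "failing": failing,
        "scored_rules": scored,
        "compliance_pct": pct,
    }


def high_severity_failures(summary):
    """Rule ids that a report should escalate rather than just count."""
    return [idref for idref, sev in summary["failing"] if sev == "high"]


if __name__ == "__main__":
    s = summarize_test_result(SAMPLE_RESULT)
    print(s["target"], s["compliance_pct"], "% of", s["scored_rules"], "scored rules")
    print("high-severity failures:", high_severity_failures(s))
```

Run against one result file per host and the output is the per-system view the agencies surveyed were struggling to assemble; the harder part the article describes, mapping each target back to the system and mission it belongs to, still needs an inventory that this script has to be joined against.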
RedSeal interviewed 234 IT security professionals attending the annual conference of the Government Forum of Incident Response and Security Teams (GFIRST), held in Nashville in August. The results were released in December.
Of those surveyed, 22 percent said they already had deployed continuous monitoring solutions, and altogether 45 percent said they expected to meet the deadline. When the results are broken down by role, however, 53 percent of security managers, administrators and auditors expected to meet the Sept. 30 deadline, while only 28 percent of CIOs and chief information security officers expected to.
This runs counter to the usual pattern in surveys, in which C-level executives have a rosier outlook about IT security, Lloyd said.
“Confidence that they would meet the deadline was falling,” he said. “This is an interesting finding, not what a cynic might expect. People are struggling.”
He interpreted it to mean that although individual line administrators might have confidence in their understanding of their own fiefdoms, senior executives see that this information is not coming together into the unified picture that will be needed for automated FISMA reporting.
Slipping deadlines for technical deployments are a familiar pattern in government and not necessarily fatal to the goals. To eventually meet those goals, agencies will have to develop comprehensive views of their IT infrastructures and map tools and techniques for monitoring and reporting based on each agency’s mission and its risk tolerance.
As of the time of the survey, a variety of tools were being considered by agencies for meeting requirements for continuous monitoring with no single technology dominating. The choices were:
- Intrusion detection and intrusion prevention systems, 51 percent.
- Security information and event management (SIEM), 49 percent.
- Network security device configuration audit tools, 43 percent.
- Vulnerability assessment tools, 35 percent.