New FISMA looks a lot like old FISMA, survey finds
The most common concern for federal IT security professionals is regulatory compliance, according to nCircle’s recently released 2012 Federal Information Security Initiatives Trend Study.
The results indicate misplaced priorities, said Karen Cummins, nCircle’s director of federal markets. “If you pick compliance, that suggests we’re a little out of balance,” she said. Agencies are expected to have risk-based security policies and controls in place to help counter the growing threat of online attacks. But despite changes in the way the Federal Information Security Management Act is being implemented, success is still measured by reporting rather than by results.
The Homeland Security Department has been given primary responsibility for overseeing FISMA, and the emphasis has shifted from periodic assessment to continuous monitoring of IT systems. The term “continuous monitoring” is itself being replaced by “continuous diagnostics and mitigation,” which Cummins said better reflects the goals of the program. This is to be enabled by automated data streams, which are fed to DHS through its Cyberscope reporting system.
Automated data streams can be powerful tools for risk remediation, but what is being measured is the ability to report the data to DHS rather than its use within an agency. As a result, “the new FISMA looks a lot like the old FISMA,” Cummins said.
With the current Congress unable to pass cybersecurity legislation, FISMA reform has depended instead on shifts in enforcement by DHS and the Office of Management and Budget. “It really has evolved in a very significant way,” Cummins said. But FISMA metrics that continue to focus on agency compliance rather than on results can still inhibit progress in securing federal IT systems.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.