New FISMA looks a lot like old FISMA, survey finds

The most common concern for federal IT security professionals is regulatory compliance, according to nCircle’s recently released 2012 Federal Information Security Initiatives Trend Study.

(Chart: Top security concerns)

The results indicate misplaced priorities, said Karen Cummins, nCircle’s director of federal markets. “If you pick compliance, that suggests we’re a little out of balance,” she said. Agencies are expected to have risk-based security policies and controls in place to help counter the growing threat of online attacks. But despite changes in the way the Federal Information Security Management Act is being implemented, success still is being measured by reporting rather than by results.

The Homeland Security Department has been given primary responsibility for overseeing FISMA and the emphasis has shifted from periodic assessment to continuous monitoring of IT systems. And “continuous monitoring” is being replaced by the term “continuous diagnostics and mitigation,” which Cummins said better reflects the goals of the program. This is to be enabled by automated data streams, which are fed to DHS through its Cyberscope reporting system.

Automated data streams can be powerful tools for risk remediation, but what is being measured is the ability to report the data to DHS rather than its use within an agency. As a result, “the new FISMA looks a lot like the old FISMA,” Cummins said.

With the inability of the current Congress to pass cybersecurity legislation, FISMA reform has depended instead on shifts in enforcement by DHS and the Office of Management and Budget. “It really has evolved in a very significant way,” Cummins said. But FISMA metrics that continue to focus on agency compliance rather than on results still can inhibit progress in securing federal IT systems.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Sep 14, 2012 George Johnson DC

Unfortunately, organizations will focus on what they MUST do rather than spend money trying to mitigate risks against threats that they can't quantify. Until we can either quantify threats or provide a radically better process for qualifying the probability of threats, there will never be enough budget to do what most people call "enough" security. When will we have honest, open discussions of threat? Will we ever be able to address threat probability (which is the keystone of measuring risk)? Is that even possible... Most High Impact attacks started as Low Probability (in the minds of the CFO/CEO), but those black swan events were the ones that really hurt the organization.
