When reforming FISMA, don't throw out what works
We now are in the opening weeks of a new Congress, and several cybersecurity bills already have been introduced, aimed primarily at improving cybersecurity education and protecting critical infrastructure. It is just a matter of time before FISMA reform is again brought up.
At 11 years old, the Federal Information Security Management Act of 2002 is well into middle age for an IT law — in fact, it’s probably moving into old age — so it is due for a legislative update. When Congress does address the issue, it should move cautiously, taking the time to evaluate what is right about FISMA and what could be improved, and looking at what agencies have been doing right in securing their information systems.
Moving cautiously does not mean stalling. Any number of FISMA reform bills have been introduced in past sessions, only to die without making it to the floor. But Congress should take the time to ensure that any new law is a clear improvement over the existing one.
FISMA has always had its detractors, but it has proved to be a robust law. One of its strengths has been its ability to evolve through non-legislative means. Over the years, the agencies overseeing it have shifted focus away from static compliance and toward risk management, continuous monitoring and real-time awareness. In the past year or so, the National Institute of Standards and Technology has updated its guidelines on risk assessment (Special Publication 800-30 Rev. 1, revised in Sept. 2012), security controls (SP 800-53 Rev. 4, draft revision issued in February 2012) and continuous monitoring (SP 800-137, issued in September 2011).
In 2010, the Office of Management and Budget designated the Homeland Security Department the lead agency for establishing cybersecurity metrics, and by 2011 overall compliance had increased from 62 percent to 74 percent. DHS introduced CyberScope for automated FISMA reporting in 2010, and its reporting guidelines for fiscal 2013 continuing an increased emphasis on continuous monitoring.
This does not mean that everything is all right with FISMA. A 2012 survey of federal officials by nCircle showed that IT security still is focused on compliance rather than risk, which has been a complaint against FISMA from the beginning. As has been amply demonstrated over the last decade, compliance does not equal security.
But the problem with FISMA has been in its implementation rather than its goals. Before Congress fiddles too much with the act, lawmakers should have a good idea of how that implementation has improved and what the impact has been, and what practices have actually improved security in agencies. It may be an old law, but it’s possible that FISMA needs only a tune-up rather than a major overhaul.
Posted by William Jackson on Jan 28, 2013 at 9:39 AM