GCN Tech Blog

By GCN Staff

Blog archive

Readers divided over Kundra's plan for upgrading FISMA

Federal Chief Information Officer Vivek Kundra’s push to update how agencies measure compliance with the Federal Information Security Management Act seemed to strike a nerve this week with readers.

In a letter to the Government Accountability Office, Kundra wrote that the reporting requirements for FISMA, enacted in 2002, were outdated and “largely compliance based. They are trailing, rather than leading, indicators. We need metrics that give insight into agencies’ security postures and possible vulnerabilities on an on-going basis.”

His letter was prompted by a GAO report that found disparities between agencies’ FISMA compliance and their actually security status. He suggested that one way to improve reporting was to replace spreadsheets with an online database.

Reader comments ranged from hopeful to skeptical.

“Hurray! We have a Federal CIO who has the vision and is acting like a real CIO!” wrote one commenter. “The current government IT security environment is too focused on checking off boxes and being defensive. Kundra understands technology, its potential, and how to use it. I can only hope that his ideas and policies sink in at the agency level.”

However, one writer seemed to wonder if his approach was practical. “Kundra may know technology, but it doesn't appear that he's familiar with FISMA … the disconnect is very clear where Kundra argues with the GAO recommendation for OMB [to] use its authority to disapprove failing security programs; this hasn't ever happen[ed], should be the tool for OMB to get agencies to produce ‘real world’ rather than checkbox plans, and yet Kundra says OMB is doing fine as-is... Ha!”

Still another put the burden not on FISMA, but on the people in charge of security at agencies: “Since FISMA is a risk-management framework which requires Agencies to produce their own information security plan, the 'FISMA/Security' gap is really an 'Agency CIO/CISO failure to develop their own adequate security plan' gap. Let us thank that fact that we have FISMA, since without its mandatory system inventory and reporting there's no telling whether these non-performing agency CIO/CISO's would even bother with security."

Can security and new Web technologies coexist? One writer was doubtful: “It's clear that Kundra is not serious about security. All of us our being pushed to field Web 2.0 technologies, and anybody who raises any issue about security gets blown out of the water as being an obstructionist. OMB needs to get its act together. Their automated tool for FISMA reporting (developed without any inputs from the community) will not help. Wonder if their wonderful new tool could pass an OIG or GAO FISMA compliance audit. I doubt it.”

One a Web 2.0-related note, Kundra told an audience at the Open Government and Innovations Conference this week that, "[t]his notion of thinking about data in a structured, relational database is dead.”

He said agencies should be ready for explosion of new data and that "[s]ome of the most valuable information is going to live in video, blogs and audio, and it is going to be unstructured inherently."

That prompted this commenter to point out the difference between how data is produced and how it is presented: “... aren't most all Web 2.0 apps built on a relational database management system platform anyway? Is this sort of like saying ‘we don't need farms any more because now we have grocery stores’? ”

Posted by GCN Staff on Jul 24, 2009 at 9:39 AM

Reader Comments

Thu, Jul 30, 2009 sasa

I guess that that’s important to know about upgrading FISMA. http://w DOT ww.gogetessays.com at the research paper writing services just about upgrading FISMA, because this is important article.

Tue, Jul 28, 2009

Kundra has demonstrated little understanding of risk management. He has stated that he wants to make "C&A'd cloud services" part of a GSA storefront offering. Accreditation is a risk acceptance activity performed explicitly by an agency in view of its mission. Kunda and GSA cannot accredit information systems for other agencies as they don't inherently understand the mission or personally accept the risk of operation. He doesn't understand that without assessment work there can be no risk analysis and no accreditation decisions. These activities are all in light of the risk management framework FISMA put in place. FISMA was never intended to be wonderful bliss. It is a legal minimum that agencies are required to implement. FISMA has been successful in that it allowed agencies enough rope to perform risk management in light of their mission.

Mon, Jul 27, 2009 Puregoldj Washington, DC

I am not saying that FISMA is a bad law; it's a framework to assess security. My observation is that many agencies have made it a check-box exercise; and of course, their senior management is delighted to see all the boxes checked. Meanwhile, while Congress and OMB have put in many rules governing Federal IT, OMB has generaly been short-handed, not shown any technological savvy, and has generally accepted the submission of checked boxes. The result has been that nobody has been there to shake up the check-box mentality. If Kundra can get agencies to be less reactive and more proactive on security (as well as on other IT governance issues), that would be of great benefit!

Mon, Jul 27, 2009

I have performed several FISMA based assessments for federal agencies. FISMA is designed to assess the security posture of an agency. If you choose to turn it into a check the box exercise (like many agenices have doene) then you can but the goal is to get security metrics then remediate. Kundra comments are echoing others but Kundra does not understand technology or assessments since he has no track record of performing either.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above


HTML - No Current Item Deck
  • Transforming Constituent Services with Business Process Management
  • Improving Performance in Hybrid Clouds
  • Data Center Consolidation & Energy Efficiency in Federal Facilities