Readers divided over Kundra's plan for upgrading FISMA
Federal Chief Information Officer Vivek Kundra’s push to update how agencies measure compliance with the Federal Information Security Management Act seemed to strike a nerve this week with readers.
In a letter to the Government Accountability Office, Kundra wrote that the reporting requirements for FISMA, enacted in 2002, were outdated and “largely compliance based. They are trailing, rather than leading, indicators. We need metrics that give insight into agencies’ security postures and possible vulnerabilities on an on-going basis.”
His letter was prompted by a GAO report that found disparities between agencies’ FISMA compliance and their actual security status. He suggested that one way to improve reporting was to replace spreadsheets with an online database.
Reader comments ranged from hopeful to skeptical.
“Hurray! We have a Federal CIO who has the vision and is acting like a real CIO!” wrote one commenter. “The current government IT security environment is too focused on checking off boxes and being defensive. Kundra understands technology, its potential, and how to use it. I can only hope that his ideas and policies sink in at the agency level.”
However, one writer seemed to wonder if his approach was practical. “Kundra may know technology, but it doesn't appear that he's familiar with FISMA … the disconnect is very clear where Kundra argues with the GAO recommendation for OMB [to] use its authority to disapprove failing security programs; this hasn't ever happen[ed], should be the tool for OMB to get agencies to produce ‘real world’ rather than checkbox plans, and yet Kundra says OMB is doing fine as-is... Ha!”
Still another put the burden not on FISMA, but on the people in charge of security at agencies: “Since FISMA is a risk-management framework which requires Agencies to produce their own information security plan, the 'FISMA/Security' gap is really an 'Agency CIO/CISO failure to develop their own adequate security plan' gap. Let us thank the fact that we have FISMA, since without its mandatory system inventory and reporting there's no telling whether these non-performing agency CIO/CISOs would even bother with security.”
Can security and new Web technologies coexist? One writer was doubtful: “It's clear that Kundra is not serious about security. All of us are being pushed to field Web 2.0 technologies, and anybody who raises any issue about security gets blown out of the water as being an obstructionist. OMB needs to get its act together. Their automated tool for FISMA reporting (developed without any inputs from the community) will not help. Wonder if their wonderful new tool could pass an OIG or GAO FISMA compliance audit. I doubt it.”
On a Web 2.0-related note, Kundra told an audience at the Open Government and Innovations Conference this week that “[t]his notion of thinking about data in a structured, relational database is dead.”
He said agencies should be ready for an explosion of new data and that “[s]ome of the most valuable information is going to live in video, blogs and audio, and it is going to be unstructured inherently.”
That prompted this commenter to point out the difference between how data is produced and how it is presented: “... aren't most all Web 2.0 apps built on a relational database management system platform anyway? Is this sort of like saying ‘we don't need farms any more because now we have grocery stores’? ”
Posted by GCN Staff on Jul 24, 2009 at 7:05 PM