Feds fumble with FISMA performance
Some doubt that grades give a true picture
- By Patience Wait
- Mar 30, 2006
'We clearly have to do much better in creating metrics. All the things we're talking about now are output measures, not outcome measures.'
' DOD's Robert Lentz
Bob Lentz wants to emphasize that FISMA is a good thing. The Federal Information Security Management Act is the law that requires federal agencies to report to the Office of Management and Budget and to Congress on their progress in improving information security.
Since 2001, agencies have been held up to public scrutiny annually as Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, presented the grades earned by their efforts to meet the requirements of the act.
Lentz, assistant secretary of Defense for networks and information and integration, and director of information assurance for the Pentagon, sees the benefit of requiring agencies to report back to Capitol Hill once a year on their progress. Yet, since his department earned an F this year'and has never managed higher than a D'Lentz chooses his words carefully, because he knows first-hand the money and manpower DOD is putting into improving cybersecurity.
'The Department of Defense uses FISMA as a critical management and assessment tool. We continue to enhance our FISMA effort, consistent with guidelines from OMB,' Lentz told Davis at a hearing last month.
But after the hearing, Lentz said that while the FISMA grades raise the visibility, thus the importance, of cybersecurity issues, the grades don't necessarily address whether cybersecurity has been improved in an agency.
'I think at times we get a little too hung up on the score, and we make a lot of auditable, black-and-white decisions that end up not portraying' the true security picture, Lentz said. The grades 'certainly are a factor in how you improve,' but you have to step back and ask yourself whether the overall assessment that you're making is the whole picture.FISMA important, but ...
Dennis Heretick, the Justice Department's chief information security officer, agreed on both counts'that FISMA is important, but the grades may not be an accurate reflection of an agency's cyberreadiness.
Heretick is unhappy that his agency's grade fell from a B- last year to a D this year. He feels an A- would be far more reflective of the status of Justice systems.
'We improved sharply, in my opinion, in just about every one of the FISMA questions,' Heretick said.
For example, DOJ last year had a certification and accreditation rate of 91 percent; this year, it rose to 99 percent, he said.
His department's problem arose with its inspector general, who is responsible for assessing the condition of Justice systems, answering FISMA questions for OMB and preparing numerical scores for grading purposes, Heretick said.
'If you take the IG's view, if you have weaknesses you deserve to be marked down,' he said. 'But if you want to fix things, you have to find the problems.'
This is part of a problem that Lentz, Heretick and others have observed: The scoring process is based on system-by-system assessments and doesn't include ways to get credit for enterprisewide infrastructure improvements.
At DOD, implementing the provisions of Homeland Security Presidential Directive 12'which requires all agencies to begin issuing interoperable smart identification cards by Oct. 27'is a major undertaking in which the Pentagon is investing a lot of resources. But 'there's no recognition of that' in FISMA, Lentz said.
The advent of standardized configurations for computers of all stripes'desktop, notebook, handheld'is another area that significantly improves security by enhancing configuration management and streamlining patch management, but the law doesn't include a grade for that, either, he said.
'We clearly have to do much better in creating metrics' for FISMA, Lentz said. 'All the things we're talking about now are output measures, not outcome measures.'
'I think the agencies should have brought up' how to credit department- wide improvements as an issue at the hearing, said a Government Reform Committee staff member. 'Agencies might make a huge push in one year, focusing on one or two areas, [but] sometimes it requires so much effort, it's hard to sustain it.'
Similarly, the committee began to explore why such a dichotomy has emerged in the FISMA scores, with the largest departments getting the worst grades, while smaller agencies either have the best grades or show greater progress from previous years' results.
Particularly alarming were the scores of DOD and the Homeland Security Department, which also received an F (see scorecard).
At the hearing, Rep. Diane Watson (D-Calif.) questioned sarcastically whether the two agencies most responsible for protecting the country are up to the task, if they can't protect their own computer systems.Apples and oranges?
Davis avoided the partisan tone but wondered out loud if perhaps there is such a difference between large agencies and small ones that FISMA is difficult to apply evenhandedly.
Karen Evans, OMB administrator for e-government and IT, said it is not surprising that there is a difference between them.
'The overall size, geographic distribution of offices and systems, as well as legacy systems of differing versions (hardware and software) introduce much complexity,' Evans acknowledged.
But as agencies continue to work at FISMA compliance, she added, security will be integrated throughout the lifecycle of systems, and the adoption and implementation of enterprise architectures will further reduce complexity.
Within the Pentagon, however, complexity will continue. The evolution of network-centric warfare requires that systems and networks be configured on the fly and reconfigured on a moment's notice as the tactical situation changes.
'When you're in a very dynamic environment, you can have a system today that is certified and its three-year certificate expires'it goes from green on November 30 to red on December 1,' Lentz said.
At DHS, the challenge of raising FISMA scores is just one of a slew of obstacles to integrating all the disparate parts into the three-year-old department, DHS CIO Scott Charbo said at the hearing.
In October, only 26 percent of the department's approximately 700 systems had been accredited; by the end of February, more than 60 percent had been accredited, he said, and reaching 100 percent by the end of the fiscal year is 'on track.'