Letter to the editor | FISMA quandary
I both agree and disagree with William Jackson's commentary on FISMA and security.
Having worked with federal agencies on both security architecture and FISMA compliance, I see a true divergence in opinions concerning FISMA.
What concerns me most is the 'check the box' attitude surrounding FISMA. I believe this stems more from OMB and GAO rather than any fault or shortcoming in the FISMA legislation or the resulting NIST standards and guidance.
The quandary is that no one will actually comply with the legislation unless OMB and GAO hold their feet to the fire; but when this happens, it perpetuates the 'check the box' mentality that reduces FISMA to a paper drill.
Those who see FISMA for what it is'a means to truly measure the effectiveness of an agency's information security program'get it and there is no paper drill. FISMA then becomes what it was always intended to be. Those who don't get it, and see FISMA as just one more thing to do, reduce it to a paper drill. Unfortunately, the latter far outnumber the former, thus the whole reason for this discussion.
Certification and accreditation is all about demonstrating, not achieving, compliance. We should be honest about what we are doing right and what we are doing wrong so we can prioritize our efforts and improve.
But let's not throw out the baby with the bath water. The only thing wrong with FISMA is the manner in which agencies chose to implement it. It is easy to legislate; it is hard to change a mindset. Since FISMA came out, I have been saying almost word for word Mr. Jackson's quote ('FISMA compliance does not necessarily mean improved security, but improving security can lead to FISMA compliance'). I would urge your readers to focus on this issue rather than on whether we need to make changes in FISMA.
How do we resolve the quandary? That is the hard part. There are no easy answers. Perhaps facilitating more discussion about this in GCN could be a start in the right direction.Graydon McKee, CISSP, GSEC
Senior Security Architect
Enterprise Security Group Unisys