William Jackson | Happy Birthday FISMA
- By William Jackson
- Dec 17, 2007
The Federal Information Security Management Act is five years old. For five years, agencies have been struggling under unfunded mandates for regulatory compliance, a drumbeat of bad publicity from annual congressional report cards, a constant ping of hostile probes of IT systems and the occasional self-inflicted black eye. Is government's IT security any better today than it was in 2002?
It is hard to say with certainty because assessing security is like trying to prove a negative. If security is done right, the outcome is nothing. This makes it difficult to identify success and easy to pinpoint every slip. This is further complicated by the fact that there is no such thing as 'government IT security.' There are several dozen executive branch departments and agencies covered under FISMA, many with dozens more subdivisions, each with its unique networks, systems, missions and challenges.
But on the whole, I think government IT security has improved and I think FISMA has helped.
This might not be immediately apparent. The most recent annual IT security report card from the House Government Oversight and Reform Committee gave the 24 executive branch agencies covered in the report an overall grade of only C- for 2006. The grade had been stalled at D or D+ for the previous three years. Agencies receiving an F or an A this year are tied at eight each. Seven agencies improved their grades this year, six got worse and 10 remained the same. One major department, Veterans Affairs, didn't provide a report for 2006 and so received an 'incomplete.'
But these grades probably are neither a good assessment of IT security. They focus broadly on regulatory compliance without taking into account the complexities and incremental improvements.
'I don't think these grades represent a good measure of how well agencies have secured their information assets,' said Chris Fountain, CEO of SecureInfo Corp. of Washington. 'FISMA has gotten bad publicity because of non-representative grades.'
Faced with limited resources and shrinking budgets, administrators often are forced to make tough choices between regulatory compliance and practical efforts. Ted Julian, vice president of marketing and strategy for Application Security Inc. of New York, said that what he hears from his government customers is, 'compliance is important, but they don't want the compliance tail to wag the security dog.'
But for the last five years agencies have been inventorying IT assets, assessing vulnerabilities and assigning levels of risk, applying security controls and monitoring this process. Many of them have not managed to satisfy FISMA requirements, but even incomplete efforts cannot but help administrators to identify and protect against threats. I bet you would be hard pressed to find an agency where IT security has not become more standardized and more of a rational, repeatable process today than it was five years ago.
Standardization is a key concept. One of the shining accomplishments of FISMA has been the guidance produced by the National Institute of Standards and Technology for implementing the act. As required by FISMA, NIST has published a series of Federal Information Processing Standards and special publications with technical specifications for applying the standards.
This guidance documenting best security practices has been called robust and critical. Best of all, while FISMA itself and the FIPS standards are appropriately technology neutral, focusing instead on goals and processes, specs in NIST's 800 series special publications provide what Julian called 'granular insight into emerging best practices and threats.'
Not only do these publications provide a template for agencies in complying with FISMA, but industry also has embraced them, producing tools intended to meet the NIST specs.
Julian called FISMA results a 'mixed bag,' but he concedes that NIST's work under FISMA has gone a long way toward documenting best security practices.
'They may have succeeded where the private sector has failed,' he said. 'How often does that happen?'
William Jackson is a Maryland-based freelance writer.