Senate revisits FISMA
- By William Jackson
- Mar 13, 2008
The Office of Management and Budget reports that as of last year agency compliance with the Federal Information Security Management Act (FISMA) had significantly improved. In 2007, 92 percent of information systems were certified and accredited, 86 percent of agencies had a tested contingency plan, and 95 percent had tested security controls.
Unfortunately, FISMA compliance is not necessarily a good measure of information technology security, a panel of witnesses told a Senate subcommittee March 12. There are no consistent assessments of the effectiveness of the controls being put into place, and practical examples of weaknesses, such as system penetrations and data loss, continue to crop up.
'Despite reported progress, 20 of 24 agencies continue to experience information security control deficiencies,' said Gregory Wilshusen, director of information security issues at the Government Accountability Office.
Sen. Thomas R. Carper (D-Del.), chairman of the Homeland Security and Government Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, cited a litany of security breaches, including data losses by agencies and the apparent systematic probing of federal IT systems by China. He called the weaknesses 'simply unacceptable.'
'Our inability to secure federal information networks and protect the information they contain leaves American citizens open to threats like identity theft,' he said. 'It even places our national security at risk.'
The problem is not that FISMA is bad, as far as it goes, but that it does not go far enough, officials and experts said. They suggested clarified reporting requirements and better guidelines on complying with the law.
FISMA was enacted in 2002, establishing a set of requirements for agencies to meet in inventorying, assessing risk and placing security controls on information systems. All systems are supposed to be certified and accredited for operation and security controls, and programs regularly evaluated. Agency inspectors general are supposed to do annual independent evaluations. From the start there have been complaints from agencies and from security experts that the act would become a paperwork drill rather than produce meaningful security.
Despite reported improvements in compliance metrics over the past five years, assessments of agencies' overall security postures have been routinely disappointing. Last year's annual House report card on security gave the government an overall grade of C-, a slight improvement from the previous year's D+.
'Some argue that FISMA does not adequately measure information security,' said Tim Bennett, president of the Cyber Security Industry Alliance. 'A high FISMA grade doesn't mean the agency is secure and vice versa. That is because FISMA grades reflect compliance with mandated processes: they do not, in my view, measure how much these processes have actually increased security.'
Despite an obvious need to improve security, no one suggested scrapping FISMA.
'The bill itself is fine with the way the framework is set up,' said Karen Evans, OMB's administrator for electronic government and IT. FISMA is a tool that provides metrics for reporting efforts, and with independent IG evaluations it does not rely on self-reporting. Whether or not it is a paperwork drill or a genuine enhancement to security 'depends on how the agency goes about doing the work.'
Both Evans and Wilshusen cited a number of government-wide initiatives intended to help agencies make the most of FISMA and improve security. These include:
- The Information Security Line of Business, to help agencies share expertise and common processes.
- The Federal Desktop Core Configuration, to establish consistent and secure operating system configurations for Windows XP and Vista users.
- SmartBUY, to provide cost-effective and standardized software acquisition.
- The Trusted Internet Connections initiative, to reduce the number of federal Internet access points to a manageable and better-monitored number.
Wilshusen also recommended several changes to FISMA, including enhanced reporting requirements, under which IGs would report on the quality of security controls and evaluation processes rather than just their presence, and the application of audit standards to the annual FISMA evaluations.
The IT security industry, through CSIA, took a tougher stance. While approving OMB guidance and programs to improve security, the association's president said they needed the force of law to be effective.
'CSIA believes that amending legislation is needed to give the weight and suasion of law to the improvements that we are recommending,' Bennett said.
Those recommendations include:
- Give explicit enforcement power to chief information and chief information security officers. 'Accountability at the individual level, not just the agency level, is critical to obtaining improved security.'
- Require a standardized, comprehensive approach to assessing, monitoring and remediating problems in IT security. Evaluations need to be more frequent than annual.
- Mandate a complete inventory of all IT assets by a certain date. 'It is a complicated task to complete a comprehensive inventory, but you can't protect what you don't know about even though an enemy might know about it.'
- Improve IT security performance metrics and provide incentives to agencies.
- Institutionalize security in agency culture, with training and a CISO council that reports regularly to Congress.
- Enact a federal data breach notification law, codifying existing OMB guidelines to agencies.
- Increase IT security funding, at least meeting the president's fiscal 2009 budget request for $7.3 billion.
- Require an objective assessment of the security of new networking technologies rather than restricting procurement of potentially improved products by forcing compliance with static requirements.
William Jackson is a Maryland-based freelance writer.