William Jackson | The FISMA paradigm
Security policies remain a burden to federal IT managers, but they are producing results
- By William Jackson
- Jun 30, 2008
There is no question that the Federal Information Security Management Act has changed the way information technology managers do their jobs. It has changed the way agencies write requests for proposals and set standards for vulnerability and configuration scanning ' and it eats up days and weeks in the production of reports.
The question remaining is whether federal IT systems are more secure now.
Rich Kellet, IT security officer at the General Services Administration's Citizen Services and Communications office, gave a qualified yes. Requirements for monthly vulnerability scans with deadlines for correcting critical problems have resulted in more secure systems. But Kellet described himself as skeptical about the overall requirements for detailed reporting to the Office of Management and Budget.
One of the bright spots in the FISMA paradigm is the guidance produced by the National Institute of Standards and Technology. The 800-series of special publications produced by the NIST Computer Security Division puts flesh on the bare bones of FISMA with guidelines and specifications for meeting compliance requirements.
Chief among these, Kellet said, is Special Publication (SP) 800-53, titled 'Techniques and Procedures for Verifying the Effectiveness of Security Controls in Information Systems.' Kellet called this a training manual for IT systems management. Everyone should be familiar with at least the general summary section of this publication, he said. But if you are not up to reading all of its several hundred pages, Kellet recommended SP 800-37, 'Guide for the Security Certification and Accreditation of Federal Information Systems.' 'It's really must reading for everyone.'
This is not just bedtime reading. The guidelines in 800-53 form a baseline of requirements that must be included in requests for proposals for IT systems and services. Agencies cannot meet FISMA requirements unless their vendors are meeting them.
'You cannot simply say in a contract, 'Follow 800-53',' he said. 'We made that mistake.' A list of specific deliverables with standards for meeting them is better for the vendor and agency, he said. 'We want them to cost it out because we don't want surprises at the end.'
But on the other side of the equation is the complaint that has been leveled against FISMA from the beginning: Paperwork. This includes quarterly security reporting and an annual FISMA data call to OMB that compliance assessments are based on. Kellet said he spends nearly four weeks a year ' several days on each of the quarterly reports and several weeks on the annual report ' producing documentation he is not sure is of any real use to OMB given the 7,000 systems it oversees.
The reporting should be more strategic, Kellet said, but he does not fault OMB. This is part of an evolution, a learning process that will eventually allow OMB to determine what information it needs to assess an agency's performance.
The bottom line is that FISMA has meant a lot of extra work for federal IT administrators, but it also has produced some results. Systems are being regularly scanned and vulnerabilities detected and corrected where possible ' some systems are just too touchy or critical to easily update and patch ' and security is being woven into IT management.
Regular reports of attacks against government systems and their occasional penetration make them appear still dangerously porous, and there clearly is a lot of work remaining. But there always will be. Cyberspace is a more hostile place now than when FISMA was written, and considering their high profile as targets, government systems have held up remarkable well against sophisticated attackers.
As it re-evaluates FISMA this year, Congress has an opportunity to refine the law and incorporate lessons learned during the past five years, possibly increasing the return on our security investment. FISMA will never be perfect ' but it's not bad, and we can hope to see it get better.
William Jackson is a Maryland-based freelance writer.