Risky business: FISMA reform hinges on managing the risks

Given the persistent concerns about protecting the government’s computer systems, the most recent of many congressional hearings on how to fix the Federal Information Security Management Act was perhaps as maddening for its old refrains as it was encouraging for the renewed desire to deal with them.

It certainly was no surprise that witnesses testifying late last month before the House Oversight and Government Reform Committee's Government Management, Organization and Procurement Subcommittee agreed that FISMA has generally failed to make agency systems more secure.

Related Stories:

Consensus growing for reform of flawed FISMA

FISMA: A good idea whose time never came

Although the messenger was new, the message was familiar: “Despite the improvement reported by agencies, the federal government’s communications and information infrastructure is still far from secure,” Federal Chief Information Officer Vivek Kundra said, adding that agencies will never get to security through compliance audits alone.

Government and private-sector experts continue to maintain that agencies need to adopt a real-time, enterprise-based risk management approach to securing the nation’s information infrastructures.

That said, the hearing reflected new attention to FISMA and the Federal Information Security Amendments Act of 2010 (H.R. 4900), which the committee is reviewing.

The bill would go beyond FISMA’s original provisions by requiring continuous system monitoring accompanied by penetration testing. It would also create a National Office of Cyberspace at the White House to oversee the nation's cybersecurity posture, require independent auditing of the effectiveness of programs, and include security requirements in acquisition policies.

However, the problem with legislating new information security practices is how quickly technologies evolve and unleash new and unforeseen threats.

So it wasn’t surprising when the technology community, while praising the intent of the legislation, quickly hoisted warning flags urging Congress not to erect barriers to innovative solutions.

The better alternative, most experts agree, is using sound risk management disciplines. Bureaucrats might find them too inexact compared with verifying compliance, but if done well — which is to say, if government taps into the insights learned by the private sector — agencies stand a better chance of mitigating cybersecurity risks more quickly and coherently than they do now.

Assuming the bill moves forward — and we hope it will — it will certainly benefit from work released last month by the National Institute of Standards and Technology, the final version of its “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.”  Developed jointly with the defense and intelligence communities, the new publication (S.P. 800-37) provides an important reference for moving past compliance in the battle against cyber threats.

About the Author

Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Wed, Apr 14, 2010

I'm sorry, but the new SP 800-37 is not at all that much different then the previous versions. Along with the new 800-53 Rev 3, these are both just more of the same old fantasy academic exercises that further illustrates how clueless that NIST still is, in regards to the complexity of today's information systems. By the time you get through trying to apply these 2 new NIST pubs to large complex systems, you will have wasted even more money and generated more paperwork then ever before. When the heck is NIST going to wake up? You get a bunch of clue less security geeks together from NIST, NSA, Intel, DoD ...wherever, all you're going to end up with is this never ending wasteful exercise that OMB and NIST have shoved down our throats since 2002. These products are good for class room networks and computer science classes, but they have no practical (emphasis on practical) utility in the real world. How sad that the Federal government remains mired in this ludicrous quagmire orchestrated by NIST.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group