Cyber bill's FISMA mandate could be a step backward

Requiring mandatory controls could emphasize compliance over security

The long-awaited cybersecurity bill by Sen. Joe Lieberman (I-Conn.) and his colleagues on the Senate Homeland Security and Governmental Affairs Committee is here, a wide-ranging piece of legislation to improve the security of the nation’s critical infrastructure, both in government and in the private sector.

Lieberman is adamant that the bill contains no Internet “kill switch,” a controversial issue that he says overshadowed the debate on his cybersecurity bill introduced in the last Congress, S. 3480. The new legislation contains pretty specific language setting out just what the president can and cannot do in the event of a national cyber emergency and explicitly states that “neither the president, the director of the National Center for Cybersecurity and Communications, nor any other officer or employee of the federal government should have the authority to shut down the Internet.”


These provisions are still likely to generate controversy, whether or not it is merited, but there is another provision of the bill that also bears close attention. In revamping the Federal Information Security Management Act, it calls for mandatory security controls for agency IT systems.

It says that, “the Director of the National Center for Cybersecurity and Communications shall...provide to agencies security controls that agencies shall be required to be implemented to mitigate and remediate vulnerabilities, attacks, and exploitations....”

This does not appear at first blush to be a bad idea, but it is the kind of thing that IRS Chief Information Security Officer David Stender has warned against.

“Compliance is the easiest way to meet requirements,” he said in a discussion of FISMA during last week’s RSA Security Conference. But compliance does not equal security. Stender was not speaking about the Lieberman bill specifically, but he said that rewriting FISMA to include mandatory security controls could reinforce the culture of compliance that has given FISMA a black eye over the past eight years.

Stender is, if not a fan, at least not a critic of FISMA as now written. “I don’t think there was a problem with FISMA,” he said. “I think there was a problem with implementing FISMA.”

The proposed revamping in the Lieberman bill is not bad. It calls for automated continuous monitoring of systems, for protection commensurate with risk in a cost-effective way, and improved accountability for cybersecurity. But FISMA currently addresses continuous monitoring, and agencies, under recent guidance from the Office of Management and Budget, are moving toward that goal.

One of the strengths of the current law is that it is focused on guidance, not requirements. Compliance with that guidance is an easy shortcut, but the law also allows agencies the latitude to address risk without being in 100 percent compliance with the guidelines, which agencies are beginning to do. Putting mandatory security controls in place could tempt agencies to take a big step backward and comply with the law by checking off the required controls without addressing the real risk environment.

This is not to say that there should be no changes to FISMA, but any changes should be carefully considered to ensure that they bring real improvements.

“We have been our own worst enemy with FISMA 1.0,” Stender said. “We don’t have to stand still and wait for legislation.”

About the Author

William Jackson is a Maryland-based freelance writer.


Reader Comments

Fri, Aug 5, 2011 Short Little Rebel

Lieberman’s Cybersecurity & Internet Freedom Act 2011 is the most treasonous bill ever introduced in the history of our nation. The result is the decimation of our technology market and the birth of Big Brother. The following article breaks the bill down into understandable points, with quotes directly from the bill, and lists the incredible authorities being given to the director of the new Cybersecurity Agency that will be created and to the POTUS. This bill represents the single largest takeover of the private market in human history. Contact information for all Senators & Representatives is also included. Every red-blooded American, be they liberal or conservative, needs to read this analysis and take action! It is not being covered in the news. Wonder why?

Tue, Jul 12, 2011 Jack

If the CIO isn't responsible for implementing security as part of an overall IT requirement, it will always get bolted on, and that is counterproductive. The CIO needs an operational and strategic information security professional to build in security and steer the security architecture of the organization. This is what FISMA does. What is mentioned above is the organizational risk management, which has an IT component but is a much broader and necessary encompassing function. FISMA does not address this as it is outside of the scope of E-Gov. By using the term "enforce," the CIO is now law enforcement, which is typically the realm of the IG. Now certainly the IGs have not "enforced" as much as they should because they have been focused so much on the audit side. I think FISMA can stand on its own. There is enough flexibility through OMB, NIST (FIPS esp.) and DHS to use it effectively. Now if OMB and the IGs would police the agencies, we'd see better security.

Sat, Feb 19, 2011 Bruce Brody Washington, DC

To those who say that FISMA was not the problem, it was the implementation: they are foolishly disregarding FISMA's complete disregard for the CISO, FISMA's arguably incorrect placement of the security function under the CIO, and FISMA's blatant error in using the word "ensure" rather than "enforce" in representing the CIO's authority under the act. Plenty can be said about the way OMB improperly implemented FISMA, but giving Congress a mulligan for botching the governance side of the problem is pure foolishness.
