By Patrick Marshall

When reforming FISMA, don't throw out what works

We now are in the opening weeks of a new Congress, and several cybersecurity bills already have been introduced, aimed primarily at improving cybersecurity education and protecting critical infrastructure. It is just a matter of time before FISMA reform is again brought up.

At 11 years old, the Federal Information Security Management Act of 2002 is well into middle age for an IT law — in fact, it’s probably moving into old age — so it is due for a legislative update. When Congress does address the issue, it should move cautiously, taking the time to evaluate what is right about FISMA and what could be improved, and looking at what agencies have been doing right in securing their information systems.

Moving cautiously does not mean stalling. Any number of FISMA reform bills have been introduced in past sessions, only to die without making it to the floor. But Congress should take the time to ensure that any new law is a clear improvement over the existing one.

FISMA has always had its detractors, but it has proved to be a robust law. One of its strengths has been its ability to evolve through non-legislative means. Over the years, the agencies overseeing it have shifted focus away from static compliance and toward risk management, continuous monitoring and real-time awareness. In the past year or so, the National Institute of Standards and Technology has updated its guidelines on risk assessment (Special Publication 800-30 Rev. 1, revised in Sept. 2012), security controls (SP 800-53 Rev. 4, draft revision issued in February 2012) and continuous monitoring (SP 800-137, issued in September 2011).

In 2010, the Office of Management and Budget designated the Homeland Security Department the lead agency for establishing cybersecurity metrics, and by 2011 overall compliance had increased from 62 percent to 74 percent. DHS introduced CyberScope for automated FISMA reporting in 2010, and its reporting guidelines for fiscal 2013 continue an increased emphasis on continuous monitoring.

This does not mean that everything is all right with FISMA. A 2012 survey of federal officials by nCircle showed that IT security is still focused on compliance rather than risk, which has been a complaint against FISMA from the beginning. As has been amply demonstrated over the last decade, compliance does not equal security.

But the problem with FISMA has been in its implementation rather than its goals. Before Congress fiddles too much with the act, lawmakers should have a good idea of how that implementation has improved and what the impact has been, and what practices have actually improved security in agencies. It may be an old law, but it’s possible that FISMA needs only a tune-up rather than a major overhaul.

Posted by William Jackson on Jan 28, 2013 at 9:39 AM
