GCN Tech Blog

By GCN Staff

Blog archive

Readers divided over Kundra's plan for upgrading FISMA

Federal Chief Information Officer Vivek Kundra’s push to update how agencies measure compliance with the Federal Information Security Management Act seemed to strike a nerve this week with readers.

In a letter to the Government Accountability Office, Kundra wrote that the reporting requirements for FISMA, enacted in 2002, were outdated and “largely compliance based. They are trailing, rather than leading, indicators. We need metrics that give insight into agencies’ security postures and possible vulnerabilities on an on-going basis.”

His letter was prompted by a GAO report that found disparities between agencies’ FISMA compliance and their actually security status. He suggested that one way to improve reporting was to replace spreadsheets with an online database.

Reader comments ranged from hopeful to skeptical.

“Hurray! We have a Federal CIO who has the vision and is acting like a real CIO!” wrote one commenter. “The current government IT security environment is too focused on checking off boxes and being defensive. Kundra understands technology, its potential, and how to use it. I can only hope that his ideas and policies sink in at the agency level.”

However, one writer seemed to wonder if his approach was practical. “Kundra may know technology, but it doesn't appear that he's familiar with FISMA … the disconnect is very clear where Kundra argues with the GAO recommendation for OMB [to] use its authority to disapprove failing security programs; this hasn't ever happen[ed], should be the tool for OMB to get agencies to produce ‘real world’ rather than checkbox plans, and yet Kundra says OMB is doing fine as-is... Ha!”

Still another put the burden not on FISMA, but on the people in charge of security at agencies: “Since FISMA is a risk-management framework which requires Agencies to produce their own information security plan, the 'FISMA/Security' gap is really an 'Agency CIO/CISO failure to develop their own adequate security plan' gap. Let us thank that fact that we have FISMA, since without its mandatory system inventory and reporting there's no telling whether these non-performing agency CIO/CISO's would even bother with security."

Can security and new Web technologies coexist? One writer was doubtful: “It's clear that Kundra is not serious about security. All of us our being pushed to field Web 2.0 technologies, and anybody who raises any issue about security gets blown out of the water as being an obstructionist. OMB needs to get its act together. Their automated tool for FISMA reporting (developed without any inputs from the community) will not help. Wonder if their wonderful new tool could pass an OIG or GAO FISMA compliance audit. I doubt it.”

One a Web 2.0-related note, Kundra told an audience at the Open Government and Innovations Conference this week that, "[t]his notion of thinking about data in a structured, relational database is dead.”

He said agencies should be ready for explosion of new data and that "[s]ome of the most valuable information is going to live in video, blogs and audio, and it is going to be unstructured inherently."

That prompted this commenter to point out the difference between how data is produced and how it is presented: “... aren't most all Web 2.0 apps built on a relational database management system platform anyway? Is this sort of like saying ‘we don't need farms any more because now we have grocery stores’? ”

Posted by GCN Staff on Jul 24, 2009 at 9:39 AM


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected