The much-maligned Federal Information Security Management Act is not a bad tool, but it has been used improperly, federal officials say.
SAN FRANCISCO — The Federal Information Security Management Act has been criticized as a paperwork exercise that has cost agencies millions of dollars without improving security. But a handful of officials beg to differ: They say the problem is not the tool but how it has been used.
“I don’t think there is a problem with FISMA,” said David Stender, chief information security officer at the Internal Revenue Service. “I think there was a problem with implementing FISMA.”
Agencies have focused on complying with requirements that are not actually mandatory, rather than using those requirements to improve the security posture of their systems. That should not be surprising, Stender said, adding, “Compliance is the easiest way to meet requirements.”
But a number of agencies are moving beyond checklist compliance and improving security under FISMA. A handful of officials described their efforts today at the RSA Conference.
In addition to compliance, “we are also focused on risk,” Stender said.
Congress has been considering updating or replacing FISMA, and the Office of Management and Budget has issued new guidelines for FISMA compliance that put more emphasis on continuous monitoring of systems rather than on periodic snapshots.
Nevertheless, “we don’t have to stand still and wait for legislation,” Stender said.
“Within FISMA, there are controls that talk about the need for continuous monitoring,” said Kevin Cox, information security technology team leader at the Justice Department.
Justice has developed the Cyber Security Assessment and Management tool, which helps automate the job of assessing systems’ security posture, and new tools are available that enable nearly continuous monitoring of systems without overloading the network, Cox said.
All that data — plus the data being produced by other agencies’ monitoring tools — is being sent to the Homeland Security Department via CyberScope, a government tool that interfaces with commercial analysis tools in an Extensible Markup Language format.
Matt Coose, director of federal network security at DHS, said CyberScope reporting is a tool, not a goal. The idea is to help agencies understand and improve their security postures.
“There is no absolute target,” Coose said. But agencies should be able to determine what security controls are in place on their systems and what the patch status is, and they should be able to associate that data with information about breaches and other failures.
Making FISMA work requires tools to automate the gathering and analysis of information. Stender and Cox said enterprise tools are needed to provide the necessary visibility across systems and offices. And although Stender said ultimately money is not the problem in improving security, enterprise tools also allow standardization and consolidation, which can be more economical.
“At some point, you have to consolidate to achieve efficiency,” he said.
“There is so much infrastructure to understand,” and enterprise tools can save money, Coose added.
In the end, “compliance is the product of good security,” not the other way around, Stender said.
Although FISMA is a law, its implementation is covered by guidelines being developed by the National Institute of Standards and Technology. Stender emphasized that guidance is not the same as requirements, and NIST does not intend its guidelines to be mandatory. That means that compliance is not an either/or situation in which 100 percent is required. The level of compliance with guidelines should be commensurate with the level of risk the agency is willing to take.
“We have been our own worst enemy with FISMA 1.0,” Stender said. He warned that replacing the current law with FISMA 2.0 would move many agencies back to square one and have them focusing on complying with new requirements rather than managing risk.