Reform would focus on a risk-based approach using automated tools for continuous monitoring that agencies already are adopting. But will they be graded on security or paperwork?
A bill updating federal information security requirements has passed unanimously in the House and now awaits action in the Senate, raising the possibility that Congress might actually enact some kind of cybersecurity legislation.
The Federal Information Security Amendments Act of 2013 would require agencies to take a risk-based approach to information security, using automated tools for continuous monitoring of civilian, military and intelligence IT systems. It essentially would bring the Federal Information Security Management Act into line with the best practices agencies already are adopting.
Like the current FISMA, it would require annual reports to Congress, and it would be congressional oversight that ultimately would determine its success in improving federal cybersecurity. The question is: Will Congress continue to grade agency performance based on paperwork compliance, or will it measure actual security?
The bill was introduced by Rep. Darrell Issa (R-Calif.) with five bipartisan cosponsors to “provide a comprehensive framework for ensuring the effectiveness of information security controls,” and “effective governmentwide management and oversight of the related information security risks,” for both civilian and national security systems.
It is technology agnostic, leaving the selection of the appropriate hardware and software up to each agency based on guidance and standards developed by the National Institute of Standards and Technology. It defines “adequate security” as “security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction or modification of information.”
The bill gives a nod to cloud computing by including services in its definition of systems. NIST would develop standards in cooperation with security agencies, including the National Security Agency, “to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems,” although the Defense Department and CIA will continue to oversee their own systems. Each agency would have a chief information security officer, either the CIO or a senior official reporting directly to the CIO.
None of this is radically different from FISMA as it now stands, and nothing in the current law prohibits the use of these tools and processes. But FISMA has remained mired in paperwork documenting compliance within the letter of the law rather than improving cybersecurity. And much of the fault for that lies with Congress.
In the early days of FISMA there was a lot of basic and remedial work to be done. Agencies had to create accurate inventories of IT systems, determine their condition and authorize their operation. Authorization did not mean certifying that the systems were secure, only that the agency understood the risks of operating them and accepted those risks.
These were necessary tasks and important steps toward effective security. But FISMA has struggled to get past this stage because it is easier to measure paperwork compliance than security status. Harried administrators and security teams worked diligently to keep Congress off their backs and devoted what resources were left to improving security.
A focus on establishing priorities and automating processes has improved security in recent years, although agencies still struggle to keep up with the bad guys. Codifying these efforts could help if Congress can find a way to measure results rather than process.