But after 11 years it continues to mature and provide a reasonable framework for securing IT systems.
The Federal Information Security Management Act, the framework for cybersecurity in the federal government, has come in for a lot of criticism since its enactment in 2002. Some say it is hopelessly out of date; others that it never was adequate. But the law has proved remarkably resilient in the face of an IT landscape and threat environment that has changed almost beyond recognition in the last 11 years.
This is due in large part to the continually and rapidly evolving body of cybersecurity guidance being produced by the National Institute of Standards and Technology – the meat on the bones of FISMA.
Assessments of FISMA’s success remain cautious, at best. A recent report from the Government Accountability Office shows “mixed progress” from fiscal 2011 to 2012. Some security elements improved across agencies while some declined, and “23 of 24 of the major federal agencies had weaknesses in the controls that are intended to limit or detect access to computer resources.”
Government IT security professionals questioned in a recent survey by MeriTalk gave a positive but cool assessment of the law. Although just 27 percent of respondents reported being fully compliant with FISMA, 62 percent believe increased compliance would improve security, and 53 percent say it already has improved security.
But they still have reservations about FISMA. Twenty-eight percent said it focuses on compliance rather fixing problems, 21 percent say it is insufficient for today’s threats and 11 percent say it is antiquated. Still, 27 percent say it is improving with requirements such as continuous monitoring.
So, how to shift opinions of FISMA from cautious to enthusiastic? GAO focuses its recommendations for improvement on metrics. Current reporting does not address all FISMA requirements and is focused on compliance rather than outcome. GAO recommends looking at periodic assessments of risk and developing metrics for inspectors general so that they can report on the effectiveness or security programs.
NIST will need to continue updating its guidance to reflect new demands and capabilities, such as continuous monitoring of IT systems and automation of assessments.
And everyone will have to accept that cybersecurity is a moving target and that even the best-protected systems will quickly become out of date if ignored for a short time.
“You are never done, you are never there,” said Vincent Berk, CEO of FlowTraq. “We are talking about an amazingly complex problem.” But government has made great strides in addressing the task by making security a priority.
If gaps remain, it is not necessarily the fault of FISMA. If the Office of Management and Budget and the Homeland Security Department can learn to measure the right things and give credit for what works, the existing legal framework can continue to help.
NEXT STORY: Getting harder to trust Alexander's NSA