Fountain: FISMA's fifth birthday
- By Christopher Fountain
- Feb 29, 2008
The Federal Information Security Management Act turned five in December. As with any milestone, this is a good time to reflect on what’s working and what’s not with one of the most pervasive — and arguably most influential — information security laws to be enacted.
The purpose of FISMA is to protect the government’s information assets — no small task. FISMA has had a positive effect on information security, but there is room for improvement.
FISMA has done a number of things well. It has raised general awareness of information security and increased executive-level accountability. It generates a standardized system of measurement, which the Office of Management and Budget publishes in an annual FISMA report to Congress. The law provides formalized information security practices and procedures.
However, FISMA could and should do four additional things:
■ Emphasize continuous performance assessment instead of point-in-time compliance
Although FISMA calls for effective risk management and information security programs, in practice there is too much emphasis on demonstrating point-in-time compliance at the expense of continuous information security. The goal of an effective information security program is to weave information security into everyday tasks and activities. Assessments should be conducted on an ongoing, unscheduled basis and include simulated attacks to identify technical vulnerabilities and measure user adherence to information security policy.
■ Improve the FISMA report card
The annual FISMA report card grade is an ineffective measurement tool. The grade reflects an agency's ability to demonstrate compliance; it does not measure an information security program's effectiveness.
The FISMA report card should be based on a series of quantitative assessments that specifically target program effectiveness.
Assessments should be performed by well-trained information security specialists who operate across agencies. That approach would eliminate the subjective and potentially political nature of the current grading scheme.
■ Create accountability at all levels
All government employees, not only agency executives, must be held accountable and rated on information security awareness and policy adherence. Specific language regarding information security should be inserted into all performance appraisals.
■ Have one consistent standard
Since FISMA was enacted, the government has gone from a need-to-know to a need-to-share environment. All agencies must have confidence that moving data from one agency or department to another does not compromise the security of that information.
The government needs a single set of core standards and guidance that applies to all civilian, Defense Department and intelligence entities.
Some of that work is under way, but having those standards would simplify the administration of information security programs and facilitate information sharing.
FISMA has had a positive effect on federal information security during the past five years. Now it’s time to take the law to the next level. FISMA needs to be adapted to ensure that information security programs are working and government information assets are secure.
Fountain is president and chief executive officer of SecureInfo, which sells information assurance solutions to federal agencies.