Schlarman: New FISMA is the wrong solution

Although the Federal Information Security Management Act could use some fine-tuning and clarification, S.3474 — the “new FISMA” now under Senate consideration — is unnecessary, creates but doesn’t solve problems, and comes too late for this administration and too early for the next.

Three additional factors beg for its quick death: 



  1. The most frequent criticism of FISMA is that it has become a paperwork drill. The new FISMA adds more paper.



  2. Another common complaint about federal security programs in general is that chief information officers and the Office of Management and Budget-led CIO Council haven’t done their jobs. New FISMA compounds that problem by creating a parallel universe with yet another interagency council that is bound to compete with existingorganizations. It also gives citizens of this new universe — CIO subordinates — enforcement powers that even CIOs don’t have.



  3. Through a simple word swap (“audit” instead of “evaluation”), new FISMA promotes resource draining, security-weakening competition between inspectors general and agencies.



I’m not surprised by the renewed push for audits. They are comfort food for GAO and IGs. But during the 1999 development of FISMA’s predecessor, the Government Information Security Reform Act, lawmakers chose less formal and more agile evaluations over audits. The reasons they did so are still largely valid.

First, audits are inflexible and promote gotcha results while repelling both cooperation and sharing of information and resources among the auditor and audited.

Second, because cooperation and sharing don’t exist, obfuscation often does. To avoid an unfavorable finding, those being audited don’t volunteer pertinent information to auditors.

Third, without sharing, IGs and agencies must compete for limited resources and a finite pool of smart security folks. Would you rather work long hours to secure your system, only to be rewarded by a probe from a second-guessing auditor? Or would you prefer to be that auditor?

Fourth, GAO is finally updating audit standards for IT systems. It is too early to assess the new standards’ quality, but they appear to be consistent with modern executive branch guidance. But, except in an appendix, GAO made little attempt to map FISMA itself. The guidelines might be fine for audits, but they are a far cry from what’s needed for evaluations.

New FISMA should sink and not resurface until the next administration and Congress take office. Then its return or replacement by a new proposal must be part of a larger cybersecurity strategy. And unlike this administration’s overly secret cybersecurity initiative, that strategy must recognize the overwhelming majority of government programs are for public use and thus the public deserves to be a meaningful part of security policy development.

In the meantime, if an agency believes something in the new FISMA is important for security — and probably only continuous monitoring is — let’s hope they’re already doing it as part of system certification and accreditation. They should not need another law.

Schlarman is a former chief of Office of Management and Budget’s Information Policy and Technology Branch.

2014 Rising Star Awards

Help us find the next generation of leaders in federal IT.

Reader comments

Fri, Dec 16, 2011 Federal Drone

While I can see the theorhetical need for standards and audits, I've watched IT productivity in the Federal workspace drop to near 0 as a result of NIST's broad recommendations being implemented as specific requirements and audited on a far-too-frequent basis by OMB. In spite of the mountains of paperwork, FDCC-certified workstations are too often unpatched and easy prey for Adobe and MS 0-day vulnerabilities. Putting people with no IT knowledge in charge of approving or (more often) denying deployment is NOT a good idea. Was it Rome that collapsed under the weight of bureaucracy?

Fri, Jul 29, 2011 Robert MD

Continous Monitioring is an important aspect but you need to actually implement security measures that continually improve security effectiveness. I think too many put faith in the mere metrics gathered by the so-called "Continous Monitoring" concept. Here's the problems: what's critical to monitor first, second, third, forth, etc...? Who's paying for it? Yet another unfunded standard? Oh yeah, there is no real standardized "Continous Monitoring Architecture" yet, is there? Who besides select groups understand the intent of FISMA? Problem with the Fed is their own leadership is frequently untrained or cares less about FISMA. Let me clarify by stating many do understand, but not ALL critical leadership cares about FISMA, much less understand it. Why, it's an "IA" area and operational IT managers often don't feel they own the responsibility to enforce the controls. Many IA types get caught up satisfying report requirements when they should be auditing their own internal security first and fixing the broken things. Bottom line, if your Continous Monitoring program mandates don't have appropriate leadership assigned responsibilty and funding we will have a bigger mess. FISMA was fine, it was the leadership funding and lack of teeth and vision that failed us. Continous Monitoring was always required by the original FISMA bill but few took the time to read the damn thing. NIST checklists were always required as well but the Fed is too liberal in saying their guidance. The checklists are MANDATORY and always have been under FISMA. People need to actually read the bill and understand what their required to do is all. Too many people read the law and put their own intent when it is clear what is required. NIST, your at fault in some ways but your program has gotten better. Too many baseline checklists confused the community for far too many years. Step up and give clarity to the minimal requirements for Continous Monitoring Architechures. The field needs standards and not fifty zillion guides what they "could do". Keep it simple NIST, tell the what they must do. We all know NIST has no authority, perhaps it should if it is to continue writing so much guidance that supports LAW???

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above