Schlarman: New FISMA is the wrong solution

Although the Federal Information Security Management Act could use some fine-tuning and clarification, S.3474 — the “new FISMA” now under Senate consideration — is unnecessary, creates but doesn’t solve problems, and comes too late for this administration and too early for the next.

Three additional factors beg for its quick death: 

  1. The most frequent criticism of FISMA is that it has become a paperwork drill. The new FISMA adds more paper.

  2. Another common complaint about federal security programs in general is that chief information officers and the Office of Management and Budget-led CIO Council haven’t done their jobs. New FISMA compounds that problem by creating a parallel universe with yet another interagency council that is bound to compete with existing organizations. It also gives citizens of this new universe — CIO subordinates — enforcement powers that even CIOs don’t have.

  3. Through a simple word swap (“audit” instead of “evaluation”), new FISMA promotes resource draining, security-weakening competition between inspectors general and agencies.

I’m not surprised by the renewed push for audits. They are comfort food for GAO and IGs. But during the 1999 development of FISMA’s predecessor, the Government Information Security Reform Act, lawmakers chose less formal and more agile evaluations over audits. The reasons they did so are still largely valid.

First, audits are inflexible and promote gotcha results while repelling cooperation and the sharing of information and resources between auditor and audited.

Second, because cooperation and sharing don’t exist, obfuscation often does. To avoid an unfavorable finding, those being audited don’t volunteer pertinent information to auditors.

Third, without sharing, IGs and agencies must compete for limited resources and a finite pool of smart security folks. Would you rather work long hours to secure your system, only to be rewarded by a probe from a second-guessing auditor? Or would you prefer to be that auditor?

Fourth, GAO is finally updating its audit standards for IT systems. It is too early to assess the new standards’ quality, but they appear to be consistent with modern executive branch guidance. Except in an appendix, however, GAO made little attempt to map the standards to FISMA itself. The guidelines might be fine for audits, but they are a far cry from what’s needed for evaluations.

New FISMA should sink and not resurface until the next administration and Congress take office. Then its return or replacement by a new proposal must be part of a larger cybersecurity strategy. And unlike this administration’s overly secret cybersecurity initiative, that strategy must recognize the overwhelming majority of government programs are for public use and thus the public deserves to be a meaningful part of security policy development.

In the meantime, if an agency believes something in the new FISMA is important for security — and probably only continuous monitoring is — let’s hope they’re already doing it as part of system certification and accreditation. They should not need another law.

Schlarman is a former chief of Office of Management and Budget’s Information Policy and Technology Branch.

Reader comments

Fri, Dec 16, 2011 Federal Drone

While I can see the theoretical need for standards and audits, I've watched IT productivity in the Federal workspace drop to near 0 as a result of NIST's broad recommendations being implemented as specific requirements and audited on a far-too-frequent basis by OMB. In spite of the mountains of paperwork, FDCC-certified workstations are too often unpatched and easy prey for Adobe and MS 0-day vulnerabilities. Putting people with no IT knowledge in charge of approving or (more often) denying deployment is NOT a good idea. Was it Rome that collapsed under the weight of bureaucracy?

Fri, Jul 29, 2011 Robert MD

Continuous Monitoring is an important aspect, but you need to actually implement security measures that continually improve security effectiveness. I think too many put faith in the mere metrics gathered by the so-called "Continuous Monitoring" concept. Here are the problems: what's critical to monitor first, second, third, fourth, etc.? Who's paying for it? Yet another unfunded standard? Oh yeah, there is no real standardized "Continuous Monitoring Architecture" yet, is there? Who besides select groups understands the intent of FISMA? The problem with the Fed is their own leadership is frequently untrained or cares less about FISMA. Let me clarify by stating many do understand, but not ALL critical leadership cares about FISMA, much less understands it. Why? It's an "IA" area, and operational IT managers often don't feel they own the responsibility to enforce the controls. Many IA types get caught up satisfying report requirements when they should be auditing their own internal security first and fixing the broken things. Bottom line, if your Continuous Monitoring program mandates don't have appropriate leadership assigned responsibility and funding, we will have a bigger mess. FISMA was fine; it was the leadership, funding and lack of teeth and vision that failed us. Continuous Monitoring was always required by the original FISMA bill, but few took the time to read the damn thing. NIST checklists were always required as well, but the Fed is too liberal in saying they're guidance. The checklists are MANDATORY and always have been under FISMA. People need to actually read the bill and understand what they're required to do, is all. Too many people read the law and put in their own intent when it is clear what is required. NIST, you're at fault in some ways, but your program has gotten better. Too many baseline checklists confused the community for far too many years. Step up and give clarity to the minimal requirements for Continuous Monitoring Architectures.
The field needs standards and not fifty zillion guides on what they "could do". Keep it simple, NIST; tell them what they must do. We all know NIST has no authority; perhaps it should if it is to continue writing so much guidance that supports LAW???
