GAO to seek FISMA changes

Should agencies spend less time reporting on security and more time monitoring it?

Letter to DHS CIO Scott Charbo about network security

Related Links

The Government Accountability Office will recommend that federal agencies take a more qualitative and risk-based approach to evaluating their information security.

In a report to be released later this year, auditors will advocate changes in the Office of Management and Budget’s policy guidelines for complying with the Federal Information Security Management Act·(FISMA).  Greg Wilshusen, GAO’s director for information security issues, said GAO is closely reviewing the performance measures that OMB uses to ensure that agencies are implementing proper security controls.

The review comes as lawmakers and others are criticizing FISMA for failing to improve the security of government computer systems. Meanwhile, experts differ on whether a risk-based approach would improve the situation.

The system of letter grades that Congress assigns to rate FISMA compliance “appears to have no connection to the security of the agencies,” said Rep. Zoe Lofgren (D-Calif.). Lofgren was one of several lawmakers who questioned FISMA’s effectiveness during a recent hearing about attacks on State and Commerce department computer systems last year. The House Homeland Security Committee’s  Emerging Threats, Cybersecurity and Science and Technology Subcommittee sponsored the session.

One security expert said federal agencies might be better off spending less time documenting security and more time monitoring it. “Federal IT security practices have been aimed at rewarding those who sufficiently document IT security management,” said Alan Paller, director of research at the SANS Institute. 

The government’s security policies should reward agencies that demonstrate their defenses are solid or that their responses to attacks are effective, Paller said. “While the government has many reports and policies,” he added, “it doesn’t necessarily have good IT security.”

OMB’s performance measures are primarily quantitative rather than qualitative, Wilshusen said. “While agencies are reporting increased implementation of control activities, which is a good thing, it doesn’t reflect how effectively they are implementing them,” he added.

GAO will be looking at the effectiveness of those measures and whether they should be revised, Wilshusen said. He would not say what new performance measures GAO is contemplating. However, he hinted that the recommendations would draw from work the investigative agency completed two years ago. A 2005 GAO report emphasized the advantages of a risk-based approach to government information security.

Such an approach could be useful in improving agency information security, said Mark Day, chief technology officer at McDonald Bradley and former CTO at the Environmental Protection Agency. “It goes back to a cost/benefit analysis,” he said. “You can spend less on controls on systems that contain information of lesser value.”

But Paller warned that poorly implemented risk-based controls could be catastrophic. “Often, when people who have never secured systems employ the term ‘risk’ in planning and testing security, they end up misallocating resources and opening major holes into federal systems,” he said. Leaving low-risk systems vulnerable allows hackers to penetrate higher-risk systems because all the computers are networked,  he added.

Buxbaum is a freelance writer based in Bethesda, Md.



Lawmakers press DHS for security answersSix members of the House Homeland Security Committee signed a letter April 30 to Scott Charbo, the Homeland Security Department’s chief information officer, that asked  for information on how DHS protects its networks.

The lawmakers posed 13 detailed questions, including:
  • Has DHS conducted internal and external penetration tests on its systems and made copies of all reports  describing vulnerabilities?
  • Has DHS implemented a secure coding initiative and tested the security configuration of its software and Web applications?
  • What are DHS’ top three initiatives for securing its networks and how does the department measure their success?
— Jason Miller

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above