NASA hits FISMA reset button

NASA's Jerry Davis has won many admirers for saying his agency would focus on reducing security risks through automation, rather than compliance paperwork

If only it were possible to improve cybersecurity by doing more thorough paperwork. Alas, eight years after the passage of the Federal Information Security Management Act, it hasn’t worked yet. That, anyway, is the conclusion of Jerry Davis, deputy chief information officer of information technology security at NASA.

Davis struck a blow last month for the many security experts who see diminishing returns from the millions of dollars that agencies spend to certify that their systems are compliant with FISMA requirements.

In a memo dated May 18, Davis informed NASA’s information systems security officials that they would not be required to recertify their existing systems on the usual three-year cycle. Instead, agency officials plan to invest their time and money in systems and processes that will allow them to continually monitor the security of their systems, according to the memo.

The traditional certification and accreditation processes “have proven largely ineffective and do not ensure a system’s security, or a true understanding of the system’s risk posture,” Davis wrote in the memo, which was obtained by Jill Aitoro at Nextgov.com.

The C&A processes also have been costly. In an interview with FCW’s Ben Bain, Davis said NASA officials could end up saving close to $20 million this year by not putting their systems through the FISMA grind.

It’s worth noting that FISMA was passed at a time when security processes in government were largely haphazard. Although some agencies did a good job with security, there was no way to replicate those successes at other agencies. FISMA was an effort to create a security baseline across government and systematize the process of measuring compliance at individual agencies.

It was never intended to be the final word in security, just a baseline. But the C&A process was so costly and labor-intensive that the paperwork associated with FISMA compliance has become a cottage industry unto itself at agencies, one whose product is of questionable value.

“The mounds of paperwork currently required to perform certification and accreditation activities over federal systems amounts to nothing more than a pro forma exercise that gives officials a false sense that their systems are actually secure,” writes Jeff Bardin at CSO Online.

But it’s not as if federal cybersecurity experts haven’t seen the problem. It’s just that they never had much say in the matter, given the unassailable reporting requirements that the Office of Management and Budget issued. Those requirements were based on security guidance that the National Institute of Standards and Technology issued.

But everything changed with an April 21 memo in which OMB officials detailed FISMA reporting requirements for 2010. The memo notes that NIST’s guidelines allow a certain amount of latitude in application, which “can result in different security solutions that are equally acceptable and compliant” — a line featured prominently in Davis’ memo.

But the shift at OMB did not come out of the blue. Alan Paller, director of research at the SANS Institute, gives kudos to Federal CIO Vivek Kundra and White House Cybersecurity Coordinator Howard Schmidt for encouraging agencies to focus on reducing security risks rather than simply complying with security policies.

The only question was who was willing to step into the opening that OMB created. The answer is Davis.

“The NASA innovation is the breath of fresh air that every CIO and every major program manager in government has been (secretly) hoping for,” writes Paller in a SANS NewsBites newsletter.

However, one security blogger was more skeptical, arguing that FISMA has not worked because agencies never incorporated it, along with the rest of NIST’s guidance, into a comprehensive security strategy. It’s not that FISMA has failed, the blogger writes. It’s that “I don’t think we’ve really done FISMA yet.”

Reader comments

Thu, Sep 23, 2010 Jack

Ohhhh they sure did move away from FISMA... not in a good way... This sums it up: http://oig.nasa.gov/audits/reports/FY10/IG-10-024.pdf

We found that NASA’s IT security program had not fully implemented key FISMA requirements needed to adequately secure Agency information systems and data. For example, we found that only 24 percent (7 of 29) of the systems we reviewed met FISMA requirements for annual security controls testing and only 52 percent (15 of 29) met FISMA requirements for annual contingency plan testing. In addition, only 40 percent (2 of 5) of the external systems we reviewed were certified and accredited. These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program.

We also found that NASA’s Office of Chief Information Officer (OCIO) had not effectively managed corrective action plans used to prioritize the mitigation of IT security weaknesses. This occurred because OCIO did not have a formal policy for managing the plans and did not follow recognized best practices when it purchased an information system that it hoped would facilitate Agency-wide management of IT corrective action plans. However, after spending more than $3 million on the system since October 2005, implementation of the software failed. The Agency is currently expending funds to acquire a replacement system. Specifically, we found that the information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans across NASA. For example, the system contained corrective action plans for only 2 percent (7 of 289) of the 29 systems we sampled. In our judgment, the system was underutilized because OCIO did not fully document detailed system requirements prior to selecting the system and did not have users validate requirements via acceptance testing prior to implementing it.

Because the information system contained minimal data and the manual process the Agency relied on was not consistently followed, OCIO’s management of corrective action plans was ineffective and did not ensure that significant IT security weaknesses were corrected in a timely manner. Until NASA takes steps to fully meet FISMA requirements and to improve its system acquisition practices, NASA’s IT security program will not be fully effective in protecting critical Agency information systems. Moreover, until such improvements are made OCIO will not be in a position to effectively allocate resources to correct IT security weaknesses.

Wed, Jun 23, 2010

FISMA was unsuccessful at NASA because they never implemented FISMA. They never integrated FISMA. They did not know how best to implement it. You still need a clean secure security baseline for the system. This is the core essence of C&A. You can't continuously monitor what you never baselined. This is Security 101.

Tue, Jun 8, 2010

We already use tools to capture all the possible automated questions, so what exactly are the "tree-killing exercise" steps that one can bypass on the way to a cleaner C&A? SP 800-37 Rev. 1 Step 1-1? 1-2? 4-1? 4-2? 4-3? I love real-time, but there is still a load of work to get there.

Tue, Jun 8, 2010 James Setzer Virginia Beach

The NASA memo does not suggest that they are turning their backs on C&A. On the contrary, they are discarding the ineffective tree-killing exercise that is a drain on resources and provides little in the way of verifiable information from which to make a risk decision, and replacing it with real-time data collection and analysis that will paint a less subjective and more accurate security picture at a fraction of the cost. They are not ignoring the other facets of system security design, and their memo states "Nothing in this memo relieves system owners and operators from exercising due diligence and care in ensuring that information systems under their authority have adequate security controls in place and are being appropriately monitored."

Tue, Jun 8, 2010 Kevin Winegardner, CISSP State of Montana

The larger issue is Organizational Resilience. Info Risk Mgmt and frameworks that support this methodology, such as FISMA/NIST's 'Risk Management Framework', provide a way of implementing and institutionalizing this methodology in the org culture. Complete security is an illusion. Complete security just from implementing technical controls is impossible. The org must approach the management of its risk from the operation of its programs/systems in a holistic manner that addresses managerial, operational, and technical controls according to the risk tolerance and the requirements of the business. The business/system owners must take ownership of the security requirements for their programs/systems, then commit the necessary resources to meet those requirements. IT Security is only one aspect of this task. This is all FISMA/NIST, and it's all common sense that has been applied in the private sector for years. Bottom line: The operation of business programs/systems that manage information is going to generate risk to the org; the org will suffer compromises (take damage); the info risk manager's job is to work with org leadership to determine the level of damage the org can sustain and still accomplish its mission, then work with the business/system owners to determine the security controls required to stay below that level.
