NASA's FISMA stance stirs up a debate

Readers still see value in certification and accreditation process

NASA’s top cybersecurity official raised a few eyebrows and won a lot of fans last month when he said the cost of complying with the Federal Information Security Management Act was not a good investment.

Rather than spend tens of millions of dollars going through the paperwork-intensive certification and accreditation process in 2010, NASA planned to invest its money in technology that would make it possible to manage security risks in real time, said Jerry Davis, NASA’s deputy chief information officer for information technology security.

“Security is still going to be done,” he told Federal Computer Week’s Ben Bain. "Certification and accreditation will still be done, but the way we do it is going to change significantly and the frequency of it will change. Instead of every three years, you’re really going to be doing it, in a sense, on a weekly or monthly basis. You’re always going to be looking at those controls and adjusting them for changes."

Many cybersecurity experts cheered Davis, suggesting that he spoke aloud what a lot of government officials have been thinking for some time. But numerous FCW readers see it as a dangerous precedent that ignores the real value of the certification and accreditation process. Here is a sampling of the comments we received.

Reader comments

[Editor's note: Comments have been edited for length, clarity and style].

Watch the Watchdogs

I would really like to know what the NASA inspector general has to say, because until the FISMA law changes, federal agencies are required to follow current policy. Many agencies have tried to implement many risk-based, cost-saving measures. But if you are an organization that is audited by your IG and the Government Accountability Office, you will find that this type of action meets with many issues in the way of adverse findings.

— Anonymous

Not Soon Enough

The really sad story is that this decision was not made about a year ago before the next round of paperwork started. Then NASA could have had some real significant savings. Since we are stopping this late into the process, we have wasted a lot of resources. At least as part of the processes, we have updated our risk assessments and our plans of actions and milestones. The best news is that NASA's horrific IT security documentation generator/repository looks like it will be rocketed out of NASA's cyberspace.

— A NASA information system security officer

Show Your Work

Has Mr. Davis produced a business impact analysis that he would be willing to share publicly or in redacted form? Wouldn't someone do that before issuing a blanket policy memo directing change with considerable risk implications?

— Sally

Truth and Consequences

Maybe the IG of NASA needs to have another look at the memo and document the risk to NASA and any agencies using NASA services. No one is arguing with a fresh look at FISMA and even tossing it out in favor of something better. What really is frustrating is the Senior Executive Service mentality of super-solution and super-memo with no regard to what actually needs to be done and how and by who and when…. Where is real governance with real consequences?

— JimR

Not Measuring Up

The question is: What good is the technical monitoring if you don't know what you’re looking at, other than a workstation or a server? Also, without the requirement of a certification, all people will do is ensure their machine can be patched or be off the network and nothing more. What is measured is done, and since NASA will now measure patching, this is what will get done.

— Daniel Philpott

A Poor Posture

A security monitoring tool is not going to tell you your complete security posture. At best, the tools are a passive approach to managing vulnerabilities detected in the information systems. What if you fail to train your employees, and someone downloads an e-mail message with a virus? Your tool will detect the virus, but it won't detect the yahoo downloading the e-mail. Root cause, folks. Start integrating the risk management framework into your software development life cycle process. That is your first step to implementing a successful security authorization process.

— Frustrated

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Wed, Sep 29, 2010 SunMan Greenbelt, MD

For small "systems," the total workload for producing a C&A (S&A) plan is unsupportable. Likewise, lumping them in with larger systems not managed by the same risk managers is a recipe for disaster. The emphasis for such systems should rightly be on monitoring, testing, and constant revision of relevant controls, rather than producing meaningless "metrics" that are of interest only to managers who don't know what the controls really are or what people who implement them really do for a living.

Thu, Sep 23, 2010 Jack

Ohhhh they sure did move away from FISMA... not in a good way... This sums it up: http://oig.nasa.gov/audits/reports/FY10/IG-10-024.pdf We found that NASA’s IT security program had not fully implemented key FISMA requirements needed to adequately secure Agency information systems and data. For example, we found that only 24 percent (7 of 29) of the systems we reviewed met FISMA requirements for annual security controls testing and only 52 percent (15 of 29) met FISMA requirements for annual contingency plan testing. In addition, only 40 percent (2 of 5) of the external systems we reviewed were certified and accredited. These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program. We also found that NASA’s Office of Chief Information Officer (OCIO) had not effectively managed corrective action plans used to prioritize the mitigation of IT security weaknesses. This occurred because OCIO did not have a formal policy for managing the plans and did not follow recognized best practices when it purchased an information system that it hoped would facilitate Agency-wide management of IT corrective action plans. However, after spending more than $3 million on the system since October 2005, implementation of the software failed. The Agency is currently expending funds to acquire a replacement system. Specifically, we found that the information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans across NASA. For example, the system contained corrective actions plans for only 2 percent (7 of 289) of the 29 systems we sampled. In our judgment, the system was underutilized because OCIO did not fully document detailed system requirements prior to selecting the system and did not have users validate requirements via acceptance testing prior to implementing it. Because the information system contained minimal data and the manual process the Agency relied on was not consistently followed, OCIO’s management of corrective actions plans was ineffective and did not ensure that significant IT security weaknesses were corrected in a timely manner. Until NASA takes steps to fully meet FISMA requirements and to improve its system acquisition practices, NASA’s IT security program will not be fully effective in protecting critical Agency information systems. Moreover, until such improvements are made OCIO will not be in a position to effectively allocate resources to correct IT security weaknesses.

Thu, Jun 17, 2010 Norm G. DC-ish

Examine, Interview, and Test -vs.- Security Content Automated Protocol (SCAP). It's really difficult to get an automated tool to do an interview. The determination of procedural compliance may not be evident to an automated test. Which direction (uncovered window) is your monitor facing? Tough to automate. Is your password written under your keyboard? Another tough one. The melding of automation and human assessment might be a good choice. Full automation ... they write movies about that one.

Mon, Jun 14, 2010 David Wilson Ashburn, VA

Based on all the media coverage of the NASA memo, my understanding is that Security Authorization (or C&A) is still part of the NASA security process, with emphasis being placed on Continuous Monitoring of systems after their fielding. This is consistent with the NIST Risk Management Framework documented in 800-37 rev.1. My most significant concern with the new NASA direction is that there needs to continue to be some consideration for third-party involvement in the periodic assessment of security controls. The good news is -- there's a control for that. Actually two --CA-2 and CA-7 -- assuming these are implemented appropriately the independence of assessors and their scope of evaluations will mitigate my initial concerns with the memo. Why was I concerned about this? When you read the commercial threat/security reports issued annually by IBM-ISS X-Force and/or Verizon, you see that the most sophisticated attacks are typically detected by third-party assessors.

Mon, Jun 14, 2010 NickK

How can you honestly say that a labor intensive process is going to better solve the root-cause issues versus an automated system AUGMENTED by boots in the field? No one looking at FISMA 2.0 or risk automation thinks that the entire program is solved by an automated solution. The idea is that you automate the most basic and simple tasks that honestly don't require human processing power, and then re-allocate human bodies and brains to solving the root problems. I applaud that NASA has realized that not every problem requires a human in the seat, and to better allocate their human capital to solving problems, not identifying them. For everyone else who seems to think their antiquated way of having only humans doing things is the future, I have 6 letters; SAIR II.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above