Hurford: Failing at FISMA
An agency’s failing grade can mean many things, including being cut off from the Internet
- By Joel Hurford
- May 08, 2006
The computer security report card that Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, issues attracts notoriety when he releases it each spring. Perhaps the spectacle of so many failing agencies attracts our attention. Or maybe it is the interest in seeing a Cabinet-level agency — the Interior Department in this case — contesting its failing grade in federal court.
In most professional disciplines, failing usually means your performance has been so remiss that you are no longer entitled to practice. But that doesn’t appear to be the meaning of the criteria and scoring developed by the Office of Management and Budget, the Government Accountability Office and the House Government Reform Committee.
GAO applies a weighting system to the policy, training, risk analysis and testing criteria established by OMB. Then GAO collects the reported metrics from each agency and each agency’s inspector general to create a blended score. It weighs the IGs’ scores more heavily because they are seen as independent reviewers who are not inclined to make the numbers look good.
The IGs and agencies, however, have latitude to interpret the standards when they report compliance with OMB’s criteria. That subjectivity makes it difficult to assign consistent meaning to report card grades.
For example, every IG completes an annual financial audit at about the same time each agency completes its yearly evaluation for compliance with the Federal Information Security Management Act of 2002. The financial audit requires that the IG assess information system controls using the same standards prescribed for FISMA. The auditor reports the most severe deficiencies against those standards as a material weakness. You would expect that ineffective computer controls that contributed to a material weakness would be reflected in that agency’s FISMA report card grade. But that is not always the case.
In May 2005, Interior defended itself in a legal action to disconnect its information systems from the Internet. The department’s IG testified in a public hearing that he would give the agency an F for information technology security. The IG made his determination three weeks before OMB released its FISMA assessment criteria and four months before the end of the reporting period.
The rapid evolution of computer security standards must be considered in interpreting the progress of federal IT security. The number of FISMA standards from the National Institute of Standards and Technology has quintupled in the past five years. They provide meaningful IT security objectives. The report card, however, does not take into account the challenge of meeting an increasing number of standards.
The report card is a valid attempt to measure and improve government performance. Federal leaders, however, must consider its limitations when planning strategically. Agencies may be challenged to pursue meaningful and cost-effective security in areas that the report card fails to acknowledge.
Even worse, the public and litigants have read the report card as evidence of organizational failure and of overwhelming risk to individuals.
Such a view of the report card is not accurate, but it has been presented in a U.S. District Court to justify disconnecting Interior from the Internet (Cobell v. Norton). The economic and governmental disruption would be catastrophic if that same ruling were applied to all federal agencies with failing FISMA scores.
Hurford is a former chief information security officer at the Interior Department. He is now a partner with Mitsis IT Services.