GAO to seek FISMA changes

Should agencies spend less time reporting on security and more time monitoring it?

Letter to DHS CIO Scott Charbo about network security

Related Links

The Government Accountability Office will recommend that federal agencies take a more qualitative and risk-based approach to evaluating their information security.

In a report to be released later this year, auditors will advocate changes in the Office of Management and Budget’s policy guidelines for complying with the Federal Information Security Management Act·(FISMA).  Greg Wilshusen, GAO’s director for information security issues, said GAO is closely reviewing the performance measures that OMB uses to ensure that agencies are implementing proper security controls.

The review comes as lawmakers and others are criticizing FISMA for failing to improve the security of government computer systems. Meanwhile, experts differ on whether a risk-based approach would improve the situation.

The system of letter grades that Congress assigns to rate FISMA compliance “appears to have no connection to the security of the agencies,” said Rep. Zoe Lofgren (D-Calif.). Lofgren was one of several lawmakers who questioned FISMA’s effectiveness during a recent hearing about attacks on State and Commerce department computer systems last year. The House Homeland Security Committee’s  Emerging Threats, Cybersecurity and Science and Technology Subcommittee sponsored the session.

One security expert said federal agencies might be better off spending less time documenting security and more time monitoring it. “Federal IT security practices have been aimed at rewarding those who sufficiently document IT security management,” said Alan Paller, director of research at the SANS Institute. 

The government’s security policies should reward agencies that demonstrate their defenses are solid or that their responses to attacks are effective, Paller said. “While the government has many reports and policies,” he added, “it doesn’t necessarily have good IT security.”

OMB’s performance measures are primarily quantitative rather than qualitative, Wilshusen said. “While agencies are reporting increased implementation of control activities, which is a good thing, it doesn’t reflect how effectively they are implementing them,” he added.

GAO will be looking at the effectiveness of those measures and whether they should be revised, Wilshusen said. He would not say what new performance measures GAO is contemplating. However, he hinted that the recommendations would draw from work the investigative agency completed two years ago. A 2005 GAO report emphasized the advantages of a risk-based approach to government information security.

Such an approach could be useful in improving agency information security, said Mark Day, chief technology officer at McDonald Bradley and former CTO at the Environmental Protection Agency. “It goes back to a cost/benefit analysis,” he said. “You can spend less on controls on systems that contain information of lesser value.”

But Paller warned that poorly implemented risk-based controls could be catastrophic. “Often, when people who have never secured systems employ the term ‘risk’ in planning and testing security, they end up misallocating resources and opening major holes into federal systems,” he said. Leaving low-risk systems vulnerable allows hackers to penetrate higher-risk systems because all the computers are networked,  he added.

Buxbaum is a freelance writer based in Bethesda, Md.

Lawmakers press DHS for security answersSix members of the House Homeland Security Committee signed a letter April 30 to Scott Charbo, the Homeland Security Department’s chief information officer, that asked  for information on how DHS protects its networks.

The lawmakers posed 13 detailed questions, including:
  • Has DHS conducted internal and external penetration tests on its systems and made copies of all reports  describing vulnerabilities?
  • Has DHS implemented a secure coding initiative and tested the security configuration of its software and Web applications?
  • What are DHS’ top three initiatives for securing its networks and how does the department measure their success?
— Jason Miller

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group