GAO to seek FISMA changes

Should agencies spend less time reporting on security and more time monitoring it?

Letter to DHS CIO Scott Charbo about network security

Related Links

The Government Accountability Office will recommend that federal agencies take a more qualitative and risk-based approach to evaluating their information security.

In a report to be released later this year, auditors will advocate changes in the Office of Management and Budget’s policy guidelines for complying with the Federal Information Security Management Act·(FISMA).  Greg Wilshusen, GAO’s director for information security issues, said GAO is closely reviewing the performance measures that OMB uses to ensure that agencies are implementing proper security controls.

The review comes as lawmakers and others are criticizing FISMA for failing to improve the security of government computer systems. Meanwhile, experts differ on whether a risk-based approach would improve the situation.

The system of letter grades that Congress assigns to rate FISMA compliance “appears to have no connection to the security of the agencies,” said Rep. Zoe Lofgren (D-Calif.). Lofgren was one of several lawmakers who questioned FISMA’s effectiveness during a recent hearing about attacks on State and Commerce department computer systems last year. The House Homeland Security Committee’s  Emerging Threats, Cybersecurity and Science and Technology Subcommittee sponsored the session.

One security expert said federal agencies might be better off spending less time documenting security and more time monitoring it. “Federal IT security practices have been aimed at rewarding those who sufficiently document IT security management,” said Alan Paller, director of research at the SANS Institute. 

The government’s security policies should reward agencies that demonstrate their defenses are solid or that their responses to attacks are effective, Paller said. “While the government has many reports and policies,” he added, “it doesn’t necessarily have good IT security.”

OMB’s performance measures are primarily quantitative rather than qualitative, Wilshusen said. “While agencies are reporting increased implementation of control activities, which is a good thing, it doesn’t reflect how effectively they are implementing them,” he added.

GAO will be looking at the effectiveness of those measures and whether they should be revised, Wilshusen said. He would not say what new performance measures GAO is contemplating. However, he hinted that the recommendations would draw from work the investigative agency completed two years ago. A 2005 GAO report emphasized the advantages of a risk-based approach to government information security.

Such an approach could be useful in improving agency information security, said Mark Day, chief technology officer at McDonald Bradley and former CTO at the Environmental Protection Agency. “It goes back to a cost/benefit analysis,” he said. “You can spend less on controls on systems that contain information of lesser value.”

But Paller warned that poorly implemented risk-based controls could be catastrophic. “Often, when people who have never secured systems employ the term ‘risk’ in planning and testing security, they end up misallocating resources and opening major holes into federal systems,” he said. Leaving low-risk systems vulnerable allows hackers to penetrate higher-risk systems because all the computers are networked,  he added.

Buxbaum is a freelance writer based in Bethesda, Md.

Lawmakers press DHS for security answersSix members of the House Homeland Security Committee signed a letter April 30 to Scott Charbo, the Homeland Security Department’s chief information officer, that asked  for information on how DHS protects its networks.

The lawmakers posed 13 detailed questions, including:
  • Has DHS conducted internal and external penetration tests on its systems and made copies of all reports  describing vulnerabilities?
  • Has DHS implemented a secure coding initiative and tested the security configuration of its software and Web applications?
  • What are DHS’ top three initiatives for securing its networks and how does the department measure their success?
— Jason Miller

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • Social network, census

    5 predictions for federal IT in 2017

    As the Trump team takes control, here's what the tech community can expect.

  • Rep. Gerald Connolly

    Connolly warns on workforce changes

    The ranking member of the House Oversight Committee's Government Operations panel warns that Congress will look to legislate changes to the federal workforce.

  • President Donald J. Trump delivers his inaugural address

    How will Trump lead on tech?

    The businessman turned reality star turned U.S. president clearly has mastered Twitter, but what will his administration mean for broader technology issues?

  • moving ahead

    The bid to establish a single login for accessing government services is moving again on the last full day of the Obama presidency.

  • Shutterstock image (by Jirsak): customer care, relationship management, and leadership concept.

    Obama wraps up security clearance reforms

    In a last-minute executive order, President Obama institutes structural reforms to the security clearance process designed to create a more unified system across government agencies.

  • Shutterstock image: breached lock.

    What cyber can learn from counterterrorism

    The U.S. has to look at its experience in developing post-9/11 counterterrorism policies to inform efforts to formalize cybersecurity policies, says a senior official.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group