Paller: FISMA 2008: A better solution

New FISMA proposals target deficiencies

Ever since the first Federal Information Security Management Act report card was issued for fiscal 2003, federal chief information officers have measured the success of their cybersecurity programs by the grades they get on those annual assessments.

They spend hundreds of millions on certification and accreditation reports and other paperwork to comply with FISMA guidance from the Office of Management and Budget and the National Institute of Standards and Technology. And most receive low grades.

But do FISMA grades actually measure effective security, or are they just paperwork exercises? The person in the best position to answer that question did so in a Senate hearing a few months ago. Karen Evans, who oversees all federal information technology spending for the White House, told senators that if agencies are doing the reports solely to meet compliance requirements, then they are just a paperwork exercise. In other words, FISMA compliance is not the same as — and, many would contend, gets in the way of — effective cybersecurity.

To address that, the Senate drafted new legislation, with substantial input from Evans and others who understand the difference between effective security and mere compliance. The FISMA 2008 legislation is aimed at better synchronizing agency responsibilities under the law with the activities needed to maintain maximum cost-effective security of federal systems.

The most important improvements in the new law are not the ones that are most often cited. Enhanced chief information security officer authority and a step up in red team exercises can add value, but three other changes will have much greater effect, if the legislation becomes law.

1. FISMA 2008 would require agencies to buy products with security built in rather than trying to add it after the fact. No single change in federal cybersecurity will have a greater effect. The Air Force proved the power of the principle with the now more than 500,000 computers the service has purchased with built-in secure configurations. The result has been savings of more than $100 million, patch delays reduced from 57 days to 72 hours, and happier users facing fewer problems.

2. The new law would require attack-based metrics, saying that agencies must demonstrate their systems are effectively protected against known vulnerabilities, attacks and exploitations. Using attack-based metrics means learning the offense and using that knowledge to develop the defense.

3. And most striking of all, the measure would require agencies to reach governmentwide agreement on what those attack-based metrics must be by establishing a baseline of information security measures and controls that can be “continuously monitored through automated mechanisms.” Those words mark another stark change from the annual to triannual reviews that were common under the old law.

Together, these changes would establish a foundation for massive transformation of federal cybersecurity. They can harmonize the efforts of chief information officers and inspectors general because both will measure against the same set of attack-based metrics.

Paller is director of research at the SANS Institute.
