Schlarman: New FISMA is the wrong solution
- By Glenn Schlarman
- Oct 15, 2008
Although the Federal Information Security Management Act could use some fine-tuning and clarification, S.3474 — the “new FISMA” now under Senate consideration — is unnecessary, creates but doesn’t solve problems, and comes too late for this administration and too early for the next.
Three additional factors beg for its quick death:
- The most frequent criticism of FISMA is that it has become a paperwork drill. The new FISMA adds more paper.
- Another common complaint about federal security programs in general is that chief information officers and the Office of Management and Budget-led CIO Council haven’t done their jobs. New FISMA compounds that problem by creating a parallel universe with yet another interagency council that is bound to compete with existing organizations. It also gives citizens of this new universe — CIO subordinates — enforcement powers that even CIOs don’t have.
- Through a simple word swap (“audit” instead of “evaluation”), new FISMA promotes resource draining, security-weakening competition between inspectors general and agencies.
I’m not surprised by the renewed push for audits. They are comfort food for GAO and IGs. But during the 1999 development of FISMA’s predecessor, the Government Information Security Reform Act, lawmakers chose less formal and more agile evaluations over audits. The reasons they did so are still largely valid.
First, audits are inflexible and promote gotcha results while repelling both cooperation and sharing of information and resources among the auditor and audited.
Second, because cooperation and sharing don’t exist, obfuscation often does. To avoid an unfavorable finding, those being audited don’t volunteer pertinent information to auditors.
Third, without sharing, IGs and agencies must compete for limited resources and a finite pool of smart security folks. Would you rather work long hours to secure your system, only to be rewarded by a probe from a second-guessing auditor? Or would you prefer to be that auditor?
Fourth, GAO is finally updating audit standards for IT systems. It is too early to assess the new standards’ quality, but they appear to be consistent with modern executive branch guidance. But, except in an appendix, GAO made little attempt to map FISMA itself. The guidelines might be fine for audits, but they are a far cry from what’s needed for evaluations.
New FISMA should sink and not resurface until the next administration and Congress take office. Then its return or replacement by a new proposal must be part of a larger cybersecurity strategy. And unlike this administration’s overly secret cybersecurity initiative, that strategy must recognize the overwhelming majority of government programs are for public use and thus the public deserves to be a meaningful part of security policy development.
In the meantime, if an agency believes something in the new FISMA is important for security — and probably only continuous monitoring is — let’s hope they’re already doing it as part of system certification and accreditation. They should not need another law.

Schlarman is a former chief of the Office of Management and Budget’s Information Policy and Technology Branch.