Schlarman: New FISMA is the wrong solution

Although the Federal Information Security Management Act could use some fine-tuning and clarification, S.3474 — the “new FISMA” now under Senate consideration — is unnecessary, creates but doesn’t solve problems, and comes too late for this administration and too early for the next.

Three additional factors beg for its quick death:

  1. The most frequent criticism of FISMA is that it has become a paperwork drill. The new FISMA adds more paper.

  2. Another common complaint about federal security programs in general is that chief information officers and the Office of Management and Budget-led CIO Council haven’t done their jobs. New FISMA compounds that problem by creating a parallel universe with yet another interagency council that is bound to compete with existing organizations. It also gives citizens of this new universe — CIO subordinates — enforcement powers that even CIOs don’t have.

  3. Through a simple word swap (“audit” instead of “evaluation”), new FISMA promotes resource draining, security-weakening competition between inspectors general and agencies.

I’m not surprised by the renewed push for audits. They are comfort food for GAO and IGs. But during the 1999 development of FISMA’s predecessor, the Government Information Security Reform Act, lawmakers chose less formal and more agile evaluations over audits. The reasons they did so are still largely valid.

First, audits are inflexible and promote gotcha results while repelling both cooperation and sharing of information and resources among the auditor and audited.

Second, because cooperation and sharing don’t exist, obfuscation often does. To avoid an unfavorable finding, those being audited don’t volunteer pertinent information to auditors.

Third, without sharing, IGs and agencies must compete for limited resources and a finite pool of smart security folks. Would you rather work long hours to secure your system, only to be rewarded by a probe from a second-guessing auditor? Or would you prefer to be that auditor?

Fourth, GAO is finally updating audit standards for IT systems. It is too early to assess the new standards’ quality, but they appear to be consistent with modern executive branch guidance. But, except in an appendix, GAO made little attempt to map FISMA itself. The guidelines might be fine for audits, but they are a far cry from what’s needed for evaluations.

New FISMA should sink and not resurface until the next administration and Congress take office. Then its return or replacement by a new proposal must be part of a larger cybersecurity strategy. And unlike this administration’s overly secret cybersecurity initiative, that strategy must recognize the overwhelming majority of government programs are for public use and thus the public deserves to be a meaningful part of security policy development.

In the meantime, if an agency believes something in the new FISMA is important for security — and probably only continuous monitoring is — let’s hope they’re already doing it as part of system certification and accreditation. They should not need another law.

Schlarman is a former chief of Office of Management and Budget’s Information Policy and Technology Branch.


Reader comments

Fri, Dec 16, 2011 Federal Drone

While I can see the theoretical need for standards and audits, I've watched IT productivity in the Federal workspace drop to near 0 as a result of NIST's broad recommendations being implemented as specific requirements and audited on a far-too-frequent basis by OMB. In spite of the mountains of paperwork, FDCC-certified workstations are too often unpatched and easy prey for Adobe and MS 0-day vulnerabilities. Putting people with no IT knowledge in charge of approving or (more often) denying deployment is NOT a good idea. Was it Rome that collapsed under the weight of bureaucracy?

Fri, Jul 29, 2011 Robert MD

Continuous Monitoring is an important aspect, but you need to actually implement security measures that continually improve security effectiveness. I think too many put faith in the mere metrics gathered by the so-called "Continuous Monitoring" concept. Here's the problem: what's critical to monitor first, second, third, fourth, etc.? Who's paying for it? Yet another unfunded standard? Oh yeah, there is no real standardized "Continuous Monitoring Architecture" yet, is there? Who besides select groups understands the intent of FISMA? The problem with the Fed is their own leadership is frequently untrained or cares less about FISMA. Let me clarify by stating many do understand, but not ALL critical leadership cares about FISMA, much less understands it. Why, it's an "IA" area and operational IT managers often don't feel they own the responsibility to enforce the controls. Many IA types get caught up satisfying report requirements when they should be auditing their own internal security first and fixing the broken things. Bottom line, if your Continuous Monitoring program mandates don't have appropriate leadership assigned responsibility and funding, we will have a bigger mess. FISMA was fine; it was the leadership funding and lack of teeth and vision that failed us. Continuous Monitoring was always required by the original FISMA bill, but few took the time to read the damn thing. NIST checklists were always required as well, but the Fed is too liberal in saying their guidance. The checklists are MANDATORY and always have been under FISMA. People need to actually read the bill and understand what they're required to do, is all. Too many people read the law and put in their own intent when it is clear what is required. NIST, you're at fault in some ways, but your program has gotten better. Too many baseline checklists confused the community for far too many years. Step up and give clarity to the minimal requirements for Continuous Monitoring Architectures.
The field needs standards and not fifty zillion guides on what they "could do". Keep it simple, NIST; tell them what they must do. We all know NIST has no authority; perhaps it should if it is to continue writing so much guidance that supports LAW???
