Is a legislative fix in FISMA's future?
Some say problem is how the 2002 law has been implemented
Even without an overhaul of the Federal Information Security Management Act (FISMA), some experts say departments and agencies can dramatically improve their cybersecurity by using more focused, automated and continuous approaches to security.
Some members of Congress, government officials and security experts have argued that agencies' efforts to comply with FISMA amount to little more than filling out paperwork exercises and the situation requires a legislative fix. Sen. Thomas Carper (D-Del.) introduced legislation in April to reform FISMA, and Sen. Joe Lieberman (I-Conn.) has said he hopes to include provisions to reform the 2002 law in comprehensive cybersecurity legislation he plans to introduce.
Despite indications that agencies have improved their compliance with parts of FISMA, some agencies still consider their information security controls to be a significant deficiency or material weakness, the Government Accountability Office found earlier this year.
John Streufert, the State Department’s chief information security officer, and John Gilligan, a former chief information officer for the Air Force and the Energy Department, say the problems may stem from how agencies comply with the law and less about the act’s actual language.
Streufert and Gilligan made those comments Nov. 12 during a security conference in Washington sponsored by the 1105 Government Information Group, the owner of Federal Computer Week.
“Recently I went back and reread FISMA, and FISMA has been lambasted; … some say FISMA needs to be revised, [that] it’s fundamentally flawed,” said Gilligan, now retired from government and is president of the Gilligan Group consulting firm . “It really is not that bad; it’s a good piece of legislation, what’s really wrong is how we have implemented it.”
Meanwhile, Gilligan and Streufert questioned the extent to which the massive amount of reports agencies must now produce to comply with FISMA actually improve security.
Streufert said during six years the State Department produced 95,000 pages of certification and accreditation (C&A) documents to meet FISMA requirements at a cost of $1,400 per page, for a total library of documents that cost $130 million.
Gilligan said agencies' efforts to comply with FISMA have become "a paperwork drill." He added, "Every year stacks of paperwork are counted and then those are used to feed grades, and we send those grades up to [Capitol] Hill, we have hearings, and there is a façade of improving security based on higher and higher stacks of paperwork.”
Meanwhile, Streufert said State reduced what it spends on the C&A of systems by 62 percent annually, relative to what it spent before examining its processes in 2006. Streufert said the money saved has been used to develop toolkits that other departments and agencies can use to lower their C&A costs.
In addition, State has also been conducting a pilot program since July 2008 to continuously monitor vulnerabilities and produce ongoing grades of security risks. Streufert said the program has reduced vulnerabilities and improved accountability and the benefits are scalable to other government organizations.
”So far [State] has reduced known vulnerabilities by a factor of 10, but problems are still unacceptably high so much remains to be done,” Streufert said in a follow-up e-mail message. “What has been accomplished so far has been possible with exceptional teamwork fueled by [the] use of metrics."
Streufert said the pilot program has shown that "when continuous monitoring augmented the snapshots required by FISMA, mobilizing to lower risk was both feasible and fast.”
Streufert also said the Consensus Audit Guidelines (CAG) have been useful. Those guidelines consist of 20 specific security controls announced earlier this year after being agreed to by a consortium of federal and private industry cybersecurity officials brought together by Gilligan. The guidelines are based on specific experiences in dealing with particular attacks directed at the information systems of the government and the defense industrial base.
Streufert said perhaps the FISMA law itself doesn’t need to be changed, but people need to look at the requirements to perform annual monitoring as a minimum, and try to exceed them. “So taking the same basic elements of FISMA, let’s turn them upside down and see what’s possible,” Streufert said.
Ben Bain is a reporter for Federal Computer Week.