CISOs assess the assessors

Government chief information security officers still have no cure for the headache of producing quarterly or annual reports on their agencies' security status, which they must complete to satisfy congressional and oversight requirements. Participants in FCW’s CISO round table described the system audits and reporting processes as cumbersome, time-consuming, painful and difficult.

Some of the CISOs said the burden is easing somewhat as the reporting processes mature, particularly for the Federal Information Security Management Act. However, many still question whether periodic reporting exercises are the best way to bolster security.

“I wouldn't say they are the most effective way of improving cybersecurity, but they do improve the cybersecurity program by locating weaknesses in our program that may not have been known,” said Ryan Brewer, chief information security officer at the Centers for Medicare and Medicaid Services.

Others say FISMA can’t keep up with new risks.

“Given the rapid changes in the threat landscape, merely meeting a checklist of requirements simply shows that we are compliant to a state of security at the time the regulation was created,” said Robert Maley, Pennsylvania's chief information security officer.

Others say there should be less emphasis on reporting.

“Reporting should be a secondary function to the actual securing of our systems and applications,” said Phillip Loranger, chief information security officer and acting director of information assurance at the Education Department. “This process needs to be re-evaluated and streamlined to be less administratively focused and more action-focused.”

A July report from the Government Accountability Office highlighted ongoing weaknesses of the FISMA reporting process and its frequent failure to identify disparities between agencies’ FISMA compliance records and their security status.

Federal Chief Information Officer Vivek Kundra has called for a rewrite of FISMA that would, in addition to clarifying the reporting process, yield metrics that assess security postures and continuously identify new threats. At least one CISO fears that such efforts could fall into old traps.

“I would hope that with the next evolution of FISMA, the lawmakers and the executive branch would actually call out to the agency CISOs in a collaborative manner to come up with a better way to satisfy these requirements,” Loranger said. “If they continue to work in a vacuum, I’m afraid we’ll be faced with the same challenges as before.”

Federal CISOs rate FISMA

Federal chief information security officers characterized the effectiveness of the Federal Information Security Management Act’s reporting process. Here are their responses.

Real but uneven improvement: 48 percent

Paper exercise with little upside: 24 percent

Costs exceed benefits: 19 percent

A great success: 9 percent

Source: The State of Cybersecurity from the Federal CISO’s Perspective, (ISC)2, April

About the Author

John Moore is a freelance writer based in Syracuse, N.Y.
