How to move past the FISMA mind-set

Federal agencies are paying a price for trying to minimize all possible information security risks

Jamil Farshchi is chief information security officer and Ahmad Douglas is senior cybersecurity leader at Los Alamos National Laboratory.

The federal government’s information security strategy is unsustainable. Enacted in the Federal Information Security Management Act and implemented in a framework developed by the National Institute of Standards and Technology, that strategy is built on a set of controls whose unintended consequence is to stifle agility and innovation. As new technologies and threats emerge, today’s paper-focused compliance paradigm must give way to a more sustainable long-term option.

Let’s begin with a quick digression on economics. All organizations, whether in the public or private sector, are built on the fundamental principle of value creation. In the private sector, an organization executes a set of business processes to create value for its shareholders, while simultaneously assuming the risks inherent in those processes.

Absent annual board meetings and quarterly financial reports, federal agencies might forget that, just like the private sector, their ultimate objective is to create value for U.S. taxpayers. Whether negotiating trade agreements, protecting the country or maintaining our strategic nuclear arsenal, each federal agency has its own set of core business processes that create value for the nation. Central to executing those business processes effectively is the wise management of their inherent risks.

It is in this regard that the NIST framework falls short. Because the framework does not account for business processes, applying the NIST controls can sacrifice business productivity to mitigate risks of low relative importance. And because the NIST compliance paradigm is primarily paper-based, the best possible outcome is point-in-time — or static — compliance. Unfortunately, point-in-time assessments do not capture the real risk inherent in a dynamic production system.

We need to move to a compliance paradigm that better suits the federal government’s diverse set of business processes. Rather than trying to minimize all risks, as the NIST framework encourages, we should identify the most significant risks to our core business processes. Information security officers would then implement an elegant set of controls to manage those risks. Finally, compliance would move from a check-the-box exercise to an honest, holistic assessment of an organization’s risk management framework.

In a sustainable compliance paradigm, we must first focus on value and then integrate risk. Such a paradigm would adhere to the following guidelines.

  1. Start with business processes. The chief information security officer should intimately understand the business processes the organization uses to create value. Supporting and accelerating those processes are the core facets of a sustainable information security strategy.
  2. Adopt true risk-based decision-making. You manage risks through the lens of value creation by asking: How will mitigating a given risk affect my organization’s productivity? Will the reduction in potential loss or liability more than offset the productivity cost?
  3. Streamline the core control set. The core information security controls that support almost any mission are few. Place them at the center of a new, mission-focused framework. Make other controls optional or discontinue them.
  4. Use documentation wisely. The existing certification and accreditation process is time-, labor- and paper-intensive. Certainly, some information security aspects can be assessed effectively on paper, such as process and governance. Others, such as configuration and vulnerability management, cannot. Create documents when they add value. Implement spot-checks or continuous monitoring elsewhere.

Our goal is to open a dialogue on value-focused risk management in the federal government. We hope that federal decision-makers will realize the significant long-term challenges presented by the compliance approach in place now and will consider steering the federal information security compliance paradigm toward a better balance of value and risk.

About the Authors

Jamil Farshchi is the Chief Information Security Officer (CISO) at the Los Alamos National Laboratory and has previously served in senior information technology roles in both government and private sectors including Sitel Corporation, NextWave Wireless, and the National Aeronautics and Space Administration. Jamil has numerous publications, including a recent cover article for Chief Security Officer Magazine (CSO). Jamil has been awarded the President’s Council for Integrity and Efficiency Information Technology Excellence award and the NASA Cooperative External Achievement Award, among several others. He has a BBA from University of Oklahoma, a PLD from Harvard Business School, and is currently a Doctoral candidate at the Wharton School, University of Pennsylvania.

Ahmad Douglas is senior cyber security leader at Los Alamos National Laboratory.



Reader comments

Tue, Oct 12, 2010

Some of the commenters are correct, NIST does have the flexibility built into the process of compliance, but it requires personnel in positions of authority to actually practice "risk acceptance" instead of not knowing what the statement means and forcing the process into a mind-numbing paper drill. This requires proactive information security personnel to take the time to educate management on what the risks really are. If we as information security personnel fail to educate our management then we will work for the sake of generating paperwork and not for managing true risk.

Fri, Sep 24, 2010 Washington DC

I would agree that compliance is a dysfunctional art of IG inspectors trying to fathom what NIST intended, which is why they add so little value in what they purport is necessary. It is precisely because NIST intentionally introduces creative license into the implementation of security controls where we get into trouble, because the IG Compliance Mandate is incapable of dealing with such freedoms. In this vacuum of absolutes, OIG introduces fanciful opinions on how things ought to be done, and in an instant, chaos reigns, NFRs get issued and somehow - NIST and everything it promulgates is at fault. Until the gubment can come to grips with the difference between what NIST advocates, and what compliance inspectors dream up as standards, the cart will always be leading the horse.

Wed, Sep 22, 2010

NIST's requirements aren't as rigid as this commentary implies. The NIST publications implore organizations to customize controls to fit their systems. With control customization comes customized documentation. If any inflexibility exists, it is likely at the individual agency level (generically interpreting NIST requirements and forcing all of their systems to adhere to that generic interpretation). If organizations DON'T grasp NIST's intent, then FISMA compliance can easily be viewed as a 'paperwork exercise.' For those organizations which DO understand NIST's intent, the (mandatory) guidance NIST provides helps organizations establish a robust security program.

Thu, Sep 16, 2010

The Los Alamos gentlemen have misinterpreted the Fed/NIST IT security program. Systems/applications are categorized by their managers as having a HI/MED/LO impact on their mission if confidentiality, integrity, or availability of the system or its data are lost. The 1st resource focus is on HI systems. Not every vulnerability is addressed. However, I believe the NIST creators of "continuous monitoring" are either from a different planet or at least using a different dictionary of the English language. Though CM of security configurations is possible with automated tools, several SP 800 NIST pubs recommend monthly, annual, even once-per-3-year assessments or checks or measurements, yet name the approach "continuous monitoring". It is not; NIST should think of a more credible name.

Wed, Sep 15, 2010

How is this "moving past" FISMA? Isn't this the whole point of the RMF section of FISMA? My main problem with FISMA is that guidance somehow became gospel. Compliance measurement is the real problem, as that's where the checklist approach comes from. The end users are savvier than the auditors, which leads to blind blanket applications of guidelines instead of reasoned interpretation of the implementation. This would of course cost more and drive timelines even longer than the usual C&A process.
