FISMA compliance: Money misspent?

Agencies' efforts to carry out the Federal Information Security Management Act have fallen short and taxpayers' money has been misspent, a prominent security expert said this week at a public workshop on FISMA.

"FISMA gets four F's, not in its writing, but in its implementation," said Alan Paller, director for research at the SANS Institute, an education and research group specializing in systems and network management and security.

Paller and other officials spoke May 20 at a workshop presented by the Center for Democracy and Technology, the Council for Excellence in Government, the Cyber Security and Policy Research Institute at George Washington University and the American Council for Technology.

To date, agencies have spent about $300 million on efforts to protect their computer systems, yet they still have insecure systems, Paller said.

In some areas, he said, federal agencies could use better guidelines from the Office of Management and Budget and the National Institute of Standards and Technology, the two agencies responsible for guidance on complying with the law.

For example, in addition to the focus on systems in the guidelines, Paller said, federal officials should look at improving the security of their agencies' computer network infrastructure through such means as automated security patches and intrusion detection systems.

FISMA guidelines "don't give you any points for patch automation because it's an infrastructure function," he said.

Federal agencies, Paller said, have also overlooked the fourth and most important step in the security certification and accreditation process: continuously monitoring systems once they have been certified and accredited.

Finally, he said, computer worms regularly infect systems when agency employees install default versions of Microsoft Corp.'s Windows operating system on computers connected to the Internet. Doing that means agency officials are ignoring the FISMA clause that says no computer should be connected to the network unless it has been safely configured, Paller said.

"That means a reasonably large number of computers are doing low and slow attacks inside your own firewall, looking for new machines to take over," said Paller, one of several speakers for the workshop.

Stuart Katzke also urged federal civilian agencies to change the prevailing culture, which is to connect new computers to a network and worry about security later.

Katzke, senior computer scientist and information security researcher at NIST's Information Technology Laboratory, said the agency's role now is to provide standards and guidelines for compliance with FISMA. After it completes those documents, NIST officials will begin Phase 2 of their responsibilities, he said, which will be to create a pool of qualified organizations able to help agencies perform the security assessments that the act requires. Katzke's remark triggered a muffled cheer in parts of the mostly government audience.

One of the biggest challenges for federal officials will be to find ways to protect their information and information systems within very limited budgets, he said.

Glenn Schlarman, OMB's branch chief for information policy and technology, said the agency continues to work toward a goal of information security practices that are "documentable, repeatable and consistent across all agencies."

Paller encouraged federal officials to spend more time learning from one another. He cited the Transportation Department's success in reducing the typical cost of certification and accreditation of its information systems from between $28,000 and $48,000 per system to about $5,500 per system.
