Time to move beyond FISMA, CISOs say

The Federal Information Security Management Act (FISMA) will be five years old in November, and it has achieved its goal of raising the government’s awareness of cybersecurity, federal officials say.

Some chief information security officers say agencies must move beyond the law’s requirements to address real-time monitoring and install proactive and dynamic defenses.

“We need to move above and beyond the paper exercises and see what is happening and evaluate ourselves against it,” said Ed Meagher, the Interior Department’s deputy chief information officer. “We can’t stop doing the reporting that FISMA requires, but we need to look for ways to understand what the threats are and in real time.”

Michael Castagna, the Commerce Department’s CISO, said FISMA provided visibility and a way to communicate security requirements to senior managers and other employees.

“Security must be rooted in the organization’s culture,” he said during a panel discussion on information technology security sponsored by Cisco Systems and FCW Events. “FISMA helped us put security in our governance processes, [such as] capital planning and investment control, IT investments, and enterprise architecture.”

One agency participant agreed with Meagher and Castagna that FISMA has succeeded in getting agencies to focus on security in their day-to-day operations.

Now CISOs must take a more aggressive approach to spreading the word about cybersecurity, Meagher said.

“The CISO community is hesitant to speak up because they feel like they are not at the table [with other chiefs] yet,” he said. “The one thing they must stop is management complacency. Telling them to do it is not enough.”

Meagher said it is best for CISOs to be visible throughout the agency and have a track record of success.

“You need to know your priorities based on your mission needs,” said Dennis Heretick, the Justice Department’s CISO. “You then prioritize your requirements based on risk.”

Patrick Howard, the Department of Housing and Urban Development’s CISO, said the agency focuses on ensuring security when planning and developing new systems.

“We are designing the controls at the right stage to support our business better,” he said. “We are trying to move out of playing catch-up with our older systems.”

Heretick said the risk for most agencies lies in their installed base of legacy systems, so Justice is focusing on those first and using new systems to replace applications that cannot be updated or are too expensive to improve.
