FISMA forces business leaders to pay attention

For one of the best examples of the impact of the Federal Information Security Management Act in the past five years, look no further than the State Department’s reaction to a hacker attack from a foreign country in 2006.

Instead of instantly shutting down the affected networks, the department performed a risk analysis and discovered that the hack involved reconnaissance rather than data theft, said Donald Reid, senior coordinator for security infrastructure at State’s Bureau of Diplomatic Security.

“We saw there was no malicious activity, so we worked with the chief information officer to develop a set of tripwires of when we needed to pull the host networks,” Reid said today at a FISMA breakfast discussion sponsored by Government Executive magazine. “As soon as we saw an exfiltration of information, we would pull the networks off-line.”

Reid said he and his team evaluated the business impact of taking 45 networks off-line and waiting up to two months for the software patch to arrive.

“We found two vulnerabilities in our Microsoft software. One was known and one wasn’t,” he said.

State’s ability to determine the business impact of shutting down systems is a clear example of how far FISMA has come since it became law in 2003.

“We have raised awareness of [information technology] security among senior business leaders because of FISMA,” said Ed Meagher, deputy CIO at the Interior Department. “FISMA grades are a general evaluation of how mature our processes have become, but it only takes you so far. We need to look at tools that show how ready we are to repel hackers and viruses.”

Meagher said FISMA continually reminds businesspeople why IT security is important, but agencies also need to constantly monitor their networks.

Michael Castagna, chief information security officer at the Commerce Department, said the department’s move to a standard Microsoft desktop PC configuration is a significant step toward secure networks.

“The great majority of exploits come from misconfigured systems or missing patches,” he said. “The secure desktop will help us close these exploits.”

But he also warned that because the baseline configuration is public, hackers will look for exploits against it, so the standard should be only a starting point for securing desktop computers.

Commerce is moving to real-time network monitoring, Castagna added, and officials chose the Justice Department’s FISMA reporting tool under the IT Security Line of Business for that purpose. Commerce is scheduled to finish deploying the tool by March 2008.

Meagher and others said the best approach to IT security still comes from selling the business benefits to program people.

“We have to explain why we need to spend money on security beyond the reasoning ‘so nothing bad will happen,’” Meagher said. “We need to explain it on a business level and discuss the disruption of the business processes and mission goals. When we do that, the businesspeople take you more seriously.”

Castagna added that IT security must be seen as a tool for helping agencies achieve their missions, and therefore, the CISO must understand the chief financial officer’s language.
