Fountain: FISMA's fifth birthday

The Federal Information Security Management Act turned five in December. As with any milestone, this is a good time to reflect on what’s working and what’s not with one of the most pervasive — and arguably most influential — information security laws to be enacted.

The purpose of FISMA is to protect the government’s information assets — no small task. FISMA has had a positive effect on information security, but there is room for improvement.

FISMA has done a number of things well. It has raised general awareness of information security and increased executive-level accountability. It generates a standardized system of measurement, which the Office of Management and Budget publishes in an annual FISMA report to Congress. The law provides formalized information security practices and procedures.

However, FISMA could and should do four additional things:

Emphasize continuous performance assessment instead of point-in-time compliance.

Although FISMA calls for effective risk management and information security programs, in practice there is too much emphasis on demonstrating point-in-time compliance at the expense of continuous information security. The goal of an effective information security program is to weave information security into everyday tasks and activities. Assessments should be conducted on an ongoing, unscheduled basis and include simulated attacks to identify technical vulnerabilities and measure user adherence to information security policy.

Improve the FISMA report card.

The annual FISMA report card grade is an ineffective measurement tool. The grade reflects an agency's ability to demonstrate compliance and does not measure an information security program's effectiveness.

The FISMA report card should be based on a series of quantitative assessments that specifically target program effectiveness.

Assessments should be performed by well-trained information security specialists who operate across agencies. That approach would eliminate the subjective and potentially political nature of the current grading scheme.

Create accountability at all levels.

All government employees, not only agency executives, must be held accountable and rated on information security awareness and policy adherence. Specific language regarding information security should be inserted into all performance appraisals.

Have one consistent standard.

Since FISMA was enacted, the government has gone from a need-to-know to a need-to-share environment. All agencies must have confidence that moving data from one agency or department to another does not compromise the security of that information.

The government needs a single set of core standards and guidance that applies to all civilian, Defense Department and intelligence entities.

Some of that work is already under way; completing it would simplify the administration of information security programs and facilitate information sharing.

FISMA has had a positive effect on federal information security during the past five years. Now it’s time to take the law to the next level. FISMA needs to be adapted to ensure that information security programs are working and government information assets are secure.

Fountain is president and chief executive officer of SecureInfo, which sells information assurance solutions to federal agencies.