Fountain: FISMA's fifth birthday

The Federal Information Security Management Act turned five in December. As with any milestone, this is a good time to reflect on what’s working and what’s not with one of the most pervasive — and arguably most influential — information security laws to be enacted.

The purpose of FISMA is to protect the government’s information assets — no small task. FISMA has had a positive effect on information security, but there is room for improvement.

FISMA has done a number of things well. It has raised general awareness of information security and increased executive-level accountability. It generates a standardized system of measurement, which the Office of Management and Budget publishes in an annual FISMA report to Congress. The law provides formalized information security practices and procedures.

However, FISMA could and should do four additional things:

Emphasize continuous performance assessment instead of point-in-time compliance.

Although FISMA specifies effective risk management and information security programs in practice, there is too much emphasis on demonstrating point-in-time compliance at the expense of continuous information security. The goal of an effective information security program is to weave information security into everyday tasks and activities. Assessments should be conducted on an ongoing, unscheduled basis and include simulated attacks to identify technical vulnerabilities and measure user adherence to information security policy.

Improve the FISMA report card.

The annual FISMA report card grade is an ineffective measurement tool. The grade reflects an ability to demonstrate compliance and does not measure an information security program’s effectiveness.

The FISMA report card should be based on a series of quantitative assessments that specifically target program effectiveness.

Assessments should be performed by well-trained information security specialists who operate across agencies. That approach would eliminate the subjective and potentially political nature of the current grading scheme.

Create accountability at all levels.

All government employees, not only agency executives, must be held accountable and rated on information security awareness and policy adherence. Specific language regarding information security should be inserted into all performance appraisals.

Have one consistent standard.

Since FISMA was enacted, the government has gone from a need-to-know to a need-to-share environment. All agencies must have confidence that moving data from one agency or department to another does not compromise the security of that information.

The government needs a single set of core standards and guidance that applies to all civilian, Defense Department and intelligence entities.

Some of that work is under way, but having those standards would simplify the administration of information security programs and facilitate information sharing.

FISMA has had a positive effect on federal information security during the past five years. Now it’s time to take the law to the next level. FISMA needs to be adapted to ensure that information security programs are working and government information assets are secure.

Fountain is president and chief executive officer of SecureInfo, which sells information assurance solutions to federal agencies.