Paller: FISMA 2008: A better solution

New FISMA proposals target deficiencies

Ever since the first Federal Information Security Management Act report card was issued for fiscal 2003, federal chief information officers have measured the success of their cybersecurity programs by the grades they get on those annual assessments.

They spend hundreds of millions on certification and accreditation reports and other paperwork to comply with FISMA guidance from the Office of Management and Budget and the National Institute of Standards and Technology. And most receive low grades.

But do FISMA grades actually measure effective security, or are they just paperwork exercises? The person in the best position to answer that question did so in a Senate hearing a few months ago. Karen Evans, who oversees all federal information technology spending for the White House, told senators that if agencies are doing the reports solely to meet compliance requirements, then they are just a paperwork exercise. In other words, FISMA compliance is not the same as — and, many would contend, gets in the way of — effective cybersecurity.

To address that, the Senate drafted new legislation, with substantial input from Evans and others who understand the difference between effective security and mere compliance. The FISMA 2008 legislation is aimed at better synchronizing agency responsibilities under the law with the activities needed to maintain maximum cost-effective security of federal systems.

The most important improvements in the new law are not the ones that are most often cited. Enhanced chief information security officer authority and a step up in red team exercises can add value, but three other changes will have much greater effect, if the legislation becomes law.

1. FISMA 2008 would demand agencies buy security built into products rather than trying to add it after the fact. No single change in federal cybersecurity will have a greater effect. The Air Force proved the power of the principle with the now more than 500,000 computers the service has purchased with built-in secure configurations. The result has been savings of more than $100 million, patch delays reduced from 57 days to 72 hours, and happier users facing fewer problems.

2. The new law would require attack-based metrics, saying that agencies must demonstrate their systems are effectively protected against known vulnerabilities, attacks and exploitations. Attack-based metrics means learning the offense and using that knowledge to develop the defense.

3. And most striking of all, the measure would require agencies to reach governmentwide agreement on what those attack-based metrics must be by establishing a baseline of information security measures and controls that can be “continuously monitored through automated mechanisms.” Those words mark another stark change from the annual to triannual reviews that were common under the old law.

Together, these changes would establish a foundation for massive transformation of federal cybersecurity. They can harmonize the efforts of chief information officers and inspectors general because both will measure against the same set of attack-based metrics.

Paller is director of research at the SANS Institute.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group