Paller: FISMA 2008: A better solution

New FISMA proposals target deficiencies

Ever since the first Federal Information Security Management Act report card was issued for fiscal 2003, federal chief information officers have measured the success of their cybersecurity programs by the grades they get on those annual assessments.

They spend hundreds of millions on certification and accreditation reports and other paperwork to comply with FISMA guidance from the Office of Management and Budget and the National Institute of Standards and Technology. And most receive low grades.

But do FISMA grades actually measure effective security, or are they just paperwork exercises? The person in the best position to answer that question did so in a Senate hearing a few months ago. Karen Evans, who oversees all federal information technology spending for the White House, told senators that if agencies are doing the reports solely to meet compliance requirements, then they are just a paperwork exercise. In other words, FISMA compliance is not the same as — and, many would contend, gets in the way of — effective cybersecurity.

To address that, the Senate drafted new legislation, with substantial input from Evans and others who understand the difference between effective security and mere compliance. The FISMA 2008 legislation is aimed at better synchronizing agency responsibilities under the law with the activities needed to maintain maximum cost-effective security of federal systems.

The most important improvements in the new law are not the ones that are most often cited. Enhanced chief information security officer authority and a step up in red team exercises can add value, but three other changes will have much greater effect, if the legislation becomes law.

1. FISMA 2008 would require agencies to buy products with security built in rather than trying to add it after the fact. No single change in federal cybersecurity will have a greater effect. The Air Force proved the power of the principle with the now more than 500,000 computers the service has purchased with built-in secure configurations. The result has been savings of more than $100 million, patch delays reduced from 57 days to 72 hours, and happier users facing fewer problems.

2. The new law would require attack-based metrics, saying that agencies must demonstrate their systems are effectively protected against known vulnerabilities, attacks and exploitations. Attack-based metrics mean learning the offense and using that knowledge to develop the defense.

3. And most striking of all, the measure would require agencies to reach governmentwide agreement on what those attack-based metrics must be by establishing a baseline of information security measures and controls that can be “continuously monitored through automated mechanisms.” Those words mark another stark change from the annual-to-triennial reviews that were common under the old law.

Together, these changes would establish a foundation for massive transformation of federal cybersecurity. They can harmonize the efforts of chief information officers and inspectors general because both will measure against the same set of attack-based metrics.

Paller is director of research at the SANS Institute.
