CISOs assess the assessors

Government chief information security officers still have no cure for the headache of producing quarterly or annual reports on their agencies' security status, reports that CISOs must complete to comply with congressional and oversight requirements. Participants in FCW’s CISO round table described the system audits and reporting processes as cumbersome, time-consuming, painful and difficult.

Some of the CISOs said the burden is easing somewhat as the reporting processes mature, particularly for the Federal Information Security Management Act. However, many still question whether periodic reporting exercises are the best way to bolster security.

“I wouldn't say they are the most effective way of improving cybersecurity, but they do improve the cybersecurity program by locating weaknesses in our program that may not have been known,” said Ryan Brewer, chief information security officer at the Centers for Medicare and Medicaid Services.

Others say FISMA can’t keep up with new risks.

“Given the rapid changes in the threat landscape, merely meeting a checklist of requirements simply shows that we are compliant to a state of security at the time the regulation was created,” said Robert Maley, Pennsylvania's chief information security officer.

Others say there should be less emphasis on reporting.

“Reporting should be a secondary function to the actual securing of our systems and applications,” said Phillip Loranger, chief information security officer and acting director of information assurance at the Education Department. “This process needs to be re-evaluated and streamlined to be less administratively focused and more action-focused.”

A July report from the Government Accountability Office highlighted ongoing weaknesses of the FISMA reporting process and its frequent failure to identify disparities between agencies’ FISMA compliance records and their security status.

Federal Chief Information Officer Vivek Kundra has called for a rewrite of FISMA that would, in addition to clarifying the reporting process, yield metrics that assess security postures and continuously identify new threats. At least one CISO fears that such efforts could fall into old traps.

“I would hope that with the next evolution of FISMA, the lawmakers and the executive branch would actually call out to the agency CISOs in a collaborative manner to come up with a better way to satisfy these requirements,” Loranger said. “If they continue to work in a vacuum, I’m afraid we’ll be faced with the same challenges as before.”

Federal CISOs rate FISMA

Federal chief information security officers characterized the effectiveness of the Federal Information Security Management Act’s reporting process. Here are their responses.

Real but uneven improvement: 48 percent

Paper exercise with little upside: 24 percent

Costs exceed benefits: 19 percent

A great success: 9 percent

Source: The State of Cybersecurity from the Federal CISO’s Perspective, (ISC)2, April

About the Author

John Moore is a freelance writer based in Syracuse, N.Y.
