CISOs assess the assessors

Government chief information security officers still have no cure for the headache of producing the quarterly and annual reports on their agencies' security status that congressional and oversight requirements demand. Participants in FCW’s CISO round table described the system audits and reporting processes as cumbersome, time-consuming, painful and difficult.

Some of the CISOs said the burden is easing somewhat as the reporting processes mature, particularly for the Federal Information Security Management Act. However, many still question whether periodic reporting exercises are the best way to bolster security.

“I wouldn't say they are the most effective way of improving cybersecurity, but they do improve the cybersecurity program by locating weaknesses in our program that may not have been known,” said Ryan Brewer, chief information security officer at the Centers for Medicare and Medicaid Services.

Others say FISMA can’t keep up with new risks.

“Given the rapid changes in the threat landscape, merely meeting a checklist of requirements simply shows that we are compliant to a state of security at the time the regulation was created,” said Robert Maley, Pennsylvania's chief information security officer.

Others say there should be less emphasis on reporting.

“Reporting should be a secondary function to the actual securing of our systems and applications,” said Phillip Loranger, chief information security officer and acting director of information assurance at the Education Department. “This process needs to be re-evaluated and streamlined to be less administratively focused and more action-focused.”

A July report from the Government Accountability Office highlighted ongoing weaknesses in the FISMA reporting process, in particular its frequent failure to surface gaps between what agencies' FISMA compliance records say and their actual security posture.

Federal Chief Information Officer Vivek Kundra has called for a rewrite of FISMA that would, in addition to clarifying the reporting process, yield metrics that assess security postures and continuously identify new threats. At least one CISO fears that such efforts could fall into old traps.

“I would hope that with the next evolution of FISMA, the lawmakers and the executive branch would actually call out to the agency CISOs in a collaborative manner to come up with a better way to satisfy these requirements,” Loranger said. “If they continue to work in a vacuum, I’m afraid we’ll be faced with the same challenges as before.”

Federal CISOs rate FISMA

Federal chief information security officers were asked to characterize the effectiveness of the Federal Information Security Management Act’s reporting process. Here are their responses.

  • Real but uneven improvement: 48 percent
  • Paper exercise with little upside: 24 percent
  • Costs exceed benefits: 19 percent
  • A great success: 9 percent

Source: The State of Cybersecurity from the Federal CISO’s Perspective, (ISC)2, April

About the Author

John Moore is a freelance writer based in Syracuse, N.Y.
