CISOs assess the assessors

Government chief information security officers still do not have a cure for the headache caused by the need to create quarterly or annual reports about their agencies' security status, which CISOs must complete to comply with congressional and oversight requirements. Participants in FCW’s CISO round table described the system audits and reporting processes as cumbersome, time-consuming, painful and difficult.

Some of the CISOs said the burden is easing somewhat as the reporting processes mature, particularly for the Federal Information Security Management Act. However, many still question whether periodic reporting exercises are the best way to bolster security.

“I wouldn't say they are the most effective way of improving cybersecurity, but they do improve the cybersecurity program by locating weaknesses in our program that may not have been known,” said Ryan Brewer, chief information security officer at the Centers for Medicare and Medicaid Services.

Others say FISMA can’t keep up with new risks.

“Given the rapid changes in the threat landscape, merely meeting a checklist of requirements simply shows that we are compliant to a state of security at the time the regulation was created,” said Robert Maley, Pennsylvania's chief information security officer.

Others say there should be less emphasis on reporting.

“Reporting should be a secondary function to the actual securing of our systems and applications,” said Phillip Loranger, chief information security officer and acting director of information assurance at the Education Department. “This process needs to be re-evaluated and streamlined to be less administratively focused and more action-focused.”

A July report from the Government Accountability Office highlighted ongoing weaknesses of the FISMA reporting process and its frequent failure to identify disparities between agencies’ FISMA compliance records and their security status.

Federal Chief Information Officer Vivek Kundra has called for a rewrite of FISMA that would, in addition to clarifying the reporting process, yield metrics that assess security postures and continuously identify new threats. At least one CISO fears that such efforts could fall into old traps.

“I would hope that with the next evolution of FISMA, the lawmakers and the executive branch would actually call out to the agency CISOs in a collaborative manner to come up with a better way to satisfy these requirements,” Loranger said. “If they continue to work in a vacuum, I’m afraid we’ll be faced with the same challenges as before.”

Federal CISOs rate FISMA

Federal chief information security officers characterized the effectiveness of the Federal Information Security Management Act’s reporting process. Here are their responses.

Real but uneven improvement: 48 percent

Paper exercise with little upside: 24 percent

Costs exceed benefits: 19 percent

A great success: 9 percent

Source: The State of Cybersecurity from the Federal CISO’s Perspective, (ISC)2, April

About the Author

John Moore is a freelance writer based in Syracuse, N.Y.
