NASA hits FISMA reset button

NASA's Jerry Davis has won many admirers for saying his agency would focus on reducing security risks through automation, rather than compliance paperwork

If only it were possible to improve cybersecurity by doing more thorough paperwork. Alas, eight years after the passage of the Federal Information Security Management Act, it hasn’t worked yet. That, anyway, is the conclusion of Jerry Davis, deputy chief information officer of information technology security at NASA.

Davis struck a blow last month for the many security experts who see diminishing returns from the millions of dollars that agencies spend to certify that their systems are compliant with FISMA requirements.

In a memo dated May 18, Davis informed NASA’s information systems security officials that they would not be required to recertify their existing systems as normally done every three years. Instead, agency officials plan to invest their time and money in systems and processes that will allow them to continually monitor the security of their systems, according to the memo.

The traditional certification and accreditation processes “have proven largely ineffective and do not ensure a system’s security, or a true understanding of the system’s risk posture,” Davis wrote in the memo, which was obtained by Jill Aitoro at

The C&A processes also have been costly. In an interview with FCW’s Ben Bain, Davis said NASA officials could end up saving close to $20 million this year by not putting their systems through the FISMA grind.

It’s worth noting that FISMA was passed at a time when security processes in government were largely haphazard. Although some agencies did a good job with security, there was no way to replicate those successes at other agencies. FISMA was an effort to create a security baseline across government and systematize the process of measuring compliance at individual agencies.

It was never intended to be the final word in security, just a baseline. But the C&A process was so costly and labor-intensive that the paperwork associated with FISMA compliance has become a cottage industry unto itself at agencies — but an industry with a product of questionable value.

“The mounds of paperwork currently required to perform certification and accreditation activities over federal systems amounts to nothing more than a pro forma exercise that gives officials a false sense that their systems are actually secure,” writes Jeff Bardin at CSO Online.

But it’s not as if federal cybersecurity experts haven’t seen the problem. It’s just that they never had much say in the matter, given the unassailable reporting requirements that the Office of Management and Budget issued. Those requirements were based on security guidance that the National Institute of Standards and Technology issued.

But everything changed with an April 21 memo in which OMB officials detailed FISMA reporting requirements for 2010. The memo notes that NIST’s guidelines allow a certain amount of latitude in application, which “can result in different security solutions that are equally acceptable and compliant” — a line featured prominently in Davis’ memo.

But the shift at OMB did not come out of the blue. Alan Paller, director of research at the SANS Institute, gives kudos to Federal CIO Vivek Kundra and White House Cybersecurity Coordinator Howard Schmidt for encouraging agencies to focus on reducing security risks rather than simply complying with security policies.

The only question was who was willing to step into the opening that OMB created. The answer is Davis.

“The NASA innovation is the breath of fresh air that every CIO and every major program manager in government has been (secretly) hoping for,” writes Paller in a SANS NewsBites newsletter.

However, one security blogger was more skeptical. In that blogger's view, FISMA has not worked because agencies did not incorporate it, along with other NIST guidance, into a comprehensive security strategy. It’s not that FISMA has failed, the blogger writes. It’s that “I don’t think we’ve really done FISMA yet.”

About the Author

Connect with the FCW staff on Twitter @FCWnow.
