With CDM, What Happens to FISMA?

The Federal Information System Management Act (FISMA) has been the backbone of federal IT security for more than a decade, but it’s come under increasing attack in recent years. With the dynamic nature of security threats today, FISMA’s snapshot approach to security assessments is seen as wildly out of date.

The DHS CDM program was created in part to support FISMA reporting, but it could eventually be the key to making FISMA relevant once again. In particular, phase 2 of the program that focuses on identity and network management could be the “realization” of IT security, said Jeff Wagner, director of security operations for the Office of Personnel Management. It’s a sign, he said, that “the federal government finally is taking FISMA seriously,” according to a recent story in Government Computer News.

FISMA, enacted in 2002, was a big leap forward for IT security at the time. It focused on a risk-based approach to “cost-effective” security, and required agencies to conduct annual reviews of their security and formally report the results to OMB. The yearly parade of those agencies deemed to be compliant, or not, with FISMA became an anticipated part of the federal IT scene.

However, it only required a yearly statement that the agency systems and networks met FISMA requirements. Agencies were under no compulsion to regularly follow up their assessments to make sure those systems and networks were always in compliance. For that reason, FISMA was increasingly dismissed as a “box-ticking” exercise with little relation to actual agency security.

CDM should put the relevance back into FISMA. Automated, near-real-time scanning and validation of network and system security will accomplish many of the things FISMA was intended to deliver. It will also take much of the pain out of the manual, paper-based method of FISMA reporting, since much of the information collected and fed to agency CDM dashboards, and on from there to the federal dashboard, will meet FISMA requirements.

In fact, CDM-like capabilities are now required by law. In tweaking FISMA to bring it up to date with current security threats, Congress in December 2014 directed DHS as part of the Federal Information Security Modernization Act to “administer procedures to deploy technology, upon request by an agency, to assist the agency to continuously diagnose and mitigate against cyber threats and vulnerabilities.”

OMB also has to deliver annual assessments to Congress on the progress of agencies toward adopting “continuous diagnostic technologies” and other advanced security tools.

OMB emphasized the need for agencies to implement CDM capabilities with a memo updating the FISMA metrics for FY 2015, which, where possible, use existing federal agency data feeds to automate responses and improve the quality and timeliness of reported data. Agencies “must assess their information security capabilities against these enhanced FISMA metrics at the beginning of FY 2015,” OMB said.

If nothing else, there is a cost imperative that will drive that CDM-influenced change in FISMA. When DHS went to the various chief information security officers at agencies and asked them how much time and resources they devoted each year to dealing with FISMA compliance, they said up to 65 percent was spent on the FISMA process and reporting.

In 2013, at the launch of the CDM program, DHS said CDM will cost just $200 million versus the $600 million a year spent on current compliance needs, and will use just six percent of each cybersecurity dollar.