Schlarman: New FISMA is the wrong solution

Although the Federal Information Security Management Act could use some fine-tuning and clarification, S.3474 — the “new FISMA” now under Senate consideration — is unnecessary, creates but doesn’t solve problems, and comes too late for this administration and too early for the next. Three additional factors beg for its quick death:  I’m not surprised by the renewed push for audits. They are comfort food for GAO and IGs. But during the 1999 development of FISMA’s predecessor, the Government Information Security Reform Act, lawmakers chose less formal and more agile evaluations over audits. The reasons they did so are still largely valid.First, audits are inflexible and promote gotcha results while repelling both cooperation and sharing of information and resources among the auditor and audited.Second, because cooperation and sharing don’t exist, obfuscation often does. To avoid an unfavorable finding, those being audited don’t volunteer pertinent information to auditors. Third, without sharing, IGs and agencies must compete for limited resources and a finite pool of smart security folks. Would you rather work long hours to secure your system, only to be rewarded by a probe from a second-guessing auditor? Or would you prefer to be that auditor? Fourth, GAO is finally updating audit standards for IT systems. It is too early to assess the new standards’ quality, but they appear to be consistent with modern executive branch guidance. But, except in an appendix, GAO made little attempt to map FISMA itself. The guidelines might be fine for audits, but they are a far cry from what’s needed for evaluations. New FISMA should sink and not resurface until the next administration and Congress take office. Then its return or replacement by a new proposal must be part of a larger cybersecurity strategy. And unlike this administration’s overly secret cybersecurity initiative, that strategy must recognize the overwhelming majority of government programs are for public use and thus the public deserves to be a meaningful part of security policy development.In the meantime, if an agency believes something in the new FISMA is important for security — and probably only continuous monitoring is — let’s hope they’re already doing it as part of system certification and accreditation. They should not need another law.