FISMA compliance: Money misspent?

The research director at the SANS Institute gives failing grades to FISMA implementation efforts.


Agencies' efforts to carry out the Federal Information Security Management Act have fallen short and taxpayers' money has been misspent, a prominent security expert said this week at a public workshop on FISMA.

"FISMA gets four F's, not in its writing, but in its implementation," said Alan Paller, director for research at the SANS Institute, an education and research group specializing in systems and network management and security.

Paller and other officials spoke May 20 at a workshop presented by the Center for Democracy and Technology, the Council for Excellence in Government, the Cyber Security and Policy Research Institute at George Washington University and the American Council for Technology.

To date, agencies have spent about $300 million on efforts to protect their computer systems, yet they still have insecure systems, Paller said.

In some areas, he said, federal agencies could use better guidelines from the Office of Management and Budget and the National Institute of Standards and Technology, the two agencies responsible for issuing guidance on complying with the law.

For example, Paller said, beyond the guidelines' focus on systems, federal officials should look at improving the security of their agencies' computer network infrastructure through such means as automated security patching and intrusion detection systems.

FISMA guidelines "don't give you any points for patch automation because it's an infrastructure function," he said.

Federal agencies, Paller said, have also overlooked the fourth and most important step in the security certification and accreditation process: continuously monitoring systems once they have been certified and accredited.

Finally, he said, computer worms regularly infect systems when agency employees install default versions of Microsoft Corp.'s Windows operating system on computers connected to the Internet. Doing that means agency officials are ignoring the FISMA clause that says no computer should be connected to the network unless it has been safely configured, Paller said.

"That means a reasonably large number of computers are doing low and slow attacks inside your own firewall, looking for new machines to take over," said Paller, one of several speakers for the workshop.

Stuart Katzke also urged federal civilian agencies to change the prevailing culture, which is to connect new computers to a network and worry about security later.

Katzke, senior computer scientist and information security researcher at NIST's Information Technology Laboratory, said the agency's role now is to provide standards and guidelines for compliance with FISMA. After it completes those documents, NIST officials will begin Phase 2 of their responsibilities, he said, which will be to create a pool of qualified organizations able to help agencies perform the security assessments that the act requires. Katzke's remark triggered a muffled cheer in parts of the mostly government audience.

One of the biggest challenges for federal officials will be to find ways to protect their information and information systems within very limited budgets, he said.

Glenn Schlarman, OMB's branch chief for information policy and technology, said the agency continues to work toward a goal of information security practices that are "documentable, repeatable and consistent across all agencies."

Paller encouraged federal officials to spend more time learning from one another. He cited the Transportation Department's success in reducing the typical cost of certification and accreditation of its information systems from between $28,000 and $48,000 per system to about $5,500 per system.
