Security experts fault FISMA paperwork

After five years in which federal agencies have been graded on their compliance with security laws, some former federal security officials question the meaning of the annual security grades.

“High grades could mean a lot of compliance but not necessarily a lot of security,” said Bruce Brody, vice president of information security at Input, the market research firm.

Brody, a former cybersecurity official at the Energy and Veterans Affairs departments, said he observed agencies creating lots of paperwork to achieve compliance with the Federal Information Security Management Act of 2002. But that paperwork was not always connected to underlying security fixes, he added. “You really have to ask yourself what has five years of FISMA given to us?”

Speaking Feb. 22 in Washington, D.C., following a security workshop, Brody said it would be helpful if the Office of Management and Budget would recognize technically based security processes in which agencies continuously scan their systems and networks and maintain audit logs. “That process could replace an inordinate amount of paper that is generated right now on certification and accreditation,” Brody said.

Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium, said the information security programs at most U.S. businesses require far less paperwork than those in federal agencies. But important similarities exist, he added. In businesses and in federal agencies, chief information security officers “are fighting for resources, fighting for management attention and management support,” he said.

The Information Security Forum, the International Information Systems Security Certification Consortium and Input sponsored the workshop.