Paller: FISMA 2008: A better solution

Ever since the first Federal Information Security Management Act report card was issued for fiscal 2003, federal chief information officers have measured the success of their cybersecurity programs by the grades they get on those annual assessments.

They spend hundreds of millions on certification and accreditation reports and other paperwork to comply with FISMA guidance from the Office of Management and Budget and the National Institute of Standards and Technology. And most receive low grades.

But do FISMA grades actually measure effective security, or are they just paperwork exercises? The person in the best position to answer that question did so in a Senate hearing a few months ago. Karen Evans, who oversees all federal information technology spending for the White House, told senators that if agencies are doing the reports solely to meet compliance requirements, then they are just a paperwork exercise. In other words, FISMA compliance is not the same as — and, many would contend, gets in the way of — effective cybersecurity.

To address that, the Senate drafted new legislation, with substantial input from Evans and others who understand the difference between effective security and mere compliance. The FISMA 2008 legislation is aimed at better synchronizing agency responsibilities under the law with the activities needed to maintain maximum cost-effective security of federal systems.

The most important improvements in the new law are not the ones that are most often cited. Enhanced chief information security officer authority and a step up in red team exercises can add value, but three other changes will have much greater effect, if the legislation becomes law.

1. FISMA 2008 would demand agencies buy security built into products rather than trying to add it after the fact. No single change in federal cybersecurity will have a greater effect. The Air Force proved the power of the principle with the now more than 500,000 computers the service has purchased with built-in secure configurations. The result has been savings of more than $100 million, patch delays reduced from 57 days to 72 hours, and happier users facing fewer problems.

2. The new law would require attack-based metrics, saying that agencies must demonstrate their systems are effectively protected against known vulnerabilities, attacks and exploitations. Attack-based metrics means learning the offense and using that knowledge to develop the defense.

3. And most striking of all, the measure would require agencies to reach governmentwide agreement on what those attack-based metrics must be by establishing a baseline of information security measures and controls that can be “continuously monitored through automated mechanisms.” Those words mark another stark change from the annual to triannual reviews that were common under the old law.

Together, these changes would establish a foundation for massive transformation of federal cybersecurity. They can harmonize the efforts of chief information officers and inspectors general because both will measure against the same set of attack-based metrics.

Paller is director of research at the SANS Institute.