Posted April 16, 2010
While a number of legislative attempts to overhaul FISMA, or at least refine it at the edges, will likely stall before the end of the 111th Congress, there is still reason to believe that the sweeping 2002 legislation, with its $8 billion annual price tag, may be in danger of being curtailed.
The Level-Set: FISMA-at-a-Glance
The Federal Information Security Management Act was enacted in 2002 and requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency. FISMA requires annual reviews of each agency’s information security program and “certifications and accreditations” of each agency’s compliance with the overall requirements of the Act.
This audit is a major thrust of the Act, and the basis of perhaps its biggest, most often lobbed criticism: that the Act essentially generates a lot of paperwork at considerable cost only to offer a snapshot in time of the security status of an agency’s practices and systems.
Alternative Approaches to Federal Information Security
An approach that has been gaining currency within the federal information security community is one advanced by the U.S. Department of State since 2006. The Department’s Risk Scoring Program is aimed at pinpointing and correcting the worst vulnerabilities on a given day in any of its worldwide systems and networks, and continuously monitors those systems and networks, pinging each at least once in every 36-hour period. According to State’s CISO, this approach has led to a plunge in overall risk on the Department’s key unclassified network by more than 80 percent over the past year.
The U.S. Navy has also redoubled its efforts toward security evaluations that go beyond single point-in-time assessments. In a presentation last week to the U.S. Center for Strategic and International Studies, the head of the U.S. Fleet Cyber Command (FCC) pointed to situational awareness, operationally focused testing, use of talented people, and continuous monitoring, among other things, as goals he is moving the FCC toward. The Navy is also focused on advancing predictive and dynamic security; the latter is expected to be in place by the end of the year, and has been described as “when you know what's going on in the now, not what was going on a while ago.”
Infosec & Related Bills in the 111th Congress
Such approaches have been embraced by lawmakers who – along with others – have long expressed concern that FISMA might be more of an exercise in wasteful paperwork than any meaningful attempt to counter attacks on the nation’s information systems infrastructure.
The most recent of a number of FISMA-related cybersecurity bills introduced over the past year came last month from Rep. Diane Watson, D-Calif. – the 2010 Federal Information Security Amendments Act (H.R. 4900) – and would expressly update FISMA to, among other things, reduce the reporting burden by requiring agencies to deploy automated tools that continuously monitor and measure how vulnerable networks are to cyberattacks.
Another bill, introduced last year in the Senate by Delaware Democrat Tom Carper – the United States Information and Communications Enhancement Act (S. 921) – is also expressly aimed at updating FISMA by directing federal agencies to use real-time metrics to determine the true security of their IT systems.
The Carper bill follows the introduction by Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, of their own measure – the Cybersecurity Act of 2009 (S. 773) – which also calls for the establishment of a real-time cybersecurity dashboard, among other things, and mandates that the president collaborate with the private sector to develop a comprehensive national cybersecurity strategy.
(Several other measures also have been introduced in the House and Senate over the past year that are targeted at shaping the creation and implementation of U.S. domestic and international cybersecurity policy. These include the International Cyberspace and Cybersecurity Coordination Act of 2010, the Cybersecurity Enhancement Act of 2010 (H.R. 4061), the International Cybercrime Reporting and Cooperation Act, introduced in both chambers as S. 3155 and H.R. 4692, and the Fostering a Global Response to Cyber Attacks Act (S. 1438). Additionally, a long-time leader in Congress on information technology and chairman of the Senate Committee on Homeland Security and Governmental Affairs, Joseph Lieberman, has promised to introduce his own version of a comprehensive cybersecurity bill.
While these measures are beyond the scope of this post, pay attention to this space, as they will be addressed in the near future.)
The Administration Weighs In
Federal Chief Information Officer Vivek Kundra, who testified at Rep. Watson’s hearing on H.R. 4900, is quite supportive of developing a real-time approach to measuring systems vulnerabilities.
Kundra noted that while agencies have shown progress in following FISMA’s compliance guidelines, compliance statistics don’t conclusively demonstrate that systems are secure. "The FISMA measures reported on annually have led agencies to focus on compliance," he said. "However, we will never get to security through compliance alone."
Elaborating on this stance in a recent interview, Kundra noted that new FISMA guidance the Office of Management and Budget will issue in the coming weeks will indeed emphasize the use of real-time security monitoring, among other things, pointing out that such “guidance … is very much focused around data feeds that are of a real-time nature, around actually creating risk profiles that are very specific to agency missions." Kundra favors an approach that employs new tools such as CyberScope, which furnishes a standard format and provides a better view of agencies' data, and which will eventually feed data into a cybersecurity dashboard, in an express nod to the State Department’s model.
Our Pontifications
So, does the widespread recognition by industry, Congress, the Obama Administration and others mean that FISMA is about to be upended? Certainly not – at least not just yet – and any major reform is not likely to take place much before the 112th Congress, given the myriad competing priorities and the brewing Supreme Court nomination battle during the remainder of the current legislative session.
We are, however, of the view that, depending on how pointed the OMB guidance is later this year, there will quite possibly be a paring back of the level of resources currently allocated to annual FISMA audits. Again, given the need for legislative action to trigger any significant reforms, and the likelihood that that debate will be eclipsed by other national priorities, it will probably be the fourth quarter of 2011 (or even the first quarter of 2012) before much movement becomes evident in the direction of doing away with FISMA audits.
