Feds having fits over FISMA and cybersecurity

By Angela Gunn | Published December 12, 2008, 10:09 AM

The Federal Information Security Act of 2002 caused concern over cybersecurity in government entities that hadn't shown much of it previously, lighting fires under folks who needed warming. So what's all this talk of burning FISMA down?

FISMA's birth certificate is fairly petite -- the section of the E-Government Act of 2002 that created FISMA weighs in at a readable 16 pages (PDF available here). It outlines a set of mandatory processes for compliance for information systems used by or on behalf of the US federal government.

Security's a good thing; no one's going to argue against it. Even the Info Assurance crowd, which plugs security into a larger worldview incorporating a focus on risk management and a superior understanding of governance, isn't going to claim that security isn't a core value for well-managed systems.

Talk of torching security rules, therefore, may sound a little hasty, especially when the GAO seems to turn up a new case of federal security brainlessness every week or so. Understanding why so many in government want to either rework FISMA or junk it entirely requires knowing what the standard does -- and what it can't get traction on.

It may surprise you to hear that a federal program created lots of paperwork, but that's what FISMA did. By focusing on security reports and the auditing thereof rather than on actual security measures -- compliance, in other words, not performance -- FISMA made it easy for federal CISOs to quantify their work in a way the bureaucracy at large could understand.

Rather than trying to demonstrate that their systems prevented X number of attacks or deflected Y number of intrusions (go ahead, security staffer, prove those negatives!), departments could demonstrate that they'd reached their proper level of FISMA compliance -- or tried, anyway -- and thereby justify their various budgets. Visibility for cybersecurity increased, and Congress emitted a widely publicized "report card" on the various agencies' compliance scores every year.

(Visibility and the proper level matter in the federal ecosystem, as anyone who works that turf can tell you -- too much security required for your project and you'll spend all your time ensuring compliance with every last sentence of the NIST 800-53's most stringent rules. Too little and hey, maybe whatever it is you're doing doesn't need so much funding.)

It was a start, anyway; something is better than nothing. But many observers say it's high time for FISMA to move past its first incarnation and into an era when actual performance is measured and evaluated. In other words, it shouldn't be enough to check the compliance boxes; you have to actually not have your department getting pwned.

The Senate's Homeland Security and Governmental Affairs Committee actually saw and approved an updated FISMA (S.3474, the FISMA Act of 2008) near the end of the session that ended in October. That bill's slated to appear on the next legislative calendar after the turn of the year.

It's a nice albeit non-sweeping update, refocusing CISO efforts on performance and risk management -- strategies we've learned from seven long years of white hats, black hats, open source, and cyberwars. Audits will still be part of the process, and real, independent audits annually, not the current "evaluations." A certain amount of standardization in controls will help to further improve implementation.

And FISMA 2 has a friend -- the Consensus Audit Guidelines project, an initiative developed by former Air Force CIO John Gilligan and co-developed by a number of the agencies that are affected by FISMA, including DHS, the NSA, and the GAO.

Gilligan has spoken at length on the CAG project and its 20 proposed controls, but he describes the two most significant "missing ingredients" in the current FISMA as a lack of structure for identifying effective attack-deterrent controls, and the ability to continuously measure whether the controls are working. The group's hope is that the two projects can "dovetail" for maximum effectiveness.

The most pressing task of all? Finding the biggest holes and patching them first -- simple and obvious procedure, genuine security payoff.

Comments

Of course, on the other hand, why should we expect the government to be any more efficient than the credit card industry and their PCI requirements that "require" firms to stop using WEP(!!!!) transmission of personal and credit card data by 2010!!!

Nothing like waiting until the advent of the 10th anniversary of a transmission protocol being declared fatally flawed and easily compromised to really put your foot down and take the bull by the horns and effectively deal with the fundamental insecurity!

Score: 0


I believe you mean the "Federal Information Security Management Act of 2002"

Score: 0


The fact is, nothing should have prevented them from implementing best practices as defined by COBiT/ISO17799/20001/20002, not to mention the reams of best practices defined in the Rainbow books and the myriad defense best practices that have existed long before! But then anyone who has dealt with the InfoSec aspect of the industry should be well aware of this... especially as it grew OUT OF the defense industry's requirements and standards!

So instead of screwing around and doing what could very effectively have been implemented over the past 7-plus years (and using industry standard audits for verification) - and not even having followed the forced march of private business with SOX and HIPAA - what the government needs is more committee meetings and paper proposals as the various fiefdoms worry more about who should have the most clout as they debate over what should be done if they weren't so busy having meetings debating what they would do if they were not in meetings.

But like quality control and Deming - we are great about talking a good game - yet we did nothing about implementing it - as it took Japan to bring Deming to Japan and to turn talk into action.
And unfortunately the talking heads who run this country are too busy doing only that - debating more over who has control rather than implementing that which has been well established for over 30-plus years.

It would be one thing if they were simply debating small tweaks to the system. Unfortunately the basics still haven't been fully implemented!

Score: 0
