Experts: It's time to fix FISMA
A pair of security experts gave a harsh critique Tuesday of FISMA as a well-intentioned but fundamentally flawed tool.
SAN FRANCISCO -- A pair of security experts, one of them a former federal chief information security officer, gave a harsh critique Tuesday of the Federal Information Security Management Act as a well-intentioned but fundamentally flawed tool.
"A lot of your money is being thrown away," Alan Paller, director of research for the SANS Institute, told an audience at the RSA IT security conference.
The 2002 act mandates security planning for agencies, requiring a risk analysis of IT systems, and certification and accreditation of those systems.
"FISMA wasn't written badly, but the measuring system they are using is broken," Paller said. "What we measure now is, 'Do you have a plan?'" Not whether the plan actually improves security.
Too often, the plans do not improve security, said Bruce Brody, vice president of information assurance at CACI International Inc. and formerly with the Veterans Affairs and Energy departments.
"Federal systems and networks are like Swiss cheese," Brody said. "FISMA over five years has not helped us to be appreciably more secure."
The speakers described the risk analysis and C&A processes as paperwork drills that let agencies comply with the letter of the law without doing anything to improve actual security. Even so, many agencies routinely receive failing grades in the annual FISMA report cards handed out by Congress, and government as a whole has not risen above D. Brody said he received four Fs and one C during his term in government.
Paller offered two broad fixes for the security challenge facing government. The first is to stop blaming the user for problems, and require that vendors ship well designed products that are securely configured by default. He also called for using 'attack-based' metrics in measuring security compliance. These metrics include:
- How quickly penetrations of the system are identified
- The length of time it takes to deploy needed security patches
- The number of accounts remaining active after employees or consultants have left an agency
- Whether programming teams are including errors in code
- How quickly malicious code can be found on a system
- The boundaries and topologies of the interconnected enterprise
- The devices that are connected to the enterprise and the channels they use to connect to it
- The configuration of these devices
- Who is accessing these devices and whether that access is authorized
- What these users are doing on the system
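As an added illustration (not code from the article or from either speaker), the script below computes three of the attack-based metrics listed above, orphaned accounts, patch latency and time to detection, from evidence records rather than from a plan; all account names, advisory identifiers and dates are constructed sample data.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records (hypothetical, not from the article): an HR
# departure list, the directory's enabled accounts, patch release/deploy
# dates and one intrusion timeline (first attacker activity vs. detection).
DEPARTURES = {"jdoe": "2008-04-01", "asmith": "2008-04-03", "rlee": "2008-02-15"}
ENABLED_ACCOUNTS = {"jdoe", "bwong", "asmith", "cmiller"}
PATCHES = [  # (advisory, vendor_release, deployed_on_all_hosts)
    ("VENDOR-2008-001", "2008-04-08", "2008-04-10"),
    ("VENDOR-2008-002", "2008-04-08", "2008-04-30"),
]
INCIDENTS = [  # (first_malicious_activity, detected_by_agency)
    ("2008-03-12T09:00", "2008-03-14T17:30"),
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def orphaned_accounts(departures, enabled, as_of):
    """Accounts still enabled on or after their owner's departure date."""
    cutoff = _day(as_of)
    return sorted(u for u, left in departures.items()
                  if u in enabled and _day(left) <= cutoff)

def patch_latency_days(patches):
    """Per-advisory days between vendor release and full deployment."""
    return {adv: (_day(done) - _day(rel)).days for adv, rel, done in patches}

def detection_hours(incidents):
    """Hours between first attacker activity and detection, per incident."""
    return [(_ts(found) - _ts(start)).total_seconds() / 3600
            for start, found in incidents]

def scorecard(as_of):
    """Outcome metrics a reviewer can check against evidence, not a plan."""
    latency = patch_latency_days(PATCHES)
    return {
        "orphaned_accounts": orphaned_accounts(DEPARTURES, ENABLED_ACCOUNTS, as_of),
        "mean_patch_days": mean(latency.values()),
        "worst_patch_days": max(latency.values()),
        "mean_detection_hours": mean(detection_hours(INCIDENTS)),
    }

if __name__ == "__main__":
    print(scorecard("2008-04-15"))
```

Fed with real HR, directory, patch-management and incident records, the same functions give numbers that can be trended quarter over quarter instead of a yes/no answer to "do you have a plan?".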