Compliance reporting bogs down cybersecurity, officials say

Despite growing threats to the nation’s information infrastructure, agencies have not done an adequate job of protecting their systems, the federal chief information officer told a Senate panel Oct. 29.

“Security in the federal government is not where it needs to be,” Vivek Kundra said. “Historically, the federal government has not been as effective as necessary in its cyber defense. An inadequate cybersecurity workforce, a focus on compliance rather than outcomes, and a cumbersome and time-consuming process for collecting information regarding agency security postures have hindered our cybersecurity management capabilities.”

Kundra, testifying before the Senate Homeland Security and Governmental Affairs Committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, outlined efforts to deal with these problems.

The Federal Information Security Management Act (FISMA) sets out a comprehensive framework for security controls on government information technology systems, and agencies must report annually on those controls to the Office of Management and Budget.

“FISMA has raised the level of awareness of the critical importance of information security in the agencies and in the country at large,” Kundra said. “It has also strengthened the reporting requirements and established mechanisms for the collection of agency information.”

However, reporting focuses primarily on FISMA compliance and not on effective security, said Gregory Wilshusen, the Government Accountability Office’s director of Information Security Issues.

“Agencies stated that, for the most part, they predominantly collected measures of compliance because they were focused on measures associated with OMB’s FISMA reporting requirements,” he said.

The hearing was called by Sen. Tom Carper (D-Del.), the subcommittee's chairman, to examine possible waste in spending on information technology security and ways to establish more cost-effective cybersecurity.

Carper called cyberattacks “one of the nation’s most pressing national and economic security issues,” and said OMB estimates agencies spend about $7 billion a year to protect their networks, but that nearly one-fifth of that, $1.3 billion, is spent on required paperwork exercises.

That FISMA has become an ineffective paper chase has become a common complaint since the law’s passage in 2002. Many officials and security experts have said that the requirements focus on checkbox compliance and reporting rather than on effective monitoring and response to actual threats, and as a result the security of many government IT systems has not materially improved in the last seven years.

Carper has introduced legislation, now pending before the full committee, that would increase accountability for IT security and shift focus to monitoring effectiveness.

Compliance is one of three general categories of metrics for measuring security, Wilshusen said. The others are control effectiveness and impact. However, agencies rely too heavily on compliance in their reporting, which has limited their ability to determine effectiveness of controls. Although tests and evaluations of systems are required under FISMA, “there is no measure of the quality of agencies’ test and evaluation processes or results that demonstrate the effectiveness of the controls that were evaluated.”

Kundra acknowledged the focus on compliance, calling the metrics “lagging indicators focused on compliance rather than outcomes.” But he said “during the first few years of FISMA reporting, the required metrics evolved as initial benchmarks were met.”

Although there is general agreement on the need to update FISMA, not everyone agrees that it has been ineffective.

“Compliance is not security,” said John Stewart, chief security officer for Cisco Systems. However, “I think FISMA has helped. It is easy to say that it has not helped enough,” but it has provided a consistent framework for implementing security controls and has set the bar for federal IT security, even if that bar is too low.

GAO has recommended that OMB:

• Issue revised guidance to chief information officers for developing measures of security.
• Direct chief information officers to ensure that measures exhibit key attributes of being meaningful, repeatable and actionable.
• Direct chief information officers to employ the key practices for developing a measure as identified by leading organizations.
• Revise annual FISMA reporting guidance to agencies.
• Revise its annual FISMA report to Congress to provide better status information on the security posture of the federal government.

Kundra said that OMB is addressing cybersecurity weaknesses by:

• Expediting hiring authority for 1,000 cybersecurity positions within the Homeland Security Department.
• Launching CyberScope, an automated platform for secure reporting of cybersecurity information gathered by agencies.
• Creating a task force in the Federal CIO Council to develop new reporting metrics focusing on outcome rather than processes.
• Requiring more detailed reporting from agencies on security spending in fiscal 2010.

“The administration is committed to strengthening our federal cyber defense,” Kundra said. “The threats we face are numerous, evolving faster than our cyber defense, and have the potential to do great harm.”

Creating a secure environment is a shared responsibility of agency heads and oversight organizations, as well as the public and the private sector, he said. Current actions represent a step forward, but creating the proper culture of security will not be easy or come quickly, he said.