Risky business: FISMA reform hinges on managing the risks
Connecting state and local government leaders
The problem with legislating new information security practices is how quickly technologies evolve and unleash new and unforeseen kinds of threats. The better alternative, most experts agree, is instituting sound risk management disciplines.
Given the persistent concerns about protecting the government’s computer systems, the most recent of many congressional hearings on how to fix the Federal Information Security Management Act was perhaps as maddening for its old refrains as it was encouraging for the renewed desire to deal with them.
It certainly was no surprise that witnesses testifying late last month before the House Oversight and Government Reform Committee's Government Management, Organization and Procurement Subcommittee agreed that FISMA has generally failed to make agency systems more secure.
Related Stories:
Consensus growing for reform of flawed FISMA
FISMA: A good idea whose time never came
Although the messenger was new, the message was familiar: “Despite the improvement reported by agencies, the federal government’s communications and information infrastructure is still far from secure,” Federal Chief Information Officer Vivek Kundra said, adding that agencies will never get to security through compliance audits alone.
Government and private-sector experts continue to maintain that agencies need to adopt a real-time, enterprise-based risk management approach to securing the nation’s information infrastructures.
That said, the hearing reflected new attention to FISMA and the Federal Information Security Amendments Act of 2010 (H.R. 4900), which the committee is reviewing.
The bill would go beyond FISMA’s original provisions by requiring continuous system monitoring accompanied by penetration testing. It would also create a National Office of Cyberspace at the White House to oversee the nation's cybersecurity posture, require independent auditing of the effectiveness of programs, and include security requirements in acquisition policies.
However, the problem with legislating new information security practices is how quickly technologies evolve and unleash new and unforeseen threats.
So it wasn’t surprising when the technology community, while praising the intent of the legislation, quickly hoisted warning flags urging Congress not to erect barriers to innovative solutions.
The better alternative, most experts agree, is using sound risk management disciplines. Bureaucrats might find them too inexact compared with verifying compliance, but if done well — which is to say, if government taps into the insights learned by the private sector — agencies stand a better chance of mitigating cybersecurity risks more quickly and coherently than they do now.
Assuming the bill moves forward — and we hope it will — it will certainly benefit from work released last month by the National Institute of Standards and Technology, the final version of its “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” Developed jointly with the defense and intelligence communities, the new publication (S.P. 800-37) provides an important reference for moving past compliance in the battle against cyber threats.
NEXT STORY: And the password is... obvious