FISMA: The GCN Roundtable
A couple weeks ago, GCN convened a roundtable of government officials in our Washington headquarters to talk about what a lot of folks have been talking about lately: the Federal Information Security Management Act. Specifically, they've been talking about what it means that the U.S. government seems to score so poorly on the FISMA report card, issued annually by the House Government Reform Committee.
We weren't so interested in re-hashing the strengths or weaknesses of the act itself (although with a staffer from Congressman Tom Davis' committee at the table, we spent a little time on the legislation). What we really wanted to get at was how agencies could improve their security in general, and thereby boost their high-profile FISMA grades.
Around the table were Karen Evans, administrator of e-government and IT for the Office of Management and Budget; Glen Schlarman, chief of the information policy and technology branch at OMB; Victoria Proctor, of the House Government Reform Committee; Ron Ross, from the FISMA implementation project at NIST; and Phil Heneghan, chief information security officer at the Agency for International Development (recipient of two straight A+ grades on the FISMA report card).
We also invited a couple executives from the security industry to get their perspectives: Terri Allen, a senior VP at Vienna, Va.-based Cloakware; and Dave Steidle, director of product management at Edison, N.J.-based netForensics Inc.
The conversation was lively and wide-ranging. Look for an in-depth article about the roundtable in the May 22 issue of Government Computer News. For now, here's a sampling of what we discussed:
Ron Ross, on criticisms leveled at FISMA: 'The legislation is broad, it's sweeping, it is changing the culture across the entire federal government, and I think we don't have a lot of patience sometimes. We're only three years in, and we're just now completing the standards and guidelines.'
Karen Evans, on whether FISMA compliance is more about security tools or policies: 'A fool with a tool is still a fool. It's not about the tools. It's really about understanding what you're managing.'
Phil Heneghan, on how USAID handles remote laptop users: 'We scan every box every three days. People found out that when they plugged it in, they'd get scanned and we'd send grades to the mission directors. After one month of that, mission directors now enforce the rule of no laptop gets plugged in until after the sys admin people have patched it.'
Victoria Proctor, on why some agencies score well and others don't: 'To a large extent, an agency like the Social Security Administration and the Labor Department have done quite well [with FISMA] because they deal with information on a regular basis. They know that if any information gets into the wrong hands, they failed in their mission.'
What you won't read in the May 22 article is Terri Allen's take on future security issues. Frankly, we just don't have the room for all the good points our panelists made. Allen was a senior VP at GTSI Corp. before joining Cloakware, so she has experience in the federal space.
'We think that identity management from a user perspective is good,' Allen said. 'We're focusing on an area of unmet need, which is the unattended server farms out there. In many cases you've got hard-coded passwords and not many people managing that piece of business. So we're talking to customers about unattended server farms and unattended applications and making sure we're securing those applications with a trusted solution.'
Bottom line: FISMA is about managing risk and putting in place disciplined processes so an agency can adapt to a changing security landscape. We hope you come away from the conversation with something that helps improve your agency's security posture.
Posted by Brad Grimes