Last word: Make the FISMA grade meaningful

Christopher Fountain
The Federal Information Security Management Act (FISMA) is a United States federal law and part of Title III of the E-Government Act of 2002. Authored and championed by Rep. Tom Davis, the act is meant to improve computer and network security within the federal government. The National Institute of Standards and Technology (NIST) and other authorized bodies have published guidance for relevant agencies to improve information security consistent with FISMA. Although the intent of FISMA is to provide a comprehensive risk management framework for ensuring that federal information assets are secure, the publicity surrounding the annual compliance reporting process and the FISMA report card has taken center stage.

While the pressure of annual FISMA grades has done a good job of increasing awareness about securing our nation's vital information assets, the framers of the law were likely not interested in having federal agencies become primarily focused on compliance reporting. People working across the federal government in the information assurance profession should focus on securing information systems and sensitive personal data.

Compliance demonstration should be a collateral benefit of a comprehensive information security program. Controversy surrounding the grades, and agency efforts focused on getting a good grade instead of implementing effective security programs, have created negative publicity for FISMA. The challenge is taking the very complex problem of protecting information systems and boiling it down to a single grade at a single point in time. In practice, the grades assess an agency's ability to demonstrate compliance, not the security of its systems. Further exacerbating the challenge is that the grades are highly subjective, based on audits performed by people with varying experience and inconsistent interpretations of regulations and guidance.

The problem can be solved by developing and implementing a standardized and quantitative assessment program to determine whether information systems are truly secure instead of assessing an agency's ability to document compliance. Conducted on an ongoing, unscheduled basis, the assessment program should include a deep inspection of key information security program elements and simulated attacks. The deep inspections and simulated attacks should be performed by a dedicated centralized group of specialized and certified information security auditors who utilize a common framework for their work.

The inspections should be based on a statistically significant random sampling much like a financial audit. The simulated attacks should be designed to identify computer system weaknesses and user awareness issues. Social engineering-based penetration testing techniques could be used to determine how effectively federal workers and contractors follow policy.

The findings would provide a consistent and substantive method for assessing the effectiveness of an agency's security posture and its ability to manage risk. Properly formulated and taken in the right context, the results would enlighten those charged with securing our nation's information assets and produce actionable results.

Beyond compliance reporting and the grade, FISMA lays a solid foundation for securing our nation's information assets. FISMA and related guidance provide federal civilian and Department of Defense agencies with a comprehensive risk management framework, clear organizational accountability, assignment of key personnel charged with securing systems, and robust instruction to aid information security professionals in fulfilling their mission. Adding a highly quantitative assessment program will ensure FISMA serves its intended purpose. Agency officials will be more fairly assessed and federal information systems will be more secure.

- Christopher Fountain is president/CEO of SecureInfo Corp., a provider of information assurance solutions to the federal government.