When the U.S. Congress enacted the Federal Information Security Management Act (FISMA) in 2002, hopes were high that it would prove a major force in compelling government officials to better protect critical systems. Some eight years later, however, detractors of the law can cite swarms of breaches across multiple agencies that highlight massive weaknesses in the federal infrastructure. Their contention: FISMA has done little to produce any shoring up of government network security.
The law's core mandate obligates federal agencies to conduct annual reviews of thoroughly documented and up-to-date information security programs. These reviews are then presented once a year to the Office of Management and Budget (OMB) and, ultimately, to Congress to verify compliance. But, say critics, the various security directives underlying the required risk management planning and yearly reviews have meant only endless paperwork for public officials and have left systems still insecure – this, despite the fact that in fiscal year 2008, federal agencies reportedly spent some $6.2 billion securing the government's total information technology investment of approximately $68 billion.
Whether in spite of or because of FISMA, however, some agency leaders are making strides to vastly improve their overall information security postures and finding better ways to thwart more sophisticated and frequent attacks. John Streufert, CISO and deputy chief information officer of the U.S. Department of State, who is quite familiar with some of the “unintended consequences” of FISMA, is just one government leader taking action to help improve the security of the federal infrastructure and advocate for a needed upgrade to FISMA requirements.
During an SC Magazine Government Roundtable held in late fall of 2009 in Washington, D.C., Streufert spoke to a group of high-level information security leaders from the government sector who gathered to exchange advice and insight about some of the challenges they're facing. Citing a few examples of the occasional illogical and absurd demands that FISMA sometimes has placed on government agencies like his, Streufert discussed at the event how the law “went wrong.”
“We lost track of the fact that we were supposed to be protecting systems and, instead, we would crunch out reports and papers,” he explained.
Before FISMA, his agency, and likely others, already had the necessary mechanisms in place to collect threat and vulnerability data with the end goal of making their systems more secure, he argued. What agencies probably were not doing was collecting the more relevant data on the precise attacks being lobbed at their specific organizations.
“Why not pay attention to the way we're being attacked and put our energies on those?” he asked during the event, which was sponsored by compliance and security vendor ArcSight. This, for him, means enlisting “metrics with the most meaning” for one's particular agency.
FISMA is faulty
As it stands now, FISMA doesn't seem to be helping in this goal, according to many of the government officials who attended the SC Magazine Government Security Roundtable. And, in fact, what's really needed is a change in government policies, not U.S. law.
According to one federal government official, rather than saying the law is broken and, therefore, needs repairing – even though most agree it is inadequate – many of the problems felt by government agencies can be addressed through changes in policy. The problem, though, is that not all agencies may be motivated to implement the correct policies. So, if the OMB uses the State Department as a success story, with the added provision of offering policy advice and various templates that other agencies could enlist in their own organization, then perhaps calls to change the law would become moot.
“And the wonderful thing about policy is that if it doesn't apply to a particular system or program you could waive it. But, if you go after a law, you get a lot of unintended consequences with changing it. Even if you give the language to a staffer, you might not recognize it by the time it comes out of the Congressional committee process,” the government official said. “And the challenge is, once it's in the law, even if it doesn't make sense for a particular instance, you can't waive the law. You don't have authority.”
Still, whether it's welcomed or not, FISMA is here to stay and changes to it are expected, said Bill Crowell, a member of the ArcSight board of directors. “It is quite likely that we will get a new FISMA whether we want it or not, and the question then becomes how to guide that process so that we adopt the really great principles that you [Streufert] espouse, so that there is a consistent outcomes-oriented nature to that law and not a prescription, not an annual report,” he explained. “We want federal systems to meet certain kinds of standards in terms of protecting personally identifiable information (PII), sensitive but unclassified data, classified data, and so on... so that, as has happened with Sarbanes-Oxley, the people who have to implement it are more focused on how to deliver those outcomes and how to meet the inputs that somebody has specified in the law.”
It turns out that various objectives Sen. Tom Carper, D-Del., is proposing in his FISMA amendment (see sidebar, below) reflect many of the thoughts shared by government officials at the SC Magazine Government Roundtable. Beyond the discussion on creating standard policies that all agencies can use and adapt as needed to strengthen their security postures, Roundtable attendees also voiced the belief that the government's use of its buying power was integral to improving security. However, some practitioners at the event did caution that such government-wide purchasing muscle would come with limitations.
“Anyone try to negotiate an enterprise license with Microsoft lately?” asked one lead official with a large government agency, who wished to remain anonymous. “It's very difficult, very difficult.”
For him, during such instances of challenging negotiations with vendors, a successful contract rarely is reached “unless you have [an entity] like the OMB behind you that is negotiating for the whole federal government.” And, even then, the question becomes: What standards for purchasing do agencies enlist?
Unifying procurement principles across multiple agencies to strengthen overall buying power and to implement standard procedures for purchases is a commendable idea, said ArcSight's Crowell, but there always will be tweaks to agency contracts, and features required by some agencies in offerings that aren't necessary for others.
“It's difficult to get conformity among the agencies. It's a worthy notion and we ought to be trying to achieve some of it, but we won't really be able to use federal buying power to drive industry direction because our federal buying power comes in very lumpy,” Crowell said.
Still, another federal government official at the event, whose comments also must remain anonymous, said some efforts already were underway. A guide created with input from private industry players is available to help agencies ease and shorten procurement cycles. These and other such efforts also could have the ancillary result of convincing major vendors to provide agencies with software and hardware solutions that have the most secure configurations possible to meet cybersecurity requirements specific to the federal government.
“I'd like to think that the need for the Department of Homeland Security, for example, to buy products that don't have exploitable software inside them is not just a DHS problem. The enterprise is the one that's at risk, so there have to be ways that enterprises can get procurement organizations to start focusing [on security],” he explained further. “A lot of companies have understood that by building security into their products or servers, it actually is a market differentiator, as opposed to the guys who come in and say, 'Look, security is going to cost you extra.' It basically says we are providing you a shrink-wrapped product that has already had [security] built in.”
Along with standards that could be adopted agency-wide to help with the purchasing of more secure technologies, and perhaps, in the end, drive vendors to make safer solutions, departments also will need to implement better policies, procedures and tools. These will help them to truly understand the threats to their networks, the attacks that are being directed at them, the actions staff and other individuals are taking when using and accessing data, and the ways to remediate against both outsider- and insider-driven cyber incidents. Streufert said that a comprehensive and sound information security program based on continuous monitoring of the infrastructure, like the one his department is just beginning to launch, could go a long way in reaching this vision.
“After six years of studying this, mobilizing to lower risk and quantifying it is both feasible and fast,” he explained to the group. “When you organize as the Department of State, you can see a significant difference in 11 months. Further, change occurred in 24 time zones without any face-to-face contact. So we had to build a system that was self-instructional,” he said. “There's not going to be a single step that is going to do it. These concepts are both adaptable and scalable to other parts of the federal government and I have a personal belief this technology and approach should be applied to other sectors.”
Just last spring, Sen. Tom Carper, D-Del., introduced the U.S. Information and Communication Act of 2009 (ICE) to amend FISMA, with the goal of both unifying security policies across government systems and establishing standards around purchases of security products and services by government agencies. It also looks to drive better coordination among agencies when they are forced to respond to cyberattacks and to push agencies to develop a stronger understanding of what information they have and who has access to it.
Photos of SC Magazine Government Roundtable by Ralph Alswang