What can the private sector learn from the government’s ramped-up IT security? Plenty, says Jerry Harold
The federal government has spent billions of dollars over the past two decades to improve the security of its information systems. After years of poor IT security, it identified two main reasons for poor performance: a lack of senior attention to IT security and broken management processes.
Many of the lessons learned from this process can be directly applied to help organizations in the private sector.
If broken management processes are the problem, what is the solution? In December 2002, President Bush signed Public Law 107-347 (the "E-Government Act"), which contains the Federal Information Security Management Act (FISMA). Based on real-world lessons identified through years of audits and assessments, FISMA drives the federal government's approach to improving its IT security. The professional audit community helped to frame FISMA, and many of its provisions have roots in IT audit methodologies that apply to both commercial and government organizations.
Putting the weight of public law behind the government's IT security programs, FISMA gives federal executives the authority to enforce IT security actions, support budget requests and focus management on IT security. This mandate creates a compelling justification for progress when security managers face resistance from uncooperative managers and staff. It also empowers the White House through OMB to enforce FISMA, as well as good security practices across federal agencies.
Under the Act, ultimate responsibility for IT security now lies with the head of each of the federal agencies. Also implicit in the legislation is the idea that IT security responsibilities span the management chain, with each employee having some role to play in security.
Requiring management responsibility called for a change in behavior across large government organizations. Therefore, FISMA contains specific provisions for agency heads to report regularly to the White House, specific committees within Congress, and the General Accounting Office. Agencies also are publicly rated by scorecards that depict their progress and evaluate management's effectiveness.
The implications of budgeting
In addition to these requirements, questions of budgeting come into play. Each agency must now include IT security in its strategic and capital plans. The strategic plan must outline how the IT security program will apply security across the lifecycle of new and existing systems. This will require managers, who traditionally focused on the functional aspects of IT, to ensure that IT security is adequately funded.
Under the Act, budget itself becomes a motivating factor. When those controlling the purse strings begin tying budget to IT security, managers will quickly make IT security a focus in order to preserve their budgets. The White House's OMB is authorized to use "all appropriate" means to require agencies to address security by managing the budget process. The OMB won't fund new requests for IT projects unless the request includes appropriate IT security activities. In addition, the OMB will not approve additional budgets for existing IT programs unless agencies show satisfactory progress on addressing audit findings.
Under OMB direction, the Federal government has developed measures to track progress on key IT security areas of weakness. Agencies must implement processes to track progress, and report on the progress to OMB and Congress in quarterly and annual reports. Federal agencies report progress in areas such as securing (certifying and accrediting) their major applications and progress in resolving IT security audit findings.
Key FISMA requirements involve the chief information officers (CIOs) and Inspectors General (IGs), who must now perform annual security assessments. The CIO's 'self-assessments' and the IG's 'independent evaluations' are critical for ensuring that organizations continuously identify problems and work to improve them. When tied to managerial accountability and enforcement through the budget process, the government creates a very significant incentive to improve security.
Jerry Harold is co-founder and vice-president of Netsec.
Federal Information Security Management Act (FISMA)
The legislative mandate applicable to federal information security is the Federal Information Security Management Act of 2002 (FISMA). This act requires the chief information officer (CIO) of each federal agency to develop and maintain an agency-wide information security program that includes:
- Periodic assessments of risk;
- Security policies, plans, and procedures;
- Periodic testing and evaluation;
- Security awareness training to inform personnel;
- A security deficiency remediation program;
- Incident detection, reporting, and response;
- Plans and procedures to ensure continuity of operations.
FISMA further mandates that each agency report annually on its compliance with these requirements. All of this must be accomplished against a backdrop of limited fiscal and personnel resources, and in keeping with the President's Management Agenda.