After years of proposed changes, FISMA is finally morphing. What entered the legislative record in 2002 as the Federal Information Systems Management Act is almost certain to become the Federal Information Systems Modernization Act under the new Congress, following passage by its predecessor in December.
The name change highlights a major shift, says Maria Horton, who was CIO for the National Naval Medical Center as FISMA made its way into law. “By modernization, Congress and the president are looking at how to modernize in order to protect our security,” says Horton, currently founder and CEO of EmeSec, a Reston, Va.-based consultancy with federal government clients. Under FISMA 2.0, as it is commonly known, “agencies themselves must be prepared to report on a breach, how large it is, how many people are affected, and the circumstances surrounding it,” she says.
FISMA 2.0 would replace what has typically been federal agencies' triennial cybersecurity compliance assessment. More frequent reports, with a strict deadline to report data breaches, would supplant the older system. It further calls for “automated security tools to continuously diagnose and improve security.” The Department of Homeland Security, which played a coordinating role for compliance with little authority under the original legislation, would play a more formal and central role under the proposed legislation, with the department's $6 billion “Continuous Diagnostics and Mitigation” contract providing federal departments and agencies with a range of choices for cybersecurity products and services.
To appreciate the impact of the changes, it's useful to step back and look at the history, says Juanita Koilpillai, CEO and president of Waverley Labs, a Waterford, Va.-based consultancy that often works with clients in the federal government. “With the current FISMA evaluation, it is hard for implementations to be consistent across the board,” she says. “Systems that are in compliance are not secure and vice versa. Even checking for four of the 20 critical controls proposed by SANS Institute is an expensive exercise.”
FISMA: The next generation
Critics of the original FISMA implementation acknowledge that its complexity and shortcomings are the result of its rapid rollout amid a major political and bureaucratic transformation. At its outset, FISMA was essentially a post-9/11 mobilization of the feds' IT teams to systematize and generalize cybersecurity practices and performance across disparate federal agencies. The armed forces and national intelligence agencies were carved out of the new law, given their presumed IT security proficiency and their requirements for ultra-secrecy.
But every other federal entity – from the sprawling array of agencies and bureaus to the massive Department of Veterans Affairs (VA) – had to get on board. Inspectors general were charged with issuing letter-grade reports to be filed with the Office of Management and Budget (OMB). The then-new Department of Homeland Security (DHS) was subsequently designated to oversee the process, but the department lacked the administrative authority – and, initially at least, the technical expertise – to do so.
OUR EXPERTS: Federal breach law
Yo Delmar, VP for governance, risk and compliance, MetricStream
Karen Evans, director of the U.S. Cyberchallenge
Maria Horton, founder and CEO, EmeSec
Juanita Koilpillai, CEO and president, Waverley Labs
David Monahan, research director, risk and security management, Enterprise Management Associates
Suni Munshani, CEO, Protegrity
Larry Ponemon, chairman and founder, Ponemon Institute
Richard Schaeffer, Riverbank Associates
In the decade-plus of FISMA's existence, critics have complained that agencies had an interest in dumbing down their compliance reports, says Larry Ponemon, chairman and founder of the Ponemon Institute, a North Traverse City, Mich.-based firm that conducts research on privacy, data protection and information security policy. “Historically, a lot of organizations would do poorly on this, with a letter grade of C- or D,” Ponemon says. “The lower the grade, the more money you would get from Congress. If you get an A, Congress would say, ‘we don't have to fund you.'”
But FISMA's critics often lose sight of the fact that the act was originally under the umbrella of the General Services Administration before DHS was created, says information security veteran Karen Evans, who oversaw its initial implementation as administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget. Another problem: the requirement that compliance grades had to be completed at least every three years.
The three-year reporting timeline may appear to some as evidence of bureaucratic inefficiencies. But, in fact, most agencies had a difficult time securing the IT and IT security talent and resources to perform a complex and time-consuming task, says Richard Schaeffer, who heads Riverbank Associates, a Severna Park, Md.-based cybersecurity consultancy and was a former senior executive with the National Security Agency (NSA).
“I think actually the grading was incredibly uneven, not because of FISMA, but because of people implementing it,” he says. “Very few federal agencies had a good idea of what their infrastructure looked like, how it was configured and how access control and so forth was really done.”
DHS takes charge
The need for a FISMA overhaul was voiced more frequently with every documented vulnerability and data breach involving federal agencies. But as the Bush era gave way to the Obama years, the effort stalled. Some of the delay was due to general Washington gridlock, but there was also an intense debate specific to FISMA over how to boost DHS's authority over implementation while preserving OMB's ultimate authority, says Evans.
FISMA 2.0 resolves the long-running dispute by giving DHS meaningful operational oversight while tasking OMB with charting progress in compliance, Evans says. “It allows [OMB], with variants, to measure incremental improvements from year to year. That is the key change.”
To meet those more stringent FISMA 2.0 requirements – including reports to Congressional committees – federal agencies are expected to go shopping for technical hardware and software information security solutions.
Leading information security providers say they're ready. “FISMA 2.0 wants to get to insights and agility,” says Yo Delmar, vice president for governance, risk and compliance at MetricStream, a Palo Alto, Calif.-based service provider. That, she adds, points toward the increasing use of analytics to help agencies move from basic FISMA compliance to risk assessment and reduced incident response times.
Federal agencies should beware of FISMA 2.0 solutions that may constrict their ability to defend against evolving threats, says Suni Munshani, CEO at Protegrity, a Stamford, Conn.-based provider of data security solutions. “The first question is about transparency,” he says. “Is this something I can change without being beholden to some black box technology?”
One of the biggest obstacles to data security improvements in civilian federal agencies is the reluctance to collaborate across bureaucratic lines, says David Monahan, research director, risk and security management at Enterprise Management Associates, a Boulder, Colo.-based industry analyst and consulting firm. “Security people are notoriously bad at sharing information, mainly out of fear or arrogance,” he says. “The government agencies have traditionally been well into the arrogance and fear part of the equation.”
FISMA 2.0, with its rigorous monitoring and reporting requirements, just might change that. “With their collective resources and the right tools, they have the capability to share information to vastly improve their overall defense posture,” Monahan says. “Even if one falls victim to a particular attack, the others can use the shared information to prevent – or at least limit – the scope of their own compromises.”