The Federal Information Security Management Act (FISMA) is a United States federal law and part of Title III of the E-Government Act of 2002. Authored and championed by Rep. Tom Davis, the act is meant to improve computer and network security within the federal government. The National Institute of Science and Technology (NIST) and other authorized bodies have published guidance for relevant agencies to improve information security consistent with FISMA. Although the intent of FISMA is to provide a comprehensive risk management framework for ensuring that federal information assets are secure, the publicity surrounding the annual compliance reporting process and FISMA report card has taken center stage.
While the pressure of annual FISMA grades has done a good job of increasing awareness about securing our nation’s vital information assets, the framers of the law were likely not interested in having federal agencies become primarily focused on compliance reporting. People working across the federal government in the information assurance profession should focus on securing information systems and sensitive personal data.
Compliance demonstration should be a collateral benefit of a comprehensive information security program. Controversy surrounding the grades and agency efforts focused on getting a good grade instead of implementing effective security programs has created negative publicity for FISMA. The challenge is taking the very complex problem of protecting information systems and boiling it down to a single grade at a single point in time. However, grades actually assess an agency’s ability to demonstrate compliance. Further exacerbating the challenge is that the grades are highly subjective and based on audits performed by people with varying experience and inconsistent interpretation of regulations and guidance.
The problem can be solved by developing and implementing a standardized and quantitative assessment program to determine whether information systems are truly secure instead of assessing an agency’s ability to document compliance. Conducted on an ongoing, unscheduled basis, the assessment program should include a deep inspection of key information security program elements and simulated attacks. The deep inspections and simulated attacks should be performed by a dedicated centralized group of specialized and certified information security auditors who utilize a common framework for their work.
The inspections should be based on a statistically significant random sampling much like a financial audit. The simulated attacks should be designed to identify computer system weaknesses and user awareness issues. Social engineering-based penetration testing techniques could be used to determine how effectively federal workers and contractors follow policy.
The findings would provide a consistent and substantive method for assessing the effectiveness of an agency’s security posture and its ability to manage risk. Properly formulated and taken in the right context, the results would enlighten those charged with securing our nation’s information assets and produce actionable results.
Beyond compliance reporting and the grade, FISMA lays a solid foundation for securing our nation’s information assets. FISMA and related guidance provides federal civilian and Department of Defense agencies with a comprehensive risk management framework, clear organizational accountability, assignment of key personnel charged with securing systems, and robust instruction to aide the information security professional with fulfilling their mission. Adding a highly quantitative-based assessment program will ensure FISMA serves its intended purpose. Agency officials will be more fairly assessed and federal information systems will be more secure.
– Christopher Fountain is president/CEO of SecureInfo Corp., a provider of information assurance solutions to the federal government.