Is FISMA fixable?
According to the federal government's latest cybersecurity report card, the U.S. Department of Defense — the organization executing military operations in Iraq and Afghanistan — fails. So does the State Department, the agency negotiating with the likes of Iranian president Mahmoud Ahmadinejad and North Korean leader Kim Jong-il. Also branded with an F is the Treasury Department, which houses the Internal Revenue Service and the U.S. Secret Service.

At first glance, the federal government's information security grades, according to the Federal Information Security Act of 2002 (FISMA), are cause for concern — if not sleepless nights. The cybersecurity infrastructure of eight departments failed the law's checklist during fiscal year 2006, the same number as the year before, although the government's overall grade rose from a D+ to a C–.

However, there are success stories. The Departments of Energy and Health and Human Services pushed 2005's failing grades to a C– and a B, respectively. The Department of Justice improved from a D to an A–, while Housing and Urban Development went from a D+ to an A+ during that time. One way for information security officers to improve FISMA grades is to follow the example of these agencies by better organizing their departments' reporting processes in preparation for audits.

Before cybersecurity leaders can properly configure their systems to meet the auditors' demands, they have to find out exactly what comprises their networks, gauge employees' security expertise and then organize a strategy. That requires leadership from the agency CISO or CIO, says Abe Kleinfeld, president/CEO of nCircle, a San Francisco-based provider of agentless security risk and compliance management solutions.

“The reason [for poor grades] is the sheer size of the agencies,” he says. “And they have to change the ways that they do things. It takes a very strong individual and it takes a strong person to change the way things are done.”

Professional experience organizing the network of a non-centralized corporation or organization can be a great help in this process. Because a CISO securing networks for the State or Defense Departments, for instance, must fend off cyberattacks in a number of countries, it's beneficial to have personnel with experience at large corporations with a number of offices, says Tracy Hulver, vice president of marketing and product management at netForensics, an Edison, N.J.-based security and compliance solutions provider.

“One of the problems is that in order to secure something, or to give a level of adequate security, you have to know what you have. You have to know what's on those systems — some of which are so large, and so distributed, that going through the process of what comprises a network is such a large task,” he says. “They have to make sure they get security experts who have worked on the commercial side. You get your CIO from Bank of America or somewhere like that — people who have experience with securing massive networks and who have had to answer to CEOs or boards.”

Should FISMA grade on a curve?

Andy Purdy, president of DRA Enterprises, a consulting firm, and the former acting director of the National Cyber Security Division, says the single most positive development regarding a federal agency is the Justice Department's use of the Cyber Security Assessment and Management program to prepare for FISMA audits.

“They're creating the ability to have a picture across all federal agencies so they can see where they stand. They're creating the ability to see where the shortcomings are and to see the ways that management is improving it,” he says.

Security pros trying to improve on a FISMA grade must also mind the element many regard as the weakest link of any organization, public or private — employees. Despite FISMA raising awareness of cybersecurity issues — as have recent cyberattacks against the Estonian government — educating end-users remains a challenge, in addition to organizational structure, says Chris Fountain, president/CEO of SecureInfo, a San Antonio-based provider of information security solutions.

“It's hard to say that there's one thing across the board that they could do [to improve scores]. Historically there's an inventory issue, where if you don't know what you have, you can't secure it. If you look across all these departments, some of the CSOs and the CIOs don't have the level of authority they need,” he says. “Awareness is an issue across government, and there's clearly a gap there. The people factor is a very significant issue, so with a penetration testing program you really need to reflect that by doing social engineering attacks.”

Cybersecurity experts with opinions on FISMA are plentiful, many claiming that the law forces government employees to spend too much time preparing for the inspector general instead of working to improve their department's actual security infrastructure. The key to a good FISMA grade is organizing paperwork in the way that auditors want to see it, says Alan Paller, director of research for the SANS Institute, citing the improvement of the Justice Department from a D to an A– from 2005 to 2006.

Dealing with the audit

“What [the Justice Department] did was to take FISMA reporting out of the hands of consultants and basically write the reports that were required in a computer program and generate the reports automatically. So once they persuaded the [inspector general] that the program was answering all the right questions, they got past the hurdle of the IG,” says Paller. “See, your grade doesn't have anything to do with how you're doing, it has to do with how well you deal with the audit.”

FISMA critics also say that the grades don't present an accurate barometer of federal preparedness for a cyberattack or loss of data. The Defense Department, for example, is prepared for many unique cyberthreats, but the Pentagon still received a failing FISMA grade for the second consecutive year, says Mike Guiterman, Snort community manager at Sourcefire.

Linking FISMA with security

“If you look at the Department of Housing and Urban Development for instance, they improved from a D+ to an A+ by completing an inventory of their assets that they hadn't been able to improve in the past. Not being compliant with FISMA or getting an F doesn't mean they're insecure,” he says. “I think everyone acknowledges that the Defense Department's F is not a reflection that they have a porous network. Using that as a measuring stick, someone can get an A+ and their network can be porous.”

The public embarrassment of a failing grade, combined with the fact that no CIO or department chief wants to be hauled in front of Congress to testify about a porous network, means that security professionals in the public sector often must spend myriad hours ensuring that their paperwork is in place, as well as securing their networks. That could be improved by more closely linking FISMA requirements with operational security procedures, says Amit Yoran, CEO of NetWitness, a Herndon, Va.-based provider of network forensic analysis products. Yoran is also a former director of the National Cyber Security Division.

“I've had CISOs in significant government agencies saying, ‘I'm spending more time and money on FISMA than the actual security itself.’ FISMA has the right intent, but oftentimes an inverse impact on an organization's security,” says Yoran, who sees no changes to the law during this Congress. “There are a couple of different theories about where [FISMA] is going, but I think ultimately the biggest flaw is that there is no operational tie to the actual reality of systems monitoring and security monitoring.”

Cutting cybersecurity funding?

While Hulver is emphatic that FISMA must have “teeth” — significant penalties for failing or lackluster grades — he says financial, resource-cutting consequences could hinder the overall cybersecurity effort. Cutting cybersecurity funding would hurt a CISO's overall mission, while more personal responsibility could improve an organization's security infrastructure, says Hulver.

“I don't think that losing funding is an answer because the lack of funding could be a reason that they're getting the bad grades,” says Hulver. “There should be penalties, like losing your job, or stiffer penalties that say, for instance, ‘If you don't improve by two grades, we will audit you twice a year.’”

Despite a tense political climate on Capitol Hill, Purdy notes that there are forces in the legislative branch working to refine FISMA, giving hope that a new version of the law will better reflect preparation for cyberattacks and other threats facing federal networks.

“I do hope there are some revisions to FISMA so...the grades reflect adequate cybersecurity. I think efforts on the Hill...trying to revise FISMA should make it a better reflection of the cybersecurity aspects,” he says. “You need to make revisions to make the actual requirements very dynamic and to address vulnerabilities and attacks and crime remediation. Those are dynamic real-world issues so that cyber-preparedness is reflected in FISMA.”