Content

Is FISMA fizzling?

Can the Federal Information Security Management Act have an upside to the government, Eric Butterman asks.

When the Federal Information Security Management Act of 2002 (FISMA) was enacted, there was a sense of uncertainty mixed with hope. Uncertainty, as there always can be with a government initiative, and hope that maybe vital technology standards would finally be met.

But for Rob Rachwald, director of product marketing at Fortify Software, a San Mateo, Calif.-based security company, the initiative presented something IT staffs didn't need more of: paperwork.

“FISMA is strong in theory, but in the end you're rewarding people for filling out forms. And for those that fail the FISMA test, where's the punishment? You get published in the Washington Post as being ‘bad.' That hurts you for all of two weeks. That's not a solution. It's a joke,” he says.

But Andy Purdy, former acting director of the National Cyber Security Division/US-CERT of the Department of Homeland Security, argues that FISMA lent some punch to technology reform, and not just punch lines.

“FISMA has helped drive progress and effort by creating awareness,” he says. “That's something we needed, but it hasn't made sure that money goes to building the most important capabilities of the agency's organizations.”

Many hope that FISMA will be revised to help make it a better reflection of the progress of security, he adds. “So if you have a good score, it should mean you have good infrastructure.”

Purdy notes that the problem that FISMA presents goes further than its rules – all the way to the private sector.

“There's not enough sharing of information across agencies. You don't know how many endpoints connect to the network. If we could share information across government agencies and have private sectors throw in technology knowledge, the results are unlimited,” he says.

Howard Schmidt, former White House cybersecurity advisor, says serious consequences abound from FISMA's inadequacy in assigning responsibility.

“We're starting to see more and more that there's a lack of accountability. Who is accountable if the CIO has the technical controls and somebody doesn't follow them? It's up to each agency to act like an HR department,” he says.

Who's doing it right?
One program that Purdy believes FISMA needs to learn from is the Federal Desktop Core Configuration initiative. This U.S. Air Force program created a standard configuration for two Microsoft Windows operating systems. The USAF then leveraged its procurement power to drive vendors to install the secure configuration in its computers.

“This program works for baseline con-figurations,” Purdy says. “It's a work in progress and requires companies to have certification before they can be deployed from the networks. It's going to help reduce risk.”

It's all about finding management for the information systems' security line of business, he adds. “It's about finding excellence for capabilities so agencies that can't do it for themselves can use other agencies that can.”

The Federal Desktop Core Configuration initiative will be extended beyond Windows, says Purdy. White House officials have asked the private sector to protect networks, but are hoping that will move from the information-sharing model to a collaboration model, he adds.

Schmidt also feels positive about the Air Force initiative in comparison to FISMA.

“This initiative is the way you want to make progress,” he says. “The more complex the environment, the harder it is to secure flexibility. We need to do business as easily as possible. We don't need all these things running on a desktop. We have to be much better at being preventative and having standardization.”

Yet the practice of standardizing might fall short of its promises.

Jeff Henry, director of government business for AirMagnet, a Sunnyvale, Calif.-based wireless firm, argues that the standardization on the desktop applications is a positive, but this step also carries a negative component.

“Government entities can all have different needs for specialized software depending on what's being developed for that particular government agency. You can have codes being developed outside the United States, but have to go to vendors and say, ‘I want you to build this software specifically for me,' and it will cost a lot more money,” he says.

Where do we go from here?
Henry thinks there are tough challenges looming ahead for government initiatives in the coming years.

“As far as helping the tech community, we in the private sector and those in the government need to get better control of the way software is done and that means closing the loopholes,” he says.

A primary example is when a government agency awards a contract to a vendor and the vendor doesn't meet criteria. If the government procuror lets the vendor slide, and then the application doesn't mesh to everything, then the whole solution isn't usable, he points out.

However, some experts believe the future is brighter than others might think.

“We've seen in defense and energy that [the government] turned the tide to get [vendors] to build secure products for their needs. Government has influence when it comes to awareness and will have opportunities to use it.”

Schmidt cites as an example feedback after recently giving a speech. “People were commenting that we haven't had major international events for four years. That shows we're getting better at this and we are attacking vulnerabilities early.”

Still, questions remain, not only about how to change initiatives like FISMA, but whether or not the government will veer away from these guidelines.

Says Henry: “I don't think the government will scrap FISMA, but it will morph into Department of Defense regulation points because FISMA itself is lax. These days you need to have a higher level of enforcement all across the board.”

Fortify's Rachwald agrees that FISMA isn't going anywhere, especially with the support of the paper shufflers.

“It's been great for people who know how to fill out forms. Why would they want it to go away?”

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.