Legislation introduced last week in the House of Representatives proposes to update the Federal Information Security
Management Act (FISMA) of 2002, including the continuous monitoring of security threats based on government agency risk profiles.
"While some agencies have shown great success in harnessing technology and human capitol to reduce risk profiles, others simply comply with annual reviews that reveal only a fraction of the threats," said Rep. Diane E. Watson (D-Calif.). "It's clear that the notion of being compliant with current law does not equal adequate security across an agency's IT infrastructure.''
The Federal Information Security Amendments Act of 2010 (H.R.4900) would reform FISMA compliance in a number of ways:
- Establish a National Office for Cyberspace within the executive office of the president, with its director appointed by the president and confirmed by the Senate.
- Establish a new oversight body to be called the Cybersecurity Practice Board.
- Shift to real-time threat monitoring to federal IT infrastructure.
- Build security into the procurement process.
"What we're trying to do is promote the notion of harmonizing security frameworks across civilian and business systems," Watson said.
Changing cybersecurity threats and agency risk profiles
Federal CIO Vivek Kundra testified that he wants to see more federal agencies collaborating with the private sector in developing tools that would monitor and address cybersecurity risks on a continuous basis. "Agencies are leveraging platforms that didn't exist eight years ago, including cloud computing and mobile," he said.
Alan Paller, director of research at The SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group, underscored Kundra's point, describing the bill as part of the process of shifting from a "culture of compliance" to a performance-based model. "Both the guidance for implementing FISMA and the guidance for auditing FISMA compliance are focusing on out-of-date, ineffective defenses," said Paller in his written testimony.
Last October, Kundra announced the launch of Cyberscope, an interactive data collection tool that would allow meaningful analysis of performance-based security metrics developed by the Office of Management and Budget. Kundra said the federal cybersecurity dashboard populated by those metrics will launch within "a matter of weeks."
In his testimony, Kundra said the government should focus on testing for weaknesses and investing in technologies that allow network hardening, not "paperwork compliance." To that end, Kundra said the 2011 budget provides for "red teams" and "blue teams" to do penetration testing on federal systems. One group of cybersecurity professionals would attempt to defend systems, the other to find weaknesses.
The federal cybersecurity landscape has changed, according to the testimony of John Streufert, CIO for information security at the Department of State. "Programs have typically been implemented through manual updates and compliance checks, which limit our ability to implement Web 2.0 technologies, among many others," he said.
Streufert has earned praise for implementing continuous monitoring of the state department's information networks worldwide, reducing weaknesses in its IT systems. The controls that Streufert implemented were based on the Consensus Audit Guidelines put together by a consortium led by John Gilligan, president of Gilligan Group Inc. and a former Air Force CIO. Streufert testified that the State Department's "risk scoring program," based on metrics from the National Institute of Standards and Technology (NIST), has reduced the amount of risk to the department's IT systems by 90% during the past 18 months.
"Some pre-hearing press reports announced the imminent death of FISMA," said Dan Philpott, a federal information security architect at a Washington, D.C.-based consulting firm and founder of FISMApedia.org. "FISMA isn't dead, but it may have hit puberty." Philpott pointed out that HR 4900 echoes many of the elements of the ICE Act (S.921), a similar bill introduced in the Senate last year.
Philpott questioned the validity of Kundra's testimony that referenced budget numbers the State Department used to support its argument that compliance wastes money. Quoting those numbers, Philpott said that during the past six years, the Department of State spent $133 million on 95,000 pages of security documentation for approximately 150 major IT systems.
"This works out to roughly $1,400 per page on paper 'snapshots' that are often outdated a few days after being published," he said. "The word for an argument like this is fallacious."
Connecting standards to implementation
"Studies show that relatively unsophisticated attackers represent the majority of attacks -- approximately 80% as assessed by the NSA," Gilligan said. "A relatively unskilled individual can download an attack and cause significant harm."
"While NIST does a great job producing guidelines, implementation is often poor," he said, adding the entity would bridge the gap between standards and policy. He also emphasized the importance of FISMA's focus on procurement, which would enable federal agencies to not only affect prices, but also drive changes in policy.
"We're trying to create scheduled enterprise procurement, whether it's networking, firewalls or data loss prevention technologies," Kundra testified. "Frankly, security investments are actually best when they're baked into systems."