Goodbye FISMA (As We Know it)
I have already shared some of my views on the Federal Information Systems Management Act (FISMA) in previous blog entries. This statute was passed with the intention of creating a broad framework for safeguarding government information and computing operations against security threats. Signed into law as part of the Electronic Government Act of 2002, FISMA mandates that government officials perform yearly reviews of information security programs to mitigate risk to an acceptable level, or in some cases even lower.
Virtually everyone who has been involved in trying to achieve FISMA compliance is familiar with the many limitations of this statute. First and foremost, to comply with this statute involves generating huge amounts of paperwork to document actions (or lack thereof) taken to address the many areas that FISMA describes. A completely ineffective security practice can get high FISMA marks, as has happened numerous times before. Second, what FISMA requires has little relevance to real-world security risks. In fact, FISMA is a major distraction and resource parasite when it comes to mitigating these risks. Finally, achieving FISMA compliance gives a very false sense of information assurance.
When FISMA first went into effect, government officials complained vociferously. Over time, however, their opposition subsided. Why? Government agencies and departments are bureaucratic, and FISMA compliance is the epitome of the bureaucratic busywork to which they are so accustomed, so the two fit together naturally. Government officials quickly learned that the trick to getting FISMA compliance off their backs was simply to hire a team of contractors and consultants to generate piles of paperwork while other activities continued.
Two US Senators, Joseph Lieberman of Connecticut and Tom Carper of Delaware, have recently introduced a Senate bill that would render the 2002 version of FISMA obsolete. S 3474, called the Federal Information Security Management Act of 2008, would end the requirement for a plethora of paperwork. Instead, it would require that each government agency have a chief information security officer (CISO), who would be given the authority to terminate access to networks on the grounds of lack of compliance with the information security policy. S 3474 would also beef up information security-related requirements in connection with contracts with external vendors. Finally, the proposed legislation would require yearly tests of the effectiveness of controls against unauthorized access to sensitive government information.
Hurrah for Senators Lieberman and Carper. FISMA as we know it may have done a little good in that it may have stimulated awareness of areas that a cybersecurity practice needs to address, but that is about all. Although S 3474 is far from perfect, at least it shifts the emphasis to mitigating real-world security risks—something that would be far more cost-effective. I predict that if the provisions of this bill are signed into law, this legislation will be only the first in a line of increasingly stronger legislation.
So—out with the old, and in with the new.