Bye, Bye, FISMA
Last week Jerry Davis, NASA’s information security chief, sent a memo that directed system managers to move away from FISMA certification of systems in favor of continuously monitoring computer systems for vulnerabilities and reporting security threats in real time. Until then, NASA had to undergo FISMA audits. Under NASA’s new direction, this agency must submit yearly status reports describing the security condition of its computing systems and networks as well as whether or not vulnerabilities that have been discovered are within acceptable levels of risk. A major catalyst for this change was testimony provided by Federal CIO Vivek Kundra before the US House Government Management, Organization and Procurement Subcommittee. Kundra argued that the US government’s approach to information security needs to be far more risk-based. Additionally, Davis said that he felt that the Obama Administration was supportive of a move towards a more risk-based approach to information security.
I predict that NASA’s decision will be the proverbial opening of the flood gates that results in a mass exodus from FISMA and towards a continuous, risk-based approach to information security. The next significant development is bound to be that FISMA itself will be declared no longer applicable. Ongoing attempts to make this legislation more appropriate appear to be going nowhere, so the complete demise of FISMA in the not-too-distant future is not difficult to foresee.
I’ve written about FISMA several times before, saying that it is little more than a bureaucratic paperwork exercise in which documentation about security controls rather than the actual condition of security is evaluated. A US government organization can have absolutely miserable levels of security, and yet pass a FISMA audit with flying colors, something that has happened more than a few times in the past. With FISMA out of the way, government agencies and departments can adopt a much more realistic approach to security. They are also likely to be able to substantially reduce their labor costs in the process, something that Davis also pointed out.
If other US government agencies and departments follow NASA’s lead, they will have to continuously monitor the security condition of their computing systems and networks rather than having to demonstrate compliance at a particular “snapshot in time.” Funny thing—the PCI Standards Steering Committee is moving in the same direction with respect to the PCI-DSS standard. If these two highly overlapping developments truly indicate a trend, the audit process will have to change drastically from how it normally works today. This is not to say that all audits are “snapshot in time” audits—I’ve attended talks by auditors at conferences in which continuous monitoring approaches to audit have been tried. But if there is a shift to continuous monitoring, both auditors and those being audited will have to make numerous changes and adjustments. System and network administrators will, for example, have to adjust to auditors proverbially looking over their shoulders as they go about their daily tasks. The nature, meaning and resolution of audit findings are also likely to change substantially. Information security practices may need full-time staff members just to deal continuously with audit questions and issues.
Change characterizes just about everything in life, and nothing seems to change as much as things in the IT arena. The winds of change regarding the nature of compliance appear to be blowing, so keeping an ear tuned to them would be an excellent idea.