FISMA - The Difference Between Compliance and Effective Security

Blogroll

Government CRM Systems
Government ERP Systems

government business systems

FISMA - The Difference Between Compliance and Effective Security
gov

Karen Evans, the person who oversees all federal information technology spending for the White House, recently raised the difference between FISMA compliance and FISMA effectiveness in a Senate hearing. FISMA (Federal Information Security Management Act) is an OMB requirement that kicked off in 2003 and has since resulted in both large amounts of IT spending and those infamous report cards that have embarrassed many federal agencies. Evans was clear that FISMA compliance is not the same as effective cyber security and was instrumental is applying lessons learned from the prior five years in order to create an upgraded standard.

The Senate has now drafted new FISMA 2008 legislation aimed at more effectively linking agency responsibilities under the law with the tasks needed to achieve secure federal information systems. The most cited improvements in the new law are not necessarily the most instrumental. New clauses which add strength to the chief information security officer authority and a step up in red team exercises are clearly helpful, but other less cited factors offer the opportunity to offer significant positive impact if the legislation becomes law.

For one, FISMA 2008 would require federal agencies to buy security built into products and software solutions rather than trying to add it after the fact. The Air Force proved the power of the principle with the now more than 500,000 computers the service has purchased with built-in secure configurations. The result has been savings of more than $100 million, patch upgrade delays reduced from 57 days to 72 hours, and much happier users incurring fewer problems.

Additionally, the new legislation would demand attack-based metrics, suggesting that agencies must demonstrate their information systems are effectively protected against attacks, known vulnerabilities and exploitations. Attack-based metrics requires learning the offense and then using that knowledge to develop the defense.

Lastly, and possibly most striking, the legislation would require agencies to reach governmentwide agreement on what those attack-based metrics must be by establishing a baseline of information security measures and controls that can be “continuously monitored through automated mechanisms.” That phrase marks another significant change from the annual to triannual reviews that were common under the old law.

This is an impressive step up and these changes collectively create a new foundation for dramatic transformation of federal cyber security. As an added by-product, the effort can coordinate the efforts of chief information officers and inspectors general because both will be measured against a common set of attack-based metrics.

Posted October 1, 2008 in IT Mandates
Technorati: GovernmentIT Add to Technorati Favorites
Del.icio.us: GovernmentIT Save this page to del.icio.us
View CC license
Permalink | Comments (0) | Trackback (0)

Please forward COMMENTS to howard[at]governmentblogger.com.

Trackback for this post is http://www.governmentblogger.com/fisma.htm.

GovernmentBlogger.com | Government IT Blog