GAO: Agencies Can't Get FISMA Just Right
DHS Responds That Guidance Needs To Be Updated
Major agencies continue to struggle with implementing the Federal Information Security Management Act, the law that governs federal government cybersecurity, more than a decade after Congress enacted the measure.
That's the gist of a new Government Accountability Office report, which contends it's essential for federal agencies to improve their efforts to establish a robust security posture.
"Until steps are taken to address these persistent challenges, overall progress in improving the nation's cybersecurity posture is likely to remain limited," says the report's author, Gregory Wilshusen, GAO director of information security issues.
The GAO takes to task the Office of Management and Budget and the Department of Homeland Security, which oversee federal agencies' implementation of FISMA, for not developing effective measures or establishing performance targets to report on agencies' progress. That makes it more difficult to assess accurately the extent to which agencies are securing their IT systems, Wilshusen says.
FISMA requires each agency to establish an information security program that incorporates eight key components (see end of story for list), and each agency inspector general is required to annually evaluate and report on the information security program and practices. FISMA also requires the OMB to develop and oversee the implementation of policies, principles, standards and guidelines on information security at agencies, and it requires the National Institute of Standards and Technology to develop security standards and guidelines.
The GAO report says that of the 24 major agencies it studied, the number that had analyzed, validated and documented security incidents increased from 16 in 2011 to 19 in 2012. But the GAO says the number of agencies able to track identified weaknesses fell to 15 from 20. And in 2012, all but one of the 24 major federal agencies had weaknesses in the controls that are intended to limit or detect access to computer resources.
The GAO recommended that OMB and DHS develop:
- Compliance metrics related to periodic assessments of risk and development of subordinate security plans, and
- Metrics for inspectors general to report on the effectiveness of agency information security programs.
DHS concurs with the recommendations. But one of its officials suggests the focus on the current compliance-based metrics framework required by FISMA is outdated. Instead, says Jim Crumpacker, director of DHS's GAO-OIG Liaison Office, IT security governance should use an approach that establishes targets for acceptable security and measures performance and outcomes. Crumpacker says the government is doing just that with its continuous diagnostics (formerly continuous monitoring) and mitigation program, known as CDM.
"With the advent of CDM, the focus will shift to security outcomes and prioritization of risks," he says. "Under the current FISMA compliance framework, specific data as to the effectiveness of mitigations and the true cost of non-compliance remain limited."
A survey of federal IT and IT security managers, published days before the GAO report, shows that 83 percent believe continuous monitoring will improve security at their agencies. Just over half of the managers surveyed by MeriTalk, a public-private partnership aimed at improving government IT, say FISMA improves government IT security.
Echoing Crumpacker's comments, Mark Weber, president of the U.S. public sector business at storage provider NetApp, which sponsored the survey, says there's a continuing shift from compliance to continuous monitoring. "FISMA's compliance model is not keeping up with the evolving security landscape or the security demands," he says.
Those weaknesses caught the attention of the leaders of the Senate committee with IT security oversight. Sen. Tom Carper, the Delaware Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee, says the GAO report makes clear that federal agencies have their work cut out to enhance their information security.
"Federal agencies need to fully implement meaningful security programs that can withstand the serious cyberchallenges we face today and will face for the foreseeable future, and they need the proper oversight, resources and guidance from Congress and the administration to help them accomplish that critical goal," Carper says.
The senator hints that FISMA reform legislation is coming, but neither he nor his staff provided specifics on the progress of such legislation. "I continue to work closely with my colleagues in the Senate and House, especially Dr. Coburn, on bipartisan legislation that will address the very serious cyberthreats facing our country, including updating our current FISMA framework to provide continuous, real-time security," says Carper, referring to the ranking member on the committee, Sen. Tom Coburn, R-Okla.
Coburn says the GAO report confirms a disturbing fact: The federal government has miles to go to protect its own systems.
Past Efforts at FISMA Reform
In the past two Congresses, Carper sponsored legislation to reform FISMA, but his bills never came up for a vote (see Senate, Again, Fails to Halt Filibuster). It's not that there isn't bipartisan support for FISMA reform; there is. But in the last Congress, FISMA reform was combined with other bills that contained more divisive provisions into the Cybersecurity Act of 2012. Among those contentious provisions: creation of IT security standards that critical infrastructure operators could voluntarily adopt and processes for the government and private sector to share cyberthreat information; some lawmakers contend the information sharing provision didn't provide sufficient liability protections to business.
"FISMA reform isn't terribly contentious, so that's good," says Allan Friedman, research director for the Brookings Institution's Center for Technology Innovation. "It could be part of a low-hanging-fruits bill that might also include cybercrime provisions, cybersecurity research and education and some basic DHS directives, but avoid the controversial questions of regulation or information sharing. This would hand Congress an easy win, and could be pointed to as a bipartisan victory. This sort of approach didn't fly in the last Congress because the leaders in the cybersecurity space were still trying for something substantial."
The eight key FISMA components are:
- Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification or destruction of information or information systems;
- Risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system;
- Subordinate plans for providing adequate information security for networks, facilities and systems or groups of information systems, as appropriate;
- Security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency;
- Periodic testing and evaluation of the effectiveness of information security policies, procedures and practices, performed with a frequency depending on risk, but no less than annually. That includes testing of management, operational and technical controls for every system identified in the agency's required inventory of major information systems;
- A process for planning, implementing, evaluating and documenting remedial actions to address any deficiencies in the information security policies, procedures and practices of the agency;
- Procedures for detecting, reporting and responding to security incidents; and
- Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.