Abstract: This paper will cover the Federal Information Security Management Act of 2002 (FISMA).
The 107th Congress passed FISMA ten years ago, recognizing the national importance of information security within the government. There are many proponents and opponents of FISMA. Some believe that the act does not have enough detail and creates a paper process that does not improve security; others believe that the basic framework FISMA provides is enough.
Introduction

The Federal Information Security Management Act of 2002 was passed by the 107th Congress ten years ago. The purpose of the bill was stated in six points. First, to provide a comprehensive framework for ensuring proper security controls. Second, to provide government-wide management of information security risks. Third, to develop minimum controls to protect federal information systems. Fourth, to improve oversight of federal information security programs. Fifth, to acknowledge the benefit of commercial information security solutions within the federal government. Sixth, to recognize that specific information security solutions, hardware and software, should be left to the individual agencies. Since the bill was signed into law there has been much discussion as to its effectiveness. The bill does not provide many direct requirements for information security systems, but rather creates a process. Some feel that this framework allows the flexibility agencies need to secure their systems and address their unique needs. Others feel that this bill simply created a complicated and expensive paper process that does not improve the security of federal information systems.

Proponents

Prior to the passage of the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB) reported to Congress that there were a number of weaknesses in federal information security. Those weaknesses included: a lack of attention from senior management, no performance metrics, inadequate security education, failure to account for information security in budget planning, a failure to ensure that third parties such as contractors were properly securing systems, and a failure to share and report vulnerability information. FISMA was created to directly address all of these issues (The National Strategy to Secure Cyberspace, 2003). Specifically, FISMA required that senior management take responsibility for both security and security budgets, removing the separation between responsibility and funding that had previously been identified as a factor in information security problems (The National Strategy to Secure Cyberspace, 2003). In 2005 OMB reported that, due to FISMA, federal agencies had made progress enhancing their information security systems. The report states that due to FISMA it is clear that agencies are correctly prioritizing the testing of security controls and that almost 90 percent of high-risk systems were properly tested. Some agencies did especially well; for example, the Department of Veterans Affairs increased their certified systems from 14 percent to 100 percent (Arnone, 2006). In a 2011 report, the Office of the Inspector General concluded that the Nuclear Regulatory Commission had made progress on securing its systems using the guidelines in FISMA. The report specifically states that the NRC "has continued to make improvements to its information system security program and continues to make progress in implementing the recommendations resulting from previous evaluations" (Dingbaum, 2011, p. i).

Opponents

Although some have seen value in FISMA, others question its effectiveness and consider it a paper process that does not improve security. A common target of these criticisms is the Certification and Accreditation process created by FISMA in conjunction with NIST. Alan Paller, Director of Research for the SANS Institute, spoke at an RSA conference where he stated, "A lot of your money is being thrown away" (Jackson, 2007, para. 11). While he did state that FISMA was not badly written, he pointed out that what is currently measured is not security but whether you have a plan, without consideration of whether the plan improves security (Jackson, 2007). Keith Rhodes, the former CTO of the GAO, supports FISMA but does recognize some of its weak points. He pointed out that if people view FISMA as a checklist then they will not use it to take appropriate action to increase the security of their systems. He went on to state that the process "needs to not be viewed as a paper exercise or allowed to be used as a paper exercise" (Jackson, 2009, para. 13). This flaw is exposed by the fact that in 2008, a time when more than 90 percent of systems had completed the Certification and Accreditation process mandated by FISMA, over 80 percent of agencies suffered some form of security breach (Jackson, 2008). In a recent March 24, 2010 meeting of the House Oversight and Government Reform Committee's Government Management, Organization and Procurement Subcommittee to discuss FISMA, it was stated that "the results have been disappointing" (Jackson, 2010, para. 3). Vivek Kundra, then the Federal CIO, stated that "Despite the improvement reported by agencies, the federal government's communications and information infrastructure is still far from secure" (Jackson, 2010, para. 4). He stated that FISMA has led to agencies focusing on meeting the compliance metrics, which is not enough to secure our systems (Jackson, 2010). The Committee went on to state that rather than focus on compliance as FISMA currently dictates, agencies instead need to focus on performance-based metrics and the management of real risks. Subcommittee Chairwoman Rep. Diane Watson introduced a bill in 2010 to amend FISMA and focus on continuous monitoring and penetration testing rather than just compliance (Jackson, 2010). One of the changes suggested by the Subcommittee has to some degree been put in place: originally, systems were required to undergo a new Certification and Accreditation process every three years. In September 2011 the Obama administration revised the recommendation from every three years to the new requirement of continuous monitoring (Sternstein, 2011).

Analysis

Prior to the passage of the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB) reported to Congress that there were a number of weaknesses in federal information security. Those weaknesses included: a lack of attention from senior management, no performance metrics, inadequate security education, failure to account for information security in budget planning, a failure to ensure that third parties such as contractors were properly securing systems, and a failure to share and report vulnerability information. FISMA was created to directly address all of these issues (The National Strategy to Secure Cyberspace, 2003). Now, 10 years later, we can compare these concerns with the impact that FISMA has had on agencies' operations. The first concern, lack of attention from senior management, has to some degree been addressed: in the Certification and Accreditation process, senior management is required to be involved and takes responsibility for their security controls (NIST SP800-37). Based on this I feel that FISMA did address this weakness. Next, the OMB report found that there was a lack of performance metrics. FISMA and the Certification and Accreditation process do require a good deal of metrics regarding the many controls listed in NIST SP800-53. However, it has been debated whether these compliance metrics equate to performance metrics (Price, 2008). As part of the Certification and Accreditation process, senior management is required to be responsible for their systems, and by design they have the budget authority to impact decisions on IT security budgets. The concern has been raised, however, that since FISMA is so strongly based on measuring compliance and not actual performance, budget decisions may not directly strengthen the security of systems (Jackson, 2010).

Conclusion

In the decade since FISMA was signed into law there have been a large number of changes in federal information security. Many of these changes are for the best. Certainly the Certification and Accreditation process has its flaws, such as high cost and a compliance-based rather than performance-based approach, but recent changes have attempted to refine the process. FISMA has had the direct impact of holding senior management responsible for information security, effectively moving it from a back-room issue into the light of day. This can only have a positive impact on security, and has directly impacted information security budgets. A rewrite or update to FISMA is warranted at this point, as 10 years in information technology is a long time; however, it is not as out of date as it could be, due to the reliance it places on NIST documents that are updated regularly. If the federal government can find a way to streamline the Certification and Accreditation process and make it much less expensive, the bill would have the ability to impact actual information security even further.

References:
Arnone, M. (2006). Risk management critical for FISMA success. Retrieved Mar 2, 2012, from [Link]
Dingbaum, S. (2011). Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2011. Retrieved Mar 1, 2012, from [Link]
Jackson, W. (2007). FISMA's effectiveness questioned. Government Computer News. Retrieved Feb 5, 2012, from [Link]
Jackson, W. (2008). Senate revisits FISMA. Government Computer News. Retrieved Mar 1, 2012, from [Link]
Jackson, W. (2010). Consensus is growing for the reform of flawed FISMA. Washington Technology. Retrieved Feb 27, 2012, from [Link]
The National Strategy to Secure Cyberspace. (2003). Retrieved Mar 1, 2012, from [Link]
Perera, D. (2006). FISMA fizzles. Government Executive. Retrieved Feb 5, 2012, from [Link]
Price, S. (2008). The Fallacy of the FISMA Critics. Retrieved Feb 28, 2012, from [Link]
Sternstein, A. (2011). Retrieved Feb 27, 2012, from [Link]