The Basics

FISMA

By Judi Hasson

What Is It?

During the 1990s, the government transitioned from mainframe computers to networked computing, connecting federal employees to one another as well as to the public. Agencies also began to create Web sites to present information to the public and offer new ways to access services.

But the new networked government also opened up databases to hackers as well as to federal employees who were inclined to snoop through private data or wanted to cause problems. When agencies began to develop a system or network, they rarely included plans to secure data or deploy applications that could monitor intrusions or detect whether employees were accessing forbidden files. That left federal systems wide open to cyberattacks, which increased in intensity for years.

Congress became more concerned about the growing number of reports that warned how vulnerable computer networks were to hacking and federal managers' lack of attention to, or concern about, securing their networks. That fear culminated in the passage of the 2002 Federal Information Security Management Act, known as FISMA.

FISMA mandates basic security standards for government information technology systems. It requires agencies to detect and report security vulnerabilities in computer systems. It also calls for them to improve the information security framework -- the blueprint for how they will secure their networks. It includes a set of directives governing agencies' security responsibilities and how to comply with the law.

FISMA requires a federal agency to notify the United States Computer Emergency Readiness Team, a partnership between the Homeland Security Department and public and private organizations, if it detects an attempt to break into a computer system, if a security breach occurs, or if another security incident occurs, such as an employee losing a government laptop. The law requires agency program officers, chief information officers and inspectors general to conduct an annual review of the agency's information security program and report the results to the Office of Management and Budget. OMB uses this information for an annual report it submits to Congress on how well agencies have complied with the law.

FISMA standards apply to 24 federal agencies. Each of these agencies receives a grade on how well it has met 17 security functions. FISMA requires agencies to develop information security programs that, according to the Government Accountability Office, include:

* Periodic assessments of risk;
* Risk-based policies and procedures;
* Subordinate plans for providing adequate information security for networks, facilities and systems or groups of information systems, as appropriate;
* Security awareness training for agency personnel, including contractors and other users of information systems;
* Periodic testing and evaluation of information security procedures and practices, performed with a frequency depending on risk, but no less than annually;
* A process for planning, completing, evaluating and documenting remedial action to address deficiencies;
* Procedures to detect, report and respond to security incidents; and
* Plans and procedures to ensure continuity of operations.

Every year, agencies are graded on how well they comply with FISMA. Since the grades were first issued in 2002, most agencies have received a failing grade. FISMA is intended to advance information systems to a higher level of security, and agencies are getting better grades every year. But agency systems still have plenty of flaws and the grades reflect that.

Why Should I Care?

With the increase in electronic information, federal agencies are relying extensively on information systems to carry out their missions. But this reliance also has increased the risk of hackers breaking into federal networks to steal sensitive government data and people's identities and break into bank accounts and apply for fraudulent credit cards. More computer activity also opens up agencies to more computer viruses that can disrupt systems.

Agencies routinely integrate new technologies into existing computer systems, and each time an application or upgrade is added, it creates the possibility that another security vulnerability has been introduced. Research shows that federal IT managers, as well as those in the private sector, do not recertify and accredit the system soon after the addition.

Many agencies have not implemented controls to prevent, limit or detect access to computer networks, systems or information, according to GAO. And agencies do not consistently identify and authenticate users to prevent unauthorized access or establish sufficient protection mechanisms.

A lax approach to security may partly be the reason why the number of security incidents -- such as files being accessed by persons not authorized to do so, scans and probes of networks, and malicious code finding its way into a system -- has been increasing at a rapid rate over the past few years. The number of incidents agencies reported to US-CERT rose from 3,634 in fiscal 2005 to 13,029 in fiscal 2007, a 259 percent increase, according to the organization.

"The security of these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud and the inappropriate disclosure of sensitive information," GAO wrote in a letter to Congress on July 27, 2007.

The Latest Thinking

FISMA's history has been marked by controversy. Many government security experts say the law does not make agencies' systems more secure because FISMA requires agencies to report whether they've followed processes to check for system vulnerabilities, not whether they've implemented practices that directly affect information security. As such, critics call FISMA an exercise in paper pushing, requiring agencies to submit frequent reports that outline their compliance with processes. In a June 2007 report, GAO wrote: "Opportunities exist for enhanced FISMA reporting and independent evaluations. Although OMB increased its reporting guidance to agencies, the metrics used do not measure how effectively agencies are performing various activities. For example, agencies report on the number of systems undergoing test and evaluation in the past year, but there is no measure of the quality of agencies' test and evaluation processes. Additionally, there are no requirements to report on certain key activities such as patch management."

While agencies make progress in implementing certain information security requirements, critics say the law has still left federal systems vulnerable. "FISMA has overbureaucratized [security] to the point you don't know what it means," says Bruce Brody, vice president for information assurance at CACI International Inc. and associate deputy assistant secretary for cyber and information security at the Veterans Affairs Department from 2001 to 2004. "It does not mean that an 'A' makes you secure and an 'F' makes you not secure."

How Do I Get Started?

Most agencies are far along since they've had five years of FISMA reporting. They should have compliance procedures in place and be evaluating their grades every year with an eye toward improving them.

OMB has specific guidance about individual FISMA requirements, which include:

* Make an inventory of systems for monitoring, testing and evaluating information security controls.
* Provide information security for systems that support the agency's operations and assets, including those managed by another agency or contractor.
* Develop a process for planning, implementing, evaluating and documenting remedial action to deal with deficiencies.

How Do I Get Better Grades?

The goal of any security program is to have nothing happen. But you can never be sure that you will have a quiet year or your security systems will not be attacked.

One of the most significant problems information security executives face today is where to invest in security. Should money be devoted to fight specific new types of security attacks, or would it be better to direct funds elsewhere if there is no evidence of routine attacks?

One way to attack the problem, security experts say, is to think about complying with FISMA. Make sure you know which parts of your security program got bad grades so you'll know what you need to improve. Also, be sure you stay in compliance in the areas with your highest grades so they don't drop.

Judi Hasson is a Washington-based freelance journalist who covers government information technology.

FISMA Reports:

Fiscal Year 2007 Report to Congress on Implementation of the Federal Information Security Management Act of 2002

The Security Content Automation Protocol Checklists

Information Security: Sustained Management Commitment and Oversight Are Vital to Resolving Long-Standing Weaknesses at the Department of Veterans Affairs
