Compliance with the Federal Information Security Management Act (FISMA) of 2002 has been just that–compliance. Critics rail against it, calling the reg a paperwork drill that has done little to improve the security of federal government IT systems and networks. Agencies continually earn failing grades and reams of classified and unclassified data, reportedly, still leak out of government computers into the hands of foreign conspirators.
Lawmakers are trying to reverse the tide by calling for an overhaul of FISMA, with real-time threat and vulnerability monitoring and meaningful metrics for federal networks. On Wednesday, the House Oversight and Government Reform Committee’s government management, organization and procurement subcommittee heard testimony from high-ranking government IT officials, including federal CIO Vivek Kundra, who made it abundantly clear that FISMA is outdated, pointing out that it was written and passed before the age of mobile computing and cloud services.
“Significant issues have hindered the federal government’s effectiveness in cybersecurity,” Kundra said. “This culture of compliance (born of FISMA), a lack of coordination between agencies, a failure to take an enterprise approach to security, and a fragmented research and development agenda.”
Kundra said he has been working closely with newly appointed cybersecurity coordinator Howard Schmidt in the development of a national cyber incident response plan that outlines key roles and responsibilities across the nation linking all levels of the government as well as the private sector.
Chairwoman Diane Watson (D-Calif.) introduced a bill last week, HR-4900, the Federal Information Security Amendments Act of 2010, that would give FISMA its much-needed do-over. The bill combines policy recommendations and legislative proposals from both the Cyberspace Policy Review and the Commission on Cybersecurity for the 44th President. Foremost, the bill would establish a national office for cybersecurity within the executive office that would oversee the cybersecurity posture of the federal government, Watson said. Its mission, she said, would be to develop and manage an inter-agency board, including the Office of Management and Budget, military agencies and the public sector, that would craft policies and guidance to help with cybersecurity response.
“This would move agencies away from the paper-intensive process of FISMA and would use automated technologies and outcome-based performance measures for determining a risk profile,” Watson said. “Using these capabilities, agencies have complete data at their disposal for mitigating significant vulnerabilities and combating future threats.”
Watson’s bill would require the OMB and agencies to cooperate on security procurement decisions around commercial security products and services, as well as on vulnerability assessments.
“Those provisions offer the best way forward to ensure information security is built into agency systems from the beginning of the procurement lifecycle,” Watson said.