FISMA Reform: 6 Priorities to Consider
Security Metrics, CISO Council Discussed for New Bill
Legislation reforming the Federal Information Security Management Act could be introduced within weeks, says bill co-sponsor Sen. Tom Carper, the Delaware Democrat who chairs the subcommittee that provides oversight of federal government information security.
Carper said he wants to be partners with the Obama administration in truly reforming information security laws and regulations. "We have a new administration, senior leadership is being named, and we want to give them a chance to settle into new positions," he says in an exclusive interview with GovInfoSecurity.com. "We could introduce legislation this month, but I don't know if that would be reflective of the kind of partnership I want to begin with."
Indeed, before drafting the legislation, the Senate panel wants to examine the findings of a 60-day review of government information security by the White House cybersecurity expert Melissa Hathaway due April 17 and a soon-to-be-issued Government Accountability Office (GAO) study on information security metrics employed by select businesses and government agencies.
Congress enacted FISMA in 2002, establishing a framework for government agencies to bolster IT and network security and requiring annual audits. The law created a process in which agencies had to show they complied with information security safeguards, but such compliance didn't necessarily assure safe IT systems. As cyber attacks have soared in the past few years, a consensus is building among lawmakers and current and former government IT security officials that Congress must enact a law making specific individuals in departments and agencies accountable for information security. The forthcoming legislation would be similar to the bill that passed the Senate Homeland Security and Governmental Affairs Committee but never received a full Senate vote as members turned their attention to last November's election and the faltering economy.
What could be in FISMA reform or related legislation? According to Carper and others, legislative action could include:
Creating a government-run strike force, patterned after the one that conducts periodic force-on-force assaults aimed at taking over nuclear power plants, to attack federal IT systems to test their security. "We would require Homeland Security to conduct red-team operational evaluations against our own networks to use what we think are likely vulnerabilities that bad guys and gals can exploit," Carper says. "We think it makes sense to be part of the law." Findings from these red-team assaults could supplant or at least supplement agency inspector general audits.
Identifying metrics to determine whether government IT systems are truly secure, supplementing existing rules that only determine whether agencies follow certain steps to comply. Some metrics could be based on security practices developed by the National Institute of Standards and Technology (NIST). But even with better metrics, government IT systems will remain vulnerable. "There's no such thing as a secure system," says Ron Ross, senior computer scientist at NIST's information technology labs and among the institute's experts on measuring IT vulnerability. "We can reduce our risk to a tolerable degree, but there is never a hope to this point of nailing everything down all of the time. It's just not achievable at this point."
Establishing a Chief Information Security Officer Council and requiring each department and agency to have a CISO. The measure would have agency CISOs reporting to their chief information officers. "The bottom line is accountability," says Good Harbor Consulting chief operating officer Paul Kurtz, a top cybersecurity official in the Clinton and Bush White Houses. "Someone from each agency has to be accountable. That has been a huge problem; in fact, I would call it the biggest problem that we have across federal agencies."
Exploiting the government's purchasing power to get vendors to build and provide more secure IT products. "We (could) use that enormous purchasing power to obtain commercial solutions that are more secure or reliable," Carper says. "We ought to find a way to use that purchasing power."
Developing awareness programs to get departmental and agency employees from the cabinet secretary to the clerk to understand what each individual must do to assure IT systems and data are secure. "Just providing the awareness and education across all of the domains that the Congress has oversight in our federal government is a key starting place [for regulatory reform]," says retired Air Force Lt. Gen. Harry Raduege, who co-chaired the Commission on Cybersecurity for the 44th Presidency, a report that has been favorably received on Capitol Hill.
Encouraging more funding for information security research. The government budgeted 0.2 percent of its research and development budget on information security development, or $300 million this fiscal year, an amount the Commission on Cybersecurity for the 44th Presidency deems inadequate.
"It's a question of prioritization, and looking at the cybersecurity budget overall and the entire (government IT) R&D budget, and whether it's aligned with the environment we live in today," says Dan Chenok, a former Office of Management and Budget IT official who served on the 44th Presidency commission and Obama transition team. "Are we doing R&D on the IT problems of tomorrow, or are we still doing R&D on the projects created 10 years ago? It's not necessarily a question of new money, but also involves better aligning research that's already there."