FISMA Efficacy Questioned
Real-time Metrics Needed, Says Federal CIO Vivek Kundra
Recent breaches at the Federal Aviation Administration and at the vendor that hosts USAjobs.gov demonstrate that the state of federal information security is not what citizens should expect, federal CIO Vivek Kundra testified before the House Committee on Oversight and Government Reform's Subcommittee on Government Management, Organization and Procurement. He said the seven-year-old Federal Information Security Management Act has raised agencies' awareness of information security but suggested it has outlived its usefulness.
"The performance information currently collected under FISMA does not fully reflect the security posture of federal agencies," he said in prepared remarks. "The processes used to collect the information are cumbersome, labor-intensive, and take time away from meaningful analysis. The federal community is focused on compliance, not outcomes."
FISMA compliance is spotty at best. Gregory Wilshusen, director of information security issues at the Government Accountability Office, told the subcommittee that 20 of 24 major agencies noted that the information system controls over their financial systems and information were either a significant deficiency or a material weakness. Wilshusen testified that most agencies in the past few years have not implemented controls to sufficiently prevent, limit or detect access to computer networks, systems or information. "An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agency-wide information security program, as required by FISMA," he said, adding that 23 of the 24 major federal agencies had weaknesses in their agency-wide information security programs.
And, he said, the number of security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased dramatically in the past three years, rising from 5,503 incidents in fiscal year 2006 to 16,843 in FY 2008, a 206 percent increase.
Even if FISMA worked perfectly, Kundra said, new metrics would be needed. FISMA's measures, he pointed out, are mostly compliance based rather than leading indicators. "We need metrics that give insight into agencies' security postures and possible vulnerabilities on an ongoing basis," Kundra said. "We will never achieve our security goals through compliance alone because security threats are fluid and constantly changing."
Legislation before the Senate, the United States Information and Communications Enhancement Act, would supplant FISMA by requiring continuous security monitoring of government information systems.
Margaret Graves, acting chief information officer of the Department of Homeland Security, sees merit in FISMA, crediting the law and hard-working departmental employees with providing the framework needed to strengthen DHS's IT security posture. But she told the subcommittee that more is needed to assure IT security. "The original FISMA statute advanced the state of cybersecurity," Graves said. "What is also apparent is that simply maintaining a controls framework alone is not enough."