5 Ways to Strengthen FISMA
Nation's IT Infrastructure at Risk, GAO Says
"The need for improved cybersecurity in the federal government is clear," wrote Wilshusen, GAO's information security issues director.
In the letter, GAO offers five ways Congress can strengthen the Federal Information Security Management Act, the law that governs IT security in the federal government. The five proposals:
- Clarify requirements for testing and evaluating security controls.
- Require agency heads to provide an assurance statement on the overall adequacy and effectiveness of the agency's information security program.
- Enhance independent annual evaluations.
- Strengthen annual reporting mechanisms.
- Strengthen OMB oversight of agency information security programs.
Wilshusen was responding to two follow-up questions by members of the House Committee on Oversight and Government Reform's Subcommittee on Government Management, Organization and Procurement, stemming from a May 19 hearing on federal information security. One question solicited the views of GAO, the investigative arm of Congress, on how FISMA could be improved; the other solicited GAO's view on the Cybersecurity Act of 2009, a bill sponsored by Senators Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine.
Wilshusen says the bill, known as S. 773, is intended to improve cybersecurity in the United States. According to the bill, America's failure to protect cyberspace is one of the most urgent national security problems facing the country, a point Wilshusen didn't dispute. In the last fiscal year, he says, GAO determined that 23 of the government's top 24 agencies did not have adequate controls in place to ensure that only authorized individuals could access or manipulate data on their systems and networks. "The present cybersecurity strategy and its implementation had not been fully effective in mitigating the threat," he wrote. He reported that the number of IT security incidents reported by federal agencies has increased dramatically over the past three years, tripling from 5,503 incidents reported in fiscal year 2006 to 16,843 incidents in fiscal year 2008.
To remediate these problems, GAO recommended:
- Developing a national strategy that clearly articulates strategic objectives, goals and priorities;
- Establishing White House leadership;
- Publicizing and raising awareness about the seriousness of the cyber security problem;
- Focusing more actions on prioritizing assets, assessing vulnerabilities and reducing vulnerabilities than on developing additional plans;
- Bolstering public/private partnerships through an improved value proposition and use of incentives;
- Focusing greater attention on addressing the global aspects of cyberspace;
- Placing greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts; and
- Increasing the cadre of cyber security professionals.
On the five ways to improve FISMA, Wilshusen wrote:
- Clarify requirements for testing and evaluating security controls. "Federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls. Clarifying or strengthening FISMA and its implementing guidance for determining the frequency, depth, and breadth of security control tests and evaluations could help agencies better assess the effectiveness of the controls protecting the information and systems supporting their programs, operations and assets."
- Require agency heads to provide an assurance statement on the overall adequacy and effectiveness of the agency's information security program. "Such assurance statements should include an identification and analysis of significant deficiencies in information security, and should consider the impact of deficiencies identified in the agency's remedial action plans."
- Enhance independent annual evaluations. "FISMA could be improved by specifically requiring that the independent evaluation be conducted in accordance with government auditing standards and include (1) an assessment of management's process for developing the conclusions in the assurance statement, (2) an identification of any significant deficiencies in management's process and (3) a statement about whether, based on the independent evaluation, there are any significant disagreements with management's conclusions on the overall adequacy and effectiveness of information security within the agency."
- Strengthen annual reporting mechanisms. "(OMB) reporting instructions do not request inspectors general to provide information on the quality or effectiveness of agencies' processes for developing and maintaining inventories, providing specialized security training and monitoring contractors. In prior reports, we have also recommended that OMB develop additional performance metrics that measure the effectiveness of FISMA activities, such as requiring agencies to report on patch management and ensuring that all aspects of key FISMA requirements are reported on in the annual reports. We are currently reviewing the use of metrics to guide and monitor information security control activities at federal agencies and at leading nonfederal organizations."
- Strengthen OMB oversight of agency information security programs. "OMB does not explicitly approve or disapprove agencies' information security programs. FISMA requires OMB to review agencies' information security programs at least annually, and approve or disapprove them. This mechanism for establishing accountability and holding agencies accountable for implementing effective security programs was not used. Implementation of this mechanism can provide additional oversight."