Agency Infosec Spend a Mystery to OMB
Carper: $40 Billion Spent on FISMA Since 2002
Kundra said he was shocked to learn that the OMB never collected from agencies specific IT security expenditures, just aggregate data, when he took over earlier this year as the OMB's administrator for e-government and IT, his statutory title.
Without such information, Kundra said, OMB cannot effectively assess how one agency compares against another in securing IT assets, nor can the government gain a deeper understanding of the value its cybersecurity investments furnish. He said OMB has begun collecting that information for the past fiscal year.
Kundra testified before the Senate Homeland Security and Governmental Affairs Committee's Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, whose chairman, Sen. Tom Carper, found it disconcerting that OMB employs few if any cybersecurity experts and that specific agency spending on IT security is unknown.
Carper said that just the certification and accreditation process required by the Federal Information Security Management Act costs $1.3 billion annually, and estimates another $1 billion is spent each year for agency inspectors general to audit FISMA compliance. In total, Carper said, the government has spent $40 billion related to FISMA since its enactment in 2002.
"And even more troubling," Carper said, "agencies may be constrained from implementing the most basic of cybersecurity best practices because of inflexible requirements. Allow me to put that into perspective: federal agencies have spent more on cybersecurity than the entire gross domestic product of North Korea, which some have speculated to be involved with some of these cyber attacks. That is simply unacceptable."
Much of the hearing focused on new ways to assess the security of federal government IT systems and data, with agreement from all the witnesses and Carper that the current process in which departments and agencies demonstrate how they comply with FISMA and OMB information security directives must be replaced with a system that validates in real-time the security of IT systems. The Delaware Democrat introduced a bill in April, the United States Information and Communications Act, to create a new process to verify IT security safeguards in the federal government. Similar House legislation is being written.
Gregory Wilshusen, Government Accountability Office director of information security issues, presented a GAO report encouraging OMB to require agencies to adopt key attributes of successful information security measures identified by experts from nationally known organizations, academia and state agencies. Such measures share four attributes: they are quantifiable, meaningful, clearly defined and linked to practices used to make decisions. "To the extent that agencies do not measure the effectiveness and impact of their information security activities," Wilshusen said, "they may be unable to determine whether their information security programs are meeting their goals." (Read our The Innovators profile on Wilshusen.)
Another witness, John Streufert, deputy CIO for information security at the State Department, told the subcommittee about an initiative in which departmental computers around the world are continuously scanned to identify weak security configurations as compared with FISMA, which provides a snapshot once every three years. "Since mid-July," Streufert said, "overall risk on the department's key, unclassified network measured by the risk-scoring program has been reduced by nearly 90 percent in overseas sites and 89 percent in domestic sites." (Listen to or read a transcript of our interview with Streufert: Leaving FISMA in the Dust: A True Metric for IT Security.)
Former Rep. Tom Davis, the Virginia Republican who authored FISMA, told the panel "it is time to take FISMA to the next level." But he noted that in the early 2000s, the government had no coordinated policies to address the threat of cyber attacks, and FISMA provided important first steps in protecting the government's critical IT infrastructure. "FISMA has undoubtedly served to elevate the importance of information management and information security in government," Davis said. "That said, there is room for updates and improvements." (Read a transcript of our interview with Davis.)