The Public Eye with Eric Chabrow

Death Knell for FISMA?

Federal CIO Vivek Kundra, in testimony presented to a House panel on Tuesday, threw his weight behind efforts to remove FISMA as the guiding force of federal IT security compliance. Succinctly, Kundra outlined his feelings about the seven-year-old law:

  • The performance information currently collected under FISMA does not fully reflect the security posture of federal agencies;
  • The processes used to collect the information are cumbersome, labor intensive, and take time away from meaningful analysis; and
  • The federal community is focused on compliance, not outcomes.

From his desk within the White House Office of Management and Budget, Kundra says he's actively seeking ideas from a variety of quarters to evaluate new metrics to succeed those outlined in FISMA. Kundra says he's collaborating with federal agency CIOs and chief information security officers, inspectors general, the National Institute of Standards and Technology and a broad array of organizations, from the public and private sector as well as academia.

Though Kundra didn't endorse specific legislation in his prepared remarks before the House Committee on Oversight and Government Reform's Subcommittee on Government Management, Organization and Procurement, the CIO's words seem to back a Senate bill, the United States Information and Communications Enhancement Act, introduced several weeks back by Sen. Tom Carper, D-Del.

"Our sense is that too often we have agencies who manage what we call paper compliance rather than really addressing the security of their networks, we want to go beyond paper compliance," Carper told earlier this year. "We want to the best of our ability just ensure that our networks are more secure."

Few see the usefulness of FISMA these days, even its author, former Rep. Tom Davis. In an interview with a few months ago, Davis said:

"Well, I think we are ready to take it to the next stage at this point, but at the time I think it took it to a level where you created an awareness in the department, you created some appropriate awareness within it and some guidelines for them to follow and we followed it up with the grades, and I think as a result of that we made some improvements. That was years ago and I think we are ready now, and we have been ready, to take it to another level."

Now, Kundra is turning up the heat on FISMA reform. His voice counts a lot, especially if he's speaking for the Obama administration. And, we suspect, he is.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
