Hollywood on the Potomac
The genesis of that script can be found in the U.S. ICE - the United States Information and Communications Enhancement Act of 2009 - introduced this week by Sen. Tom Carper, D.-Del. The bill - an update of the Federal Information Security Management Act of 2002 - contains provisions in which government-led red teams of hackers assault government systems to test their vulnerabilities.
Such real-time tests are aimed at providing agency heads, CIOs and CISOs with more relevant and current information about IT vulnerabilities than the audits conducted every few years by an inspector general or the Government Accountability Office. These so-called Red Team assaults are one of a number of new ways government agencies will measure IT security under U.S. ICE, if enacted.
Other U.S. ICE provisions empower agency heads to implement automated controls that can stop attacks. A combination of Red Team assaults and automated controls will prove more effective in assuring agency systems are safe than the so-called paper-based compliance required under FISMA, which seems to measure the actions of individuals and not the machines they're paid to protect. Typical is the comment voiced at a Senate hearing Wednesday by Allan Paller, research chief at the SANS Institute, which provides IT security training:
"Federal agencies cannot move effectively to more secure systems unless you shift the emphasis of the FISMA assessments from paper reporting to automated monitoring of essential controls. If agencies are asked to implement critical controls and to automate reporting but still are forced to produce the current FISMA paper reports, they just won't be able to do so.
"Two weeks ago, a federal CIO told me, 'I have a CISO who always gets me to green on my FISMA grades, but the reports he produces have no impact at all on security of our computers or networks. I am setting up a separate group to do real security.' This CIO can do both because of a surge of funding his organization has received from the new stimulus bill. Most CIOs do not have enough money to pay for both the FISMA reports and the important security improvements."
Still, some old practices under FISMA will remain, such as regular audits by agencies' inspectors general. But instead of being conducted every two or three years, these audits will be performed annually.