The Public Eye with Eric Chabrow

No New Law Needed to Reform FISMA?

"You don't need ICE to fix this, meaning that OMB has always been able to make this right," says one of the nation's foremost IT security experts, Alan Paller, director of research for the SANS Institute, the not-for-profit provider of computer security training and professional certification and operator of the Internet Storm Center, an Internet security monitoring system.

Legislation before Congress, including the U.S. ICE bill, would promote real-time monitoring of the security of IT systems over so-called paper compliance, in which the White House Office of Management and Budget grades agencies on how well they document their compliance with regulations. And, as Paller points out in a conversation we had Tuesday, agency CIOs and CISOs care mostly about how they're graded by OMB. "If you get your grade on how many reports you write, that would be what matters," Paller said. "If the auditors measure your continuous monitoring, that would be great."

Paller contends the Bush administration prevented its OMB administrator for e-government and IT from interpreting FISMA to emphasize real-time monitoring over paper compliance. "They just couldn't do it in the old administration because it was admitting that everything they had been doing before was wrong," Paller said. "Plus, the northern Virginia (IT security) contractors were giving such a large amount to the (Republican) Party that they didn't want it to change at all. Anytime she started to talk about change, they had the political forces in the White House leaning on her."

Though he's hesitant to predict what new Federal CIO Vivek Kundra will do, he thinks the new administration looks more favorably than the previous one on interpreting regulations to favor real-time compliance. "It may not take the bill to get the change, but it took the writing of the bill to get OMB to see that all forces were lined up in the right direction," Paller said. "So, the bill having been written mattered. But (ICE) may not have to pass."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
