FISMA Reform or Not? 5 Government Cybersecurity Challenges in 2010: Part 3
Sen. Tom Carper won't be getting his birthday wish - made during an interview last year - of President Obama signing his bill to reform the Federal Information Security Management Act of 2002 in a Rose Garden ceremony by his birthday, this coming Saturday, Jan. 23.
Major provisions of the measure, the United States Information and Communications Enhancement Act, would require federal agencies to use real-time metrics to determine the true security of their IT systems, in contrast with the existing practice that requires them to show how they comply with FISMA rules. And it would standardize across the government the security configurations of commercial off-the-shelf IT products and services that government agencies purchase. A bill being drafted in the House would do the same thing.
But the Senate and House diverge on their approach to FISMA reform as well as the wider matter of governing cybersecurity within the federal government. The revised version of the U.S. ICE Act would give more authority than it did when first introduced to the Department of Homeland Security, including granting DHS the right to review, though not approve, the IT security budgets of other departments and agencies. And Senate bill writers last summer removed a provision from the original measure to establish a White House Office of Cyberspace to coordinate federal cybersecurity policy.
But a letter written by one of the sponsors of the House bill, Rep. Diane Watson, suggests the House bill will not grant DHS as much authority, citing "bureaucratic barriers" that included agency jurisdictional disputes, ineffective lines of authority and inadequate prioritization of protecting government cyberspace. "I am also concerned that recently appointed DHS leaders and administration stakeholders remain disorganized and entrenched in ongoing jurisdictional disputes that have historically prevented them from making the kind of critical changes that are necessary to remedy our cybersecurity deficiencies governmentwide," said Watson, chair of the House Oversight and Government Reform Subcommittee on Government Management, Organization and Procurement.
Whether FISMA itself needs to be reformed has been questioned. New guidance from the National Institute of Standards and Technology provides steps government agencies can take to monitor IT security in near real time. "Legislation will come and legislation will go," said Ron Ross, NIST senior computer scientist and FISMA implementation project leader. "We are making fundamental changes on the ground here that will significantly impact our federal agencies' ability to protect their systems."
Even without legislative change, the Federal Chief Information Officers Council has established a task force to develop new information security performance metrics that focus on outcomes. In a blog post he coauthored, federal CIO Vivek Kundra wrote that FISMA "metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies' information and network security postures, possible vulnerabilities and the ability to better protect our federal systems."
And the Office of Management and Budget is considering implementing new metrics as part of the annual reporting processes by federal agencies required under FISMA that would involve, for the first time, real-time measurements to determine the security of IT assets. Comments on OMB's plans were due in early January.