DHS Addresses New FISMA Responsibilities
"It's going to be a phased implementation," Bruce McConnell, counselor to Deputy Undersecretary Philip Reitinger of DHS's Protection and Programs Directorate, the highest ranking IT security official at the department, said in an interview with GovInfoSecurity.com. "We're not instantaneously going to do everything that is envisioned. The idea is over the next year to really build this up into a much more robust program than what OMB has been able to do. So it will be, of course as you know, very lightly staffed."
In the interview, McConnell addresses:
- Why the administration sees this approach as more efficient;
- New DHS staffing needs to tackle the new FISMA tasks; and
- The working relationship between DHS and federal agencies on FISMA compliance.
ERIC CHABROW: Why is giving the Department of Homeland Security more responsibility to assure civilian federal agencies compliance with the Federal Information Security Management Act a good idea?
BRUCE McCONNELL: It's a good idea for a couple of reasons. First of all, by having DHS do this, it assures that an agency's operational perspective will be brought to bear on the reporting requirements for government agencies. In other words, DHS has to comply with these requirements just like anybody else. We think that will help make the reporting requirements under FISMA more meaningful, more useful from an operational standpoint. One of the main thrusts of this is to move away from more of a paper exercise, certification and box-checking compliance, to operational monitoring and making sure we're measuring what the actual state of security is. So having that kind of agency operational perspective in this will improve that.
This will cause it to be better integrated into the work that DHS does protecting the agencies. The federal network security group that administers these FISMA requirements works very closely with US-CERT (United States Computer Emergency Readiness Team), which is the place where we do all our alerting from. By having those organizations basically right down the hall from each other, we think there will be a faster feedback loop between the issues that arise out of the FISMA reporting and reporting to CyberScope (a reporting tool) and the kinds of information that we're getting through the US-CERT process, and we will have a faster correction path for resolving vulnerabilities.
CHABROW: From a practical standpoint, what do these responsibilities mean to departmental and agency chief information security officers and chief information officers?
McCONNELL: The most important piece is that what is measured will be what is operationally useful for improving security. So at the CIO level and the agency head level, and even at the CISO level, there will be better visibility into the current state of actual security, which will make it easier to identify where the issues are and work to correct them.
CHABROW: Will they be working with people at DHS that they hadn't been working with before, and who will these people be?
McCONNELL: I think they'll be working more with the people at DHS. I think we've been working with them a lot, but the shift of responsibilities is requiring us to bring some more people into the loop on this and staff up a little bit. The group that is doing this is headed by Matt Coose in the Office of Cybersecurity and Communications, and his group, which is called Federal Network Security, has already been working with the agencies on a variety of things. They will be the people who work with the CISOs on this particular piece.
CHABROW: And when you say additional staffing, can you give a sense of how big?
McCONNELL: We're still discussing that transition plan with the Office of Management and Budget because these are new responsibilities for us. It's going to be a phased implementation. That is to say, we're not instantaneously going to do everything that is envisioned. The idea is over the next year to really build this up into a much more robust program than what OMB has been able to do. So it will be, of course as you know, very lightly staffed.