FISMA: The Misunderstood Law
"We can't just automatically assume that they are going to be just attacking someone else because they are more critical, what they work with is more critical than what we do," says Patrick Howard in an interview with GovInfoSecurity.com (transcript below). "History has demonstrated to us that any agency can be viewed as a conduit because we are so interconnected with each other on the federal side. They can pass through us because we're maybe a weak link in order to get to their real target, which we happened to be connected to."
In the interview, Howard also addressed problems he sees with the Federal Information Security Management Act. "The legislation requires risk management, but it has been interpreted as a piece of legislation that requires compliance, so we kind of lost sight of risk management ... and that's the biggest problem I see with FISMA today," Howard says.
Howard also discussed the NRC's five-year information security strategic plan and the top cyber threats the NRC IT systems face.
Howard spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: In January, in the Federal Register, the Nuclear Regulatory Commission solicited comments on an information security strategic plan for 2010 to 2015. What is NRC's information security vision for the next five years?
PATRICK HOWARD: I think that was really the purpose of our strategic plan, was to identify that very thing. We have a whole lot of equities, a lot of different offices that are involved in information security here. The plan, we did want to outline who is doing what, what are the roles and responsibilities, what are we doing today. Measure that against what the best practices are, where do we want to be down the road in order to have an effective, coherent, well-integrated program and then start to fill the gap.
We are building the government structure to do that. I think it is a matter to be able to support our mission, both the internal one, as far as how we protect information here internally, as well as the external one. A lot of our offices deal with our licensees, our regulated entities. We want to bridge that and be able to have a program that is able to address both.
CHABROW: You've been there for a year and a half now?
HOWARD: Sixteen to seventeen months, something like that, yes.
CHABROW: How would you describe the IT security office back when you arrived and the way it is today?
HOWARD: Well, hopefully it is better, and I think it is. It was a pretty new office when I came on board in March 2008. NRC did not have, until recently, a computer security office. The function of IT security was integrated in with our IT operation staff, because of the need for independence and to meet some of the requirements of FISMA (Federal Information Security Management Act). It was smart to establish a new office, called a computer security office; the commission did that back in late 2007.
When I came on board there were shortages in personnel. The positions had been created, but not all had been hired against. There really were no policies and procedures, up-to-date ones anyway, in place. I just received an "F" on the most recent FISMA report, so I had a lot of work to do there to get into compliance with that mandate. Also saw a whole lot of people working very hard, trying to improve security. I think it was a matter of just needing some direction, some coordination, some processes and some experience in implementing best practices. That was kind of the picture when I got here, and we're making strides in all of those areas.
Probably the most notable ones are the material weaknesses that we had when I got here have been taken care of. They are no longer at play. Last year's audit report, they indicated that we had made significant progress in certification and accreditation of our IT systems and contingency planning at the system level, and we've made great improvements there. We've made even more in just this last year; we're up around the 90-percent mark now as far as having all of our systems certified and accredited, and then all of our systems do have contingency plans.
CHABROW: A major complaint of FISMA, as you well know, is that it is sort of focused on certification and accreditation, and does not necessarily reflect IT security, whether systems are truly secure. Were commission computer systems secure despite the low grades?
HOWARD: Probably so in a lot of ways. I think we were still doing a lot of the right things here, as far as perimeter security and a lot of the policies and procedures. We didn't have a good implementation of certification and accreditation, however. I think our approach to it was maybe a little bit more stringent than it had to be, or didn't have the understanding of the requirements, and it was very difficult for them. I think the No. 1 ingredient there to making progress was educating people on a process and maintaining its stability, making sure that it was consistent, that it was understandable and that it was not ever changing. C&A did not, or our lack of C&A, didn't necessarily demonstrate that we weren't secure in our case. C&A just provides another means of providing additional assurance of security, and that is kind of the way that we've looked at it.
CHABROW: What do you think of FISMA; do you think it definitely needs to be changed now? Do you think there should be new metrics for IT security?
HOWARD: I think there is room for improvement. I've never had much issue with FISMA itself as a piece of legislation. I thought it was well-crafted and it met the government's need at the time. I think the problem is the way it's been measured, the way it's been implemented across the agencies. A lot of people have cast aspersions on FISMA and called it a paperwork exercise, and I think in some agencies that is true because there hasn't been that objective evaluation of the performance of agencies against FISMA's standards. It hasn't been consistent over the years, so that has kind of devalued the letter grades that are issued to agencies. In a way, FISMA is a little unfair in the way they do that. Those large agencies, it is extremely difficult for them to get a good letter grade because the scope of the task is just so great, so broad, where smaller agencies can wrap their arms around complying with FISMA a lot easier. That is one of the problems of FISMA, the issue of how various IGs (inspectors general) measure or evaluate compliance with FISMA. As I said, it's been a little uneven. Agencies have the wherewithal to just kind of go through the motions or just check the boxes, a lot of people say. But it kind of defeats the intent of the legislation. It's legislation that requires risk management, but it's been interpreted as a piece of legislation that requires compliance. We kind of lost sight of risk management because of compliance. That is the biggest problem I see with FISMA today. We need something that allows us to really assess risk and apply controls appropriate to satisfy that risk, while continuing to be able to support the business.
CHABROW: What is your biggest concern in regards to information security at the moment?
HOWARD: State-sponsored cyber attacks are something that is substantially different than it was five years ago. I think there is more of a persistent threat because of the capabilities of the attackers, of those that are trying to exploit our systems. They have a great deal of capability and resources and patience to be able to attack our networks in an expediently greater way than an individual hacker would have been able to in years past or even now. I think it's probably those large groups, the state-sponsored attackers, that are probing in a lot of cases and are already inside of our networks.
CHABROW: Is this something that you as a specific agency need to defend against, or do you have to do this part as government-wide?
HOWARD: I guess I'm speaking to it from a government-wide point of view, but we do have some critical access, just like other agencies do. It makes us concerned. We can't just automatically assume that they are going to be just attacking someone else because they are more critical, what they work with is more critical than what we do. History has demonstrated to us that any agency can be viewed as a conduit because we are so interconnected with each other on the federal side. They can pass through us because we're maybe a weak link in order to get to their real target, which we happened to be connected to.
CHABROW: Is there any question I should have asked you and didn't?
HOWARD: There's been a whole lot of talk about focusing on the kinds of controls that every agency needs to implement mandatorily in order to protect themselves, and I think that is all well and good. All of us need to be aware of those government-wide risks that are out there. We can use help from outside the agency to define those, and also define controls that help us to defend ourselves against those. I think there is also a place for having IT security programs, and that's where over the past five years, six years with FISMA that most of the effort has been directed, and that is in building IT security programs, having mechanisms, processes, structures in place to be able to provide defense in depth. Between those two poles there has to be a balance; there has to be an ability to respond to specific attacks in a very immediate kind of way. But in addition to that, I think there still is a place to have an IT security program that has a strategy that it's following, has goals that need to be achieved, that supports the business. You have to have both, not just one or the other. So in really trying to respond to attacks, we don't want to lose sight of the fact that you have to have an effective program to manage that.