[ISN] OMB official: Too soon to judge computer security law

Fri May 19 03:16:21 EDT 2006

http://www.govexec.com/story_page.cfm?articleid=34111

By David Perera
dperera @ govexec.com 
May 18, 2006 

The Federal Information Security Management Act isn't old enough for
its most effective provisions to prompt great cybersecurity
improvements, an Office of Management and Budget official said
Thursday.

The act, known as FISMA, took effect in 2002. It called for agencies,
over a period of as long as two years, to identify and categorize
their information technology systems according to the level of risk
that a compromise would pose. The second phase is implementing
security controls based on those risks, a process that's been going on
for only 18 to 24 months, said Glenn Schlarman, OMB branch chief for
information policy and technology. He spoke Thursday on a breakfast
panel sponsored by Government Executive.

The controls phase "is new, and that has never been done anywhere by
anyone," Schlarman said. The federal government has "some very strong
pockets of security, and some really weak pockets of security," he
added.

FISMA lately has been criticized as a paper-based exercise divorced
from the real needs of cybersecurity. The law "measures the wrong
things, and it measures the wrong things the wrong way," said Bruce
Brody, also a panelist at the breakfast. He is a former federal
cybersecurity chief and recently became a vice president at INPUT, a
Reston, Va.-based government market analysis firm.

The federal government is making little headway in tackling
cybersecurity problems, said Alan Paller, the third breakfast panelist
and director of research at the SANS Institute, a nonprofit
cybersecurity research organization. "In order to make progress, you
actually [have] to reduce the problem a little bit, [but] the problem
is being made harder," he said.

A chief information security officer in the audience, who asked not to
be identified, said FISMA can be effective, depending on how it is
implemented. The official cited the process of certification and
accreditation of IT systems, saying, "if you want to do C&A the
[Defense Department] way, you will not succeed." The process requires
agencies to account for all their systems, implement risk-based
technical controls and formally authorize systems' continued
operation.

Although the certification and accreditation process predates FISMA by
decades, it is a key measurement that Congress uses in its annual
score card assessing compliance with the law. But the process heavily
contributes to the ineffectiveness of FISMA, Brody and Paller
contended. Nobody reads the accompanying reports, Paller said, and the
money spent on paying contractors to prepare those reports would be
better used on real-time monitoring.

The Defense Department follows a particularly burdensome and
paper-filled certification and accreditation process, the federal
official said. But, "if you're doing this right, you're doing this
smart; you're not doing this as a paper exercise," the official said.

Continuous testing and monitoring of IT systems is part of FISMA
compliance, Schlarman said. "If it isn't being done that way, then we
have an implementation issue."

The law has called attention to the serious problem of cybersecurity,
Brody said. But "there are some evolutionary possibilities that could
take FISMA and the regulatory environment to another level," he said.  
"Benjamin Franklin said the definition of insanity is doing the same
thing over and over and expecting different results."