Analysis: In Defense of FISMA
Updated: Aug 7, 2020
Implementing government's landmark cybersecurity statute should be more than just a paperwork drill.
With the passage of economic stimulus legislation, health care reform and financial regulatory reform, the 111th Congress likely will be remembered as one of the most legislatively active periods in our nation's history. As we enter the endgame of this legislative session, there are still a number of proposals that stand the possibility of becoming law before adjournment. One such effort is the potential expansion of the federal role in cybersecurity. Given the importance of information technology to our economy, it is vital important to see this effort through.
A critical component of the cyber debate focuses on the procedures that federal agencies use to keep information safe -- a task that since 2002 has been governed by the Federal Information Security Management Act. Among various proposals introduced during this Congress, FISMA reform has been a recurring theme. The main criticism of FISMA is that over the years it has evolved into a paperwork drill, emphasizing compliance over an agency's real security. There is little doubt that the implementation of FISMA, in some cases, could have been off the mark. But the intent was not to have FISMA compliance and information security become two separate exercises. As Congress debates the future of cybersecurity policy, it is appropriate to keep the statute's origins and intentions in mind.
Despite earlier measures such as the 1987 Computer Security Act, the 1996 Clinger-Cohen Act and the 2000 Government Information Security Reform Act, federal IT security considerations were inadequate prior to FISMA. There was no overarching framework for required security measures and no oversight model to track implementation. And, all too frequently, federal systems were designed and procured solely with features and functionality in mind -- not security.
FISMA changed this and in many ways brought federal IT professionals into the modern world. Despite the constant, evolving and increasingly sophisticated cyber threats, many of FISMA's requirements are more relevant than ever.
--Explicitly calls out the importance of cybersecurity. It recognizes that the soundest approach to ensuring cybersecurity is a risk management strategy that balances resources, the relative value of various systems and data sets, and current threats.
--Requires an inventory of an agency's IT systems. Pre-FISMA, there was limited visibility of the systems a given agency was running. There was often resistance to collecting this information since it would represent a significant step toward ending an agency's control over its own IT systems. Providing a comprehensive list was a critical first step to mapping out how the systems worked together and analyzing which were redundant or vulnerable, an important step toward a stronger security posture.
--Assigns broad areas of responsibility that continue to work effectively today. The National Institute of Standards and Technology has the job of developing standards and techniques for securing government systems. Agencies perform their own risk assessments and periodically certify that the systems in their inventories have the correct, risk-based controls in place to allow them to operate safely. The Office of Management and Budget keeps tabs on agency compliance with NIST and issues score cards.
--Allows for change over time, as evidenced by the evolving White House and Homeland Security Department roles. As for direct agency responsibilities, far from being a set-and-forget function, FISMA compliance requires agencies to periodically reassess their cybersecurity plans and controls, and make needed adjustments in their risk assessments and operational responses.
FISMA has been criticized because it has been seen as a way for some agencies to obtain a good compliance score, which meets the letter of the law. In some cases, these operational approaches have left agencies more vulnerable to cyber threats. In fact, FISMA does require agency operators of IT systems to have controls in place and certify that they are functioning properly. The criticism rightfully points to the need to ensure that agencies don't excel on the compliance reporting side of FISMA alone. Agency managers must make their security plans operational and effective.
This is why continuous monitoring of networks is so important, and why, within the context of FISMA as it is written, agencies are moving ahead and adopting this technique. The most-often cited example is the State Department, where networks around the world are checked every three days to make sure all the security patches that vendors have issued are installed properly.
In fact, NIST's Cyber Security Division personnel are in the midst of revising their extensive library of standards guidance to take into account the changing threat environment and the advances in technology since the initial guidance was created.
The challenge in writing legislation is to put down a framework that's broad enough to cover core elements of an issue without being too prescriptive in how federal managers go about getting them done. And, as with any legislative mandate, executive branch execution is critical for success in achieving its goals. The Obama administration has put a high priority on operationalizing FISMA and ensuring appropriate funding to achieve results. There are still jurisdictional issues that make coordination and compliance inefficient. Much of these jurisdictional turf wars can be resolved by the administration without legislative activity -- although legal clarification can help.
Legislative authorization can fall short of the mark if it is not accompanied by the funding needed to do the job. The flurry of legislative activity in the cyber arena and the growing attention by the administration are welcome. It is best to stay focused and get it right by building on the existing requirements while allowing future administrations the flexibility to address future challenges.
As the 111th Congress winds down, the window for legislative activity is closing. There's not much time left for this Congress to take action. As we try to divine what's going to happen, we encourage Congress to stay committed in these remaining months to update our information security laws for our national and economic security.
Tom Davis, a seven-term Virginia congressman and former chairman of the House Government Reform Committee, serves as the director of federal government affairs for Deloitte & Touche LLP. JR Reagan is the head of the Deloitte Center for Federal Innovation and a principal with Deloitte & Touche LLP.