Readying FISMA for an Extreme Makeover


By Teri Robinson

A pair of recent initiatives have trained their sights on the Federal Information Security Management Act, promising to reform the much-beleaguered set of security requirements with which agencies must comply. First, the Office of Budget and Management issued a new set of security guidelines that changed the reporting requirements. Among other things, agencies will be required to report their cybersecurity efforts online on a continuous basis.

Now the National Defense Authorization Act, which includes an amendment to create an Office of Cyberspace in the White House, has been approved by a healthy margin in the U.S. House of Representatives last month.

Rep. James Langevin, D-R.I., and Rep. Diane Watson, D-Calif., who sponsored the amendment that includes the Office of Cyberspace initiative, have made it clear that it is time to overhaul the eight-year-old FISMA and bring security under a more comprehensive umbrella.

“These provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace,” Langevin said in a statement.

Government agencies have long made it clear that while adhering to FISMA requirements does seem to boost security, the compliance reporting required is cumbersome, time-consuming and costly. By some estimates, filing costs about $1,400 per page. Under the new guidelines, instead of submitting paper-based compliance reports at regular intervals, agencies will report on their security efforts and submit updates every month through CyberScope, a Web-based portal that will be overseen by the Department of Homeland Security. Not only will the new automated process eliminate burdensome paperwork, but it will also allow an agency to present a nearly real-time view of its security status.

The changes will also empower CISOs, giving them greater latitude in gathering data from different departments and bureaus within their agencies.

Agencies applauded the new initiative, with NASA quickly announcing its plans to break from the traditional paper-based reporting structure.

In a memo, Jerry Davis, deputy chief information officer for IT security at NASA, said the move will give NASA and other agencies the opportunity to gain a “near real-time understanding of risk posture, and not the production of paperwork.”

He also noted that the old certification and accreditation system was simply not working and was indeed “largely ineffective” and didn’t “ensure a system’s security.”

The government contends that the proposed reporting changes will rectify that. And the amendment included in the National Defense Authorization Act currently making its way through Congress promises to add top-down support and accountability to FISMA, creating a National Office for Cybersecurity and a Federal Cybersecurity Practice Board that will guide agencies in meeting FISMA reporting requirements.

“Not only does this amendment make necessary and wholesale improvements to our current cybersecurity policy and management framework, but it will also ensure that agencies have a strong leader within the Executive Office of the President to assist them in their efforts,” said Watson in a statement.

But the Act still has to pass the Senate, and it is unclear how easily it will do so, or whether it will at all. The legislation also includes an amendment to end the military’s “Don’t Ask, Don’t Tell” policy, a potentially controversial directive sure to make some senators uncomfortable. That could put the kibosh on the legislation.