By Paul Kurtz
(Editor’s note: Paul Kurtz, COO of Good Harbor Consulting, LLC, recently testified before multiple House Subcommittees regarding the future of FISMA - The Federal Information Security Management Act. We have published an edited version below, you can also download the full testimony in PDF format)
I am here today to talk about how certain information security developments in the private sector may have an impact on the future of the Federal Information Security Management Act (FISMA) and follow-on information security regulations and controls. FISMA is a good first step in what will surely be a long – and increasingly collaborative – process between the public and private sectors in safeguarding the integrity of the Federal IT infrastructure. However, as timely and well intentioned as FISMA was in 2002, the current law must evolve if it is to be effective in light of new technology and continually emerging threats.
First, I will address the strengths and weaknesses of FISMA as it is currently implemented. Second, I will discuss how changes in the private sector will be a strong factor in how FISMA and general IT security measures within the public sector evolve in coming years. Three specific trends are:
- The need for greater empowerment of federal Chief Information (Security) Officers
- The changing nature of IT and information security
- The global drive towards common security standards
The State of FISMA
As you are aware, the effectiveness of FISMA is widely debated. Although there are flaws in its implementation, I would argue that the overall impact of FISMA has been positive. Even FISMA’s biggest critics acknowledge that this initiative has the potential of being a powerful mechanism for improving information security throughout the federal government. This section briefly discusses the act’s strengths and weaknesses in order to set the stage for how private sector developments may influence FISMA’s evolution.
Strengths
FISMA has served as an important management and assessment tool for federal agency IT systems. This effort has brought renewed emphasis to government-wide information security:
- Transparency: To comply with FISMA, agencies must show how their overall information security strategy and budget fit with the general mission and goals of the agency.
- Accountability: FISMA requires federal agencies to report to the Office of Management and Budget (OMB) and to Congress on their progress toward improving information security by certifying and accrediting systems, testing security controls and contingency plans, and assigning risk impact levels. Furthermore, the resulting report cards issued by Congress raise visibility of IT vulnerabilities and expose government agencies to public scrutiny.
- Standardization: The National Institute of Standards and Technology (NIST) has issued several strong standards – notably Special Publication 800-53: Recommended Security Controls for Federal Information Systems – and tools such as the PRISMA database to help determine the extent to which IT systems across agencies need to be secured.
Personally, I recall my experience at the White House in 2000 when we had very little insight into the state of IT security across Federal agencies. We had no common standards in place and no data on how much agencies were spending to address security. We have certainly come a very long way in seven years thanks to the Government Information Security Reform Act (GISRA) and FISMA.
Weaknesses
Despite the near-universal participation of government agencies in the FISMA reporting process, many observers suggest that there hasn’t been an appreciable increase in Federal IT security in the past five years. Possible reasons for this include:
- Misleading scores: FISMA does not necessarily address whether cyber security has been improved in an agency. Rather, as currently implemented, the act measures only whether agencies pursue processes for assessing, testing, and managing IT security. For example, agencies that simply complete dozens or hundreds of certification and accreditation reports can earn high scores even if their systems do not pass the required tests or are not subsequently hardened and monitored. Moreover, evaluation standards and techniques (especially if implemented by contractors) vary across agencies.
- Narrow metrics: Conversely, FISMA, as currently implemented, does not always accurately document or measure successful agency efforts to secure their information systems. As Hord Tipton, CIO for the Interior Department, noted last year, “We fended off four billion probes, scans, attacks [in 2005] without any significant breaches. It doesn’t show up in the FISMA report.” For this reason, many critics argue that a “one-size fits all” approach to security does not make sense across different agencies.
- Lack of consequences for non-compliance: Over the past five years, three of the largest departments of the federal government – State, Defense, and Homeland Security – have received low grades from Congress on their FISMA compliance. As the Government Accountability Office concluded in 2006, many “federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls.” Outside of OMB’s limited ability to redirect agency spending, there is no enforcement mechanism or incentive structure in place to ensure that failing departments take the necessary steps to improve IT security.
- Inability to adapt to emerging technologies: The implementation of FISMA security controls often betrays a bias against the adoption of new and emerging technologies. Despite the rise of software-as-a-service (discussed in more detail below) and mobile technologies in recent years, FISMA guidance and NIST security controls have not expanded accordingly. Since Federal security controls do not reference third-party, Internet-accessible software and data-on-demand business models, some agencies are quick to reject these solutions as non-compliant, even though they offer robust levels of security. This creates a “catch-22” situation. Federal agencies have no incentive to invest in new technologies – because they cannot successfully be brought into FISMA compliance – and NIST will not adapt its security controls to new technologies because a critical mass of users does not exist within the public sector. This in turn leads to increased inefficiencies and ultimately less security with respect to federal IT systems.
- Failure to address telecommunications continuity of operations: Finally, FISMA does not require Federal agencies to establish and regularly test continuity of operations for telecommunications services. Section 3544 (8) addresses continuity of IT systems, but does not explicitly address telecommunications. As convergence continues, it will be very important to ensure rigorous communications COOP programs are in place.
Many of these concerns can be addressed by improving current FISMA implementation guidance, and do not necessarily require a change in law.
The Private Sector
Several recent developments demonstrate the need for changing how the federal government thinks about information security. FISMA may have been created in part to help government agencies lead by example when it came to IT security, but the private sector has shown that still more needs to be done. As the IT security landscape continues to expand, the federal government must anticipate, react, and adapt to these new developments in order to create stronger and more effective ways to safeguard our Federal IT infrastructure.
Empowering the Chief Information Security Officer
Chief Information (and Security) Officers (CIO/CISO) within both the public and private sectors have traditionally been responsible for IT security within their respective organizations but rarely given the authority to effectively enforce security protocols. However, this attitude towards securing information systems seems to be changing in the private sector. While it used to be difficult to rationalize the return on investment on increased security precautions, the proliferation of worms, viruses, Trojan horses and the individuals who spread them has sparked an interest in safeguarding IT systems and networks from malicious attacks.
Several corporations have recognized the need to integrate the Chief Information Security Officer (CISO) at the highest executive levels (in some cases reporting directly to chief financial and executive officers) and to empower the CISO with expansive powers and responsibilities that range from incident response to IT compliance to customer data privacy. Moreover, many CISOs are brought in as risk managers, rather than simply IT practitioners, which grants them more influence in long-term strategic planning.
There are indications that the federal government is drawing lessons from these trends. The House Committee on Veterans’ Affairs, for instance, acknowledges that it was the lack of CIO and CISO authority that contributed to the theft of an employee laptop in May 2006. To that end, I commend legislation by Congressman Buyer to empower the Veterans Affairs Department’s CIO to enforce information security in the VA IT department as well as the creation of new high-level information security positions within the agency. This example should be further strengthened and replicated in other agencies across the federal government. For example, CISOs should also have the latitude to approve budgets and work on projects they perceive as critical to the agency’s information security rather than simply having to fulfill the certification and accreditation requirements posed by FISMA.
The Changing Nature of IT
In addition to the changing role of the CISO, the IT environment itself is undergoing a transformation. Historically, the federal government has relied on the client-server model, where IT systems procured from vendors are then implemented, maintained, and upgraded in-house.
Trends in the private sector, however, suggest a major paradigm shift. Many companies are migrating towards internet accessible software and data services, which are often referred to as “software-as-a-service” (SAAS). Software as a Service consists of applications and databases that are delivered to customers over the internet from a shared IT infrastructure. By applying economies of scale to the development and operation of these applications, a SAAS provider can offer better, cheaper, more reliable applications than companies can provide themselves. Tens of thousands of businesses, including large financial enterprises, have already migrated sensitive data to SAAS providers and data warehouses, and it is projected that SAAS will account for nearly half of all software sales in the private sector within the next five years.
Although federal agencies have been slow to adopt SAAS, I am confident that this migration to software and data services will eventually occur in the public sector as the government begins to recognize the cost savings and performance advantages of SAAS. This Committee should make sure that FISMA facilitates this evolution rather than hinders it.
Global Drive to Common Standards
Given the changing nature of the IT landscape, information security legislation needs to adapt accordingly. Guidance from OMB and NIST has been adequate in addressing the client-server paradigm, but standards should be adjusted to govern the eventual migration by the public sector to on demand services via the Internet.
One option is to begin to more closely align FISMA to recently updated international cyber security standards. The International Organization for Standardization has issued a revised cyber security standard – ISO-27001 – that can be applied to commercial enterprises and non-profit organizations as well as government agencies. ISO-27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system within the context of the organization’s overall risk management processes. ISO 27001 is comprehensive, covering security policy, internal organization, asset management, human resources, physical and environmental security, communications and operations management, access control, acquisition, and incident and continuity management. In addition, ISO 27001 provides for third-party certification of an entity’s security. However, unlike the comparably rigid standards set by OMB and NIST, ISO-27001 can be customized to the needs of individual organizations, thereby avoiding FISMA’s “one-size fits all” approach to cyber security.
This is not to suggest that the standards established by OMB and NIST should be disregarded altogether. In fact, NIST guidance is quite good; however, we must move toward a common global information security standard. The US government could lead the drive toward a common global standard for the public and private sectors to secure information systems by accepting ISO 27001 as equivalent to FISMA. In addition, acceptance of ISO 27001 certification would improve transparency of Federal information security and reduce the bureaucracy and costs associated with current FISMA compliance procedures.
Conclusion
Thank you for the opportunity to testify on these issues today. As I close my testimony, I want to emphasize the fact that FISMA has played a salient role in raising awareness of IT security issues and demonstrably improved information security throughout the federal government. When I was still working at the White House in 2001, no common standards existed. FISMA was the first legislation that took information security seriously. Despite its flaws, it has served us well.
However for the reasons I have cited, there is still much more to be done to effectively safeguard federal information security.
2 Responses to “Federal IT Security: The Future of FISMA”
Bob West Says:
July 17th, 2007 at 7:17 am
I agree with Paul’s comments not only on the evolution of the CISO role but also on the adoption of 27001 as a framework.
The CISO needs to be independent of a technology group to function effectively. Similar to an audit or quality function, availability will trump any of these functions if these functions are part of the technology organization. Security will fulfill its mission if it is reporting at the right level, in the appropriate area in an organization and given sufficient budget. Security also needs to be led by someone who can act as a peer to the CIO, CFO etc. and truly understands how to influence an organization and manage relationships effectively.
Whether it’s used in public or private sector organizations, the 27001 standard creates a known quantity similar to ISO 9000 or 9001 in the manufacturing sector. My hope is that it is broadly adopted and can enable a transparent view of an organization’s security posture.
Ernest Rodgers Says:
April 26th, 2008 at 12:42 pm
I also agree with Mr. Kurtz that FISMA should be amended to recognize the Information Security Management System with the ISO-27000 standards. This will include:
- Amending FISMA:2002 to change emphasis from OMB assessment of a written submission to 3rd Party Assessment of actual Information Security Management practices.
- Adopting ISO-27000 certification as compliance to FISMA and reflected in meeting annual FISMA reporting requirements. In between recertification assessments, this could be reduced to a simple annual one-page memo from the agency head to OMB rather than several hundred pages of documentation produced at tax-payer expense.
- Spending time and money during interim certification periods to carry out plans for continuous improvement of information security management and reducing risks to information on federal systems from being lost, stolen, misused, or compromised in any way; and finally,
- Using data to benchmark against other ISO-27000 certified organizations worldwide.