Since its inception into law, the Federal Information Security Management Act of 2002 (FISMA) has faced many challenges, both through establishing itself in the federal landscape, and developing the necessary framework for applying the principles into practice. Although FISMA has been in existence for 5-years, many would say that security has only shown limited improvement, while others would stand by its success.
Those familiar with FISMA have experienced the uncertainty of the initial implementations, and identified with some key improvements brought about through the increased visibility of security. FISMA has now made security a mandated priority, whereas, prior to its enactment security was only given limited attention. The work performed by the National Institute of Standards and Technology (NIST) has been instrumental in taking a legislative mandate, and through multiple attempts, refine processes and practices that have taken shape across the federal government. However, there is still a great deal of work to be done to provide the assurance needed for federal agencies and contractors hosting federal information and information systems to sustain a measurable security posture that can be monitored more effectively and efficiently.
I would not consider FISMA in itself to be a failure, but instead believe the major weaknesses that exist are tied to the lack of a baseline set of measurements that can be used to show measurable improvements. According to the Office of Management and Budget (OMB) 2009 IT Budget Summaries, IT security spending could see an effective increase of at least 10.3 percent from the actual 2008 budget, which would mean agencies need to have better parameters for demonstrating where failures exist when a D or F rating is given on the Computer Security Report Card.
IT security is not an exact science because not all environmental characteristics that affect security can be completely relieved of risk. Management of the risk requires proven measurements to demonsrate security can be adequately managed, if properly planned and implemented. This could also help to provide assurance to senior leaders within these federal government, that if funding was properly allocated to support IT security requirements, there is some direct relationship to meeting security goals. Without a platform to capture these performance measurements, security will only be an increasing spiral of cost with no tie-back to a return-on-investment.
As far as I am concerned, there are several problems with how FISMA has been implemented. There is needs to be more standardization on what is truly required. Right now, the C&A is very cumbersome. It is more of a measurement of compliance to policy rather than the true status of a system's security. In addition, there is a lot of duplication of effort in the documentation required.
We need to streamline the C & A processes. Currently, it takes several months and hundreds of thousands of dollars to accredit a system. After is it all done, the information in the documentation may already be outdated.
Posted by: John Dittmer | 02 June 2008 at 14:34
"IT security is not an exact science because not all environmental characteristics that affect security can be completely relieved of risk."
I will start by saying that there is no silver bullet in IT Security, who believes that there is a total risk mitigation for IT does not understand risk management and theconcept of integrating IT in the business model (IT Governance)
"Management of the risk requires proven measurements to demonsrate security can be adequately managed, if properly planned and implemented. "
Not sure what is the meaning of this statement but I can say that the management of ANYTHING requires using metrics. Metrics do not prove that a security implementation can be managed...
Posted by: Bogdan Dragomir | 23 July 2008 at 16:40