Those that have supported the implementation of the Federal Information Security Management Act (FISMA) of 2002 have seen a significant change and focus of information security in federal government over that past several years, including the increased attention placed on agencies through OMB policies requiring them to implement a multitude of standards and guidelines.
Obviously, right out of the box, I have seen a mix of opinions from the increased cost of security, including many negative views on the reactive approach government leaders have taken to introduce new security related policies. From the perspective of a security professional, the government has not fully made federal executives a vested champion for supporting these policies, and should require these executives who have the budgetary authority to present the value proposition FISMA and related policies/guidelines bring to the mission and business leaders of the agencies. In many agencies, FISMA compliance has become an embedded part of the IT organization, rather than managed directing from the offices of the head agencies. Although the CIO plays a critical role in executing the FISMA requirements within the organization, the business and mission are really the drivers when establishing appropriate objectives for confidentiality, integrity, and availability.
(http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:s3474rs.txt.pdf), which passed on October 1, 2008 through the Senate Homeland Security and Governmental Affairs Committee (see status page of bill - http://www.govtrack.us/congress/bill.xpd?bill=s110-3474) will increase the visibility on security controls applied to information system. This would greatly increase the importance placed on agencies to more efficiently and creatively implement security to ensure that additional overhead costs associated with the additional mandates, which according to the Congressional Budget Office (http://www.cbo.gov/ftpdocs/99xx/doc9909/s3474.pdf) will add an additional $150 million to currently agencies annual expenses (http://www.fcw.com/online/news/154252-1.html), do not adversely impact mission requirements.
So what changes should we expect?
The FISMA 2008 bill provides an enhancement to the current security of the Federal Government by amending the original text to add additional language to expand the role of FISMA and in some instances creates more strict oversight of day-to-day security operations. Below are just a few of the major changes that were noted:
1. Creates the Chief Information Security Officer (CISO) role, and vest the authority for enforcing security and compliance with FISMA
2. Establishes the CISO Council within the executive branch where executives from across the federal government, including, but not limited to the US-CERT, Intelligence Community Incident Response Center, DHS National Cyber Security Center, DoD, ODNI, Civilian Agencies, and OMB
3. Enhances the continuous monitoring process, through the requirement to have annual independent audits rather than allowing agencies to perform self-evaluations between audits performed as part of the system accreditations
4. Requires additional reporting from DHS related to a detailed explanation of the state of the federal security posture (outside of the annual FISMA reporting from OMB)
Among the challenges faced by the Federal Government (including a new Administration change), focus should include additional work by on capturing more security metrics, so that agencies are held accountable for allocating security funding appropriately. Currently, budgets include security costs are not tracked appropriately. For most agencies tracking should be directly managed by Agency Heads to ensure monies are really spent, and measures can be taken to itemize where cost increases are not producing a value. This will demonstrate a confidence to the business unit leaders that have the role of allocating security costs to their programs and make security a component that does in fact deliver a return-on-investment for the business units that must manage the balance between meeting mission requirements and protecting their information.