Since 2002, federal agencies have been following an unclear path of policies that have left them struggling to meet compliance requirements rather than leading efforts to improve information security. The Federal Information Security Management Act (FISMA) has been interpreted through a multitude of policies, from the Office of Management and Budget (OMB) down to individual agency security programs. However, since its inception, reports from Department Inspectors General (IGs) and the Government Accountability Office (GAO) continue, year after year, to find that federal agencies remain persistently weak in information security.
Has FISMA really met its purpose?
The Federal Information Security Management Act, Section 301, Subsection 3541 (“Purposes”) identifies six purposes:
- Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.
- Recognize the highly networked nature of the current Federal computing environment and provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities.
- Provide for development and maintenance of minimum controls required to protect Federal information and information systems.
- Provide a mechanism for improved oversight of Federal agency information security programs.
- Acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector.
- Recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.
Are the purposes of FISMA (as listed above) being appropriately interpreted, or has the meaning of FISMA been lost in the crowded distractions of government policies?
Based on the reports from government oversight offices such as the IGs and the GAO, federal agencies, although improving in their ability to meet compliance with key information security activities such as security awareness training, contingency plan testing, and the testing and evaluation of security controls, still fall short in effectively implementing the security controls necessary to protect information resources.
FISMA has offered the idea of a comprehensive framework. However, agency responses to FISMA have been plagued with inconsistencies that have prevented an effective governmentwide implementation. A consistent strategy is essential to ensuring that agencies protect their information resources within a common framework. Therefore, a national strategy should be established that is very specific, yet agile enough to offer both strategic and tactical objectives for agencies to use as a basis for developing their own information security strategic plans. The national strategy would bring together competing and relevant policies into a common, more meaningful set of goals for agencies to incorporate into their own strategic plans.
The national strategy should be focused on making security objectives measurable, specific, consistent, and achievable.
1. The national strategy should be broad enough to cover the scope of information security across the federal government, but offer more granular, specific metrics for agencies to extend to meet their own underlying mission and business goals. Without key performance indicators, agencies will face continual challenges in demonstrating to themselves, OMB, and Congress the true state of security within their individual agencies. In addition, OMB will need some way to represent the state of information security across the entire government landscape.
2. The national strategy should be specific. Without clear, concise, and targeted criteria, agencies will fail to invest appropriately in securing their information systems, thereby wasting valuable resources. With a national strategy that sets specific objectives, federal agencies and offices, as well as Congress, which is responsible for oversight of Federal agency information security programs, will have a way to more effectively understand what improvements should be made to address shortcomings in agency implementations of their security programs.
3. The national strategy should be the vehicle for communicating the objectives necessary for implementing information security consistently across the federal government. A consistent set of national objectives will encourage agencies to share information and security practices, without necessarily hindering agencies from implementing security practices more closely aligned with their own mission and business security requirements. National objectives will need to support the broad vision and mission of the national strategy, yet be tangible enough to actually be measured through specific performance indicators.
4. The national strategy should be achievable through accomplishable national security objectives that have realistic implementation timeframes. Without ensuring that agencies have the capability to meet the objectives, agencies will be met with resource constraints that lead to the creative responses that are currently commonplace: satisfying the checkbox through inherently insecure implementations rather than achieving adequate information security. By establishing attainable national security objectives, agencies can better incorporate realistic steps into their information security program plans, ensuring that actionable steps are taken and that progress can be accurately tracked and reported.
In conclusion, FISMA has not necessarily failed in its purpose; rather, government leadership has failed to address those purposes through a national strategy that seeks to achieve measurable, attainable security through common security objectives.