Guest Commentary: Bruce Brody on FISMA reform
Guest post by Bruce Brody
After eight years of federal cybersecurity as practiced under the Federal Information Security Management Act, billions of dollars have been spent on the wrong things, mountains of irrelevant paper and checklists have sat on shelves and federal information systems and networks have been completely compromised. Precious resources have been squandered by measuring the wrong things in the wrong ways. The result is that many agencies have been lulled into attaining a compliance state that has little to do with actual security.
Fortunately, and at long last, FISMA is undergoing significant revisions that will change the way federal departments and agencies approach securing their networks. That change is coming and is no longer a matter of debate. Various bills at different stages within the legislative process have been written, some harmonization between them is occurring, and the likely outcome from Congress is becoming clear: A move away from the current static, paper-based compliance processes that focus more on measures of performance to more dynamic, continuous monitoring processes that will focus on measures of effectiveness.
The only outstanding questions, as far as the legislative process is concerned, are which bill (or bills) Congress will approve, and whether or not the legislative changes will occur prior to the November 2010 elections.
In fact, the Office of Management and Budget has anticipated Congress by issuing FISMA reporting requirements that will begin the transition away from the paper-based compliance and meaningless scorecards that characterized the former process. The new OMB reporting requirements are contained in OMB Memorandum 10-15 (.pdf). It specifically states that "this process is designed to shift our efforts away from a culture of paperwork reports. The focus must be on implementing solutions that actually improve security" (emphasis added).
At the heart of FISMA reform are three very important concepts that, if implemented correctly by federal departments and agencies, will significantly improve the status of information security throughout the federal enterprise. To put it simply, federal agencies will soon be required to perform risk-based security using continuous monitoring against measures of effectiveness.
Unfortunately, the likelihood that federal agencies will implement and report these three important concepts correctly is not very great.
For example, if you were to ask most agencies if they are doing continuous monitoring today, almost every one would say "yes." But if you were to then ask each agency how they define continuous monitoring, you would get at least a dozen definitions. That's not entirely their fault--OMB and the National Institute of Standards and Technology have allowed them to think they were doing continuous monitoring over the past eight years by requiring them to annually check if one-third of agency security controls were in place. Somehow, that periodic check became mistakenly defined as "continuous" monitoring. Fortunately, pending legislation could soon provide a legal definition of "continuous monitoring":
"The term 'automated and continuous monitoring' means monitoring at a frequency and sufficiency such that the data exchange requires little to no human involvement and is not interrupted" (Senate Bill S.3480).
The real power of the continuous monitoring process is its focus on the true security posture of the enterprise with little human involvement to tamper with the results. That means all of the agencies that previously misrepresented their security posture with absurd or meaningless metrics, or failed to verify adequately the false reporting of subordinate components, or a myriad of other disingenuous activities that were allowed to exist under the previous FISMA processes.
Continuous monitoring against measures of effectiveness is a whole new challenge for almost every department and agency. Measures of effectiveness require an assessment that the controls are not just in place, but they are operating effectively. No longer will an agency get away with checking to see if one-third of its controls every year are merely in place and calling it "continuous monitoring." From now on, all controls, at all times, will have to be in place and operating effectively in the context of the risk profile of the department or agency. This is a huge leap from where most departments and agencies are today. And this huge leap will require a complete reassessment of the agency's workforce, skill sets, contractor support and overall security posture. A good risk-based continuous monitoring program against measures of effectiveness will save agencies millions of dollars compared with the inefficient and static paper-based processes of the past.
In the end, federal information security is all about protecting our nation's systems and networks from those who wish to do them harm. Risk-based continuous monitoring against measures of effectiveness will go much farther than FISMA in achieving this noble goal. Thankfully, FISMA reform is about to become a reality. This time, let's get it right.
Bruce Brody is chief executive officer of New Cyber Partners, a consulting and solutions firm dedicated to the practical application of security engineering technologies, headquartered in Washington, D.C. He has more than 20 years of executive leadership in information security, information technology, intelligence, and program management with the Department of Defense and private industry. He is the only individual to have been a chief information security officer at two cabinet departments--at the Energy Department from July 2004 to January 2006, and the Veterans Affairs Department from March 2001 to July 2004.