Guest Commentary: Bruce Brody on cybersecurity reform in the new Congress
Why we desperately need new cybersecurity legislation from the 112th Congress
Guest post by Bruce Brody
After nearly a decade of federal cybersecurity as practiced under the rubric of the Federal Information Security Management Act (FISMA), billions of dollars have been wasted. Precious resources are squandered measuring the wrong things in the wrong ways, and the results lull many agencies into claiming nonsensical compliance with little relevance to actual security. Beltway vendors pocket untold billions of dollars, and executive bonuses are doled out for falsifying silly scorecards that assert the agency is a C or a B or an A, so long as nothing meaningful is measured.
The problem is the legislation, not its implementation, and unless FISMA is reformed or rewritten, many agencies will not change their current archaic processes that measure meaningless things and assert meaningless results. Unfortunately, the longer it takes Congress to put new legislation in place, the more entrenched this problem will become.
A big part of the problem is the use of the word "ensure." FISMA uses the word "ensure" instead of the word "enforce" in the context that the chief information officer shall "ensure compliance" with FISMA. That simple word choice guarantees that the CIO, and the subordinate "senior agency information security officer," have no authority. If you don't believe me, a memorandum I requested from the general counsel of the Department of Veterans Affairs when I served as the chief information security officer said exactly that. On April 7, 2004, the counsel wrote an opinion stating that the word "ensure" instead of the word "enforce" guaranteed the CIO and CISO no authority to enforce policies or hold people accountable for violating policies.
The CIO or CISO at the department or agency level has a modicum of control over those systems that support the headquarters operations; they have little or no control over the subordinate operating administrations' systems and networks. In more than half of the departments and agencies, the CIO and CISO can issue policies and hope for compliance, and even issuing policies requires the consent of the operating administrations.
That means that the many agencies that think of security as an annoyance--including the ones barely tolerating the paper-based processes of the past because those processes reveal nothing about the security posture of the enterprise--will continue to fake security. Some of them will even hide behind their authorization language and ask, "Where's the FISMA requirement?" Without a CIO or CISO who possesses the authority to hold individuals accountable and put executive bonuses at risk, measured against a compliance framework that actually makes sense, true security across executive branch agencies remains a pipe dream. FISMA does a dreadful job of addressing the governance problem.
Unless Congress fixes governance, it can mandate continuous monitoring to its heart's delight, and then watch the process devolve into FISMA-like sleight of hand.
FISMA botches other things too, like the CISO concept. It doesn't identify the position as anything other than a "senior agency information security officer," doesn't legislate that a community of security professionals be formed to co-mingle programs, solutions and best practices, and arbitrarily positions the CISO under the CIO.
Various drafts of new cybersecurity legislation have appeared over the past two years, and a staff draft apparently exists in the Senate. That means it may be possible for the 112th Congress to get something passed. The question is whether or not it will be an improvement over FISMA.
What the new legislation must contain, without ambiguity, is at least the following:
- A requirement that paper-based processes be replaced by dynamic, continuous monitoring processes against measures of effectiveness, by all agencies, without exception, and immediately.
- A requirement that the Office of Personnel Management create a professional job series for the cybersecurity work force, and that the Office of Management and Budget put in place a directive that all departments and agencies employ the same professional certifications that the Department of Defense requires in Directive 8570.1.
- A clear set of authorities and governance for the CISO, to include authority commensurate with accountability, and the ability for any agency to create a different chain of command for the CISO apart from the CIO.
In the end, federal information security is all about protecting our nation's systems and networks from those who wish to do them harm. New and improved legislation will go much farther than FISMA in achieving this noble goal. Thankfully, the 112th Congress has the opportunity to enact it. This time, let's get it right.
Bruce Brody is chief executive officer of New Cyber Partners, a consulting and solutions firm dedicated to the practical application of real security engineering solutions, headquartered in Washington, D.C. He is one of the only individuals to have been a chief information security officer at two cabinet departments--at the Energy Department from July 2004 to January 2006, and the Veterans Affairs Department from March 2001 to July 2004. At both agencies, the annual FISMA grade improved under his tenure, but not for the right reasons.