Talk:Federal Information Security Management Act of 2002

From Wikipedia, the free encyclopedia

This article is within the scope of WikiProject Law, an attempt at providing a comprehensive, standardised, pan-jurisdictional and up-to-date resource for the legal field.
This article has not yet received a quality rating on the assessment scale.
This article has not yet received an importance assessment on the assessment scale.

After five years of FISMA, experts agree that little progress has been made in improving the overall security posture of the Federal computing enterprise. The reasons for this are many, but they boil down into the following key categories.

1. FISMA measures the wrong things, measures the wrong things in the wrong ways, and fails to measure the right things. As a result, FISMA the legislation, and FISMA the process, are fatally flawed. For example, 10 points of the annual FISMA grade, or a full alphabetical grade, is devoted to Training. Therefore, an agency can receive all 10 points if its entire population receives a one-hour awareness training on-line course. However, the quality, content and effectiveness of the training is not measured. Another example is Certification and Accreditation, or C&A, which accounts for 20 points or two alphabetical grades. However, C&A is an immense amount of documentation that results in the acceptance of risk, and potentially limitless risk for a system or application. Therefore, it is possible for an agency to claim that 100% of its systems are C&Aed, and yet not one of the systems might be considered "secure". C&A is a costly and time-consuming never-ending exercise aimed at documenting security weaknesses and policy violations. However, the personnel performing these tasks often lack the security skills to accurately assess whether a risk exists, and/or the staff has a vested interest in concealing known weaknesses, to avoid embarrassment or punishment from a failed C&A. The time and money necessary to pursue C&A and thus a passing FISMA grade arguably consume the limited resources that could otherwise be used to improve security.

2. FISMA failed to recognize and overcome the culture of the various departments and agencies, especially those that are geographically distributed and fiercely independent from central authority. Thus, the agency CIOs and their subordinate CISOs are powerless to "enforce" security requirements across the stubbornly independent operating administrations. FISMA chose to use the word "ensure compliance" when defining what the CIO was responsible for accomplishing under the Act, and consciously avoided the use of the term "enforce." General Counsels across the Executive Branch have interpreted "ensure" to mean that the CIO has no real authority under FISMA. The legislators who enacted FISMA chose to ignore the most important aspect of implementing information security across large and complex enterprises -- governance! For this reason alone, FISMA is practically useless.

3. FISMA created the Chief Information Security Officer (called "senior agency information security officer") and specifically placed that person under the CIO. That construct turns out to be a mistake. The CISO under FISMA must report to the CIO and thus place the security requirements of the department or agency subordinate to the CIO's other priorities, budget pressures, political exigencies or other conditions unrelated to sound and effective security approaches.

4. FISMA was created and managed by a triumvirate of entities with no practical security experience whatsoever. The Congress created and oversees FISMA, through the House Committee on Government Reform. It was born out of the old Year 2000 (Y2K) days, but after the Y2K rollover, the committee needed a new grandstanding event to justify its political existence. It chose information security because it was topical and loosely related to Y2K. Unfortunately, the non-practitioners on the congressional staff adopted the same system-by-system, site-by-site approach for information security that it used in the Y2K days. That approach connotes very little practical understanding of information security, where interconnected infrastructures and distributed enterprise boundaries require equal or greater attention than individual systems and sites. The second element of the triumvirate of 'FISMA keepers' is NIST, the agency responsible for publishing the standards that Federal agencies must adhere to under FISMA. Again, no practitioners exist at NIST, and the result is a massive pile of paper requirements that are impossible to implement and represent a simplistic form of a security-for-the-sake-of-security academician approach. At the same time, the core of FISMA compliance (and C&A) is the NIST Special Publication (SP) 800-53, which is arguably a generic and very low minimum security baseline that lacks specific details necessary to give FISMA any real power to improve security. The third element of the triumvirate is the Office of Management and Budget, which monitors FISMA implementation across the departments and agencies. Again, not a single practitioner can be found anywhere in OMB, and the result is an endless barrage of unfunded requirements heaped upon the departments and agencies. Until such time as actual information security practitioners take charge of the process, FISMA will remain the sad failure that it has become.

5. The worst and scariest aspect of FISMA is that many Federal executives who simply don't know any better are chasing the 'Potemkin Village' of FISMA compliance and adopting the mindless 'scorecard approach' to security. These executives are completely oblivious to the fact that their computing infrastructure has been penetrated, its sensitive information has been violated, and those who wish to do harm to Federal information resources have succeeded. FISMA aims at giving Federal executives the policy tools necessary for them to gain a more accurate awareness of security across the enterprise. But by relying heavily on C&A and on threatened financial and other penalties from Congress, executives end up getting from their subordinates an inaccurate awareness of risks, a false sense of security, and the erroneous belief that security weaknesses are being resolved.

Thus, FISMA is a paper-based compliance drill and not a rigorous technology-based security program. In the five years of its existence, FISMA has failed to appreciably improve the security of the Federal computing enterprise, and will continue to fail to improve it under its current form and with its current flaws. Nonetheless, billions of taxpayer dollars have been squandered chasing "compliance," while little has been accomplished in actually getting to real security. To the enemies of our nation who wish to visit harm upon our nation's computing infrastructure, this is very good news indeed.

"Fatally Flawed"?

I think that while there is significant discussion about why the act fails to address needs, the characterization of the act as "fundamentally flawed" is a statement of opinion, not fact, and as a result the article contains a basic bias inappropriate to Wiki.

I recommend that we add "has been characterized as" to the "fatally flawed" comment in the introduction. This would encourage the reader to review the "Issues with FISMA" section.

Thoughts? Bdevoe 18:23, 29 March 2007 (UTC)