Fed security pros struggle with implementing outdated FISMA

Oct 01, 2013
Compliance, IT Leadership, IT Strategy

General Accounting Office report finds no government agencies have met all key requirements of act

A recent government report found that major federal agencies are struggling to meet U.S. data protection regulations, a finding that is less about competence and more about the ineffectiveness of the requirements.

The General Accounting Office report found “mixed progress” toward fully implementing the Federal Information Security Management Act. Of the 24 agencies the government watchdog evaluated, none had met all eight key requirements of the act, which Congress enacted in 2002.

The GAO compared the progress of putting FISMA into practice from fiscal year 2011 to fiscal year 2012. During that time period, the number of agencies able to track identified weaknesses in computer systems declined from 20 to 15, while the number that had analyzed, validated and documented security incidents increased from 16 to 19.

In addition, the GAO found weaknesses in specific security controls. For example, 23 of the agencies had vulnerabilities in controls meant to limit or detect access to computer systems.

Under FISMA, the National Institute of Standards and Technology (NIST) sets the specifications, guidelines and associated methods and techniques for information security, which includes defending against cyberattacks. The act requires the GAO to do regular progress reviews for the law’s overseer, the Office of Management and Budget, which reports the findings to Congress.

The government spends roughly $12 billion a year, or 15% of its overall IT budget, on security, the OMB has reported. The amount spent, as well as the national security interests, makes data protection a top priority.

While FISMA is supposed to bolster security, its effectiveness is in question. A recent survey of more than 200 federal cybersecurity pros found just half saying FISMA improved security at their agencies, according to MeriTalk, a public-private partnership focused on improving government IT.

The poll also found that the majority of respondents believed their agencies were vulnerable to cyberthreats, and nearly three-quarters said the security in place would not be sufficient beyond the next year.

A Forrester Research report released a year ago described the NIST framework behind FISMA as “vague and confusing.”

“It outlines what to do, but not how to accomplish goals, its security control descriptions leave room for interpretation, and it functions too much like a ‘choose-your-own-adventure’ book with no ending,” the report said.

In April, the House of Representatives passed a FISMA reform that awaits attention in the Senate. One of the major changes replaces the compliance checklist in FISMA with a process of continuous monitoring to ensure that systems maintain the required level of security.

Critics argue that basing security on meeting a list of requirements does not take into account the constantly shifting attack strategies of cybercriminals and nation states looking to steal government data.

“Too often, feds are left chasing their tails — working paperwork compliance issues when real threats need their attention,” Stephen W.T. O’Keeffe, founder of MeriTalk, said.

The NIST and the Department of Homeland Security are currently working on a continuous monitoring program that provides tools and services for government agencies to bolster network security.