Tuesday, April 17, 2007

When FISMA Bites

After reading State Department to face hearing on '06 security breach I realized when FISMA might actually matter: combine repeated poor FISMA scores (say three F's and one D+) with publicly reported security breaches, and now Congress is investigating the State Department:

In a letter sent to Secretary of State Condoleeza Rice on April 6, committee Chairman Bennie Thompson asked the department to provide specific information regarding how quickly department security specialists detected the attack, whether the department knows how long the attackers had access to the network and what other systems may have been compromised during the attack. The three-page letter also asks the department to provide evidence that it completely eliminated any malicious software the attackers may have planted, as well as documentation of all of the communications between State and the Department of Homeland Security regarding the incident.

I'm going to keep an eye on the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology to see what is published on these matters. It's ironic that FISMA scores really have nothing to do with State's problems, and no aspect of FISMA can answer any of the questions cited above.


One Guy Nick said...


I have the blessing of working on both architecture and security roles for a company. This allows me to work closely with engineers very early during proposal efforts and shape their decisions. When a contract has yet to be awarded, there are no security guidelines. FISMA gives us a great bit of leverage to tell them FIPS 140-2 for all communications systems. FIPS 197 for encryption. While I agree the FISMA guidelines have gapping holes and do not keep up with the curve of technology, they do in fact give security a good start. I shudder at the thought of a group of Engineers delivering a system before FISMA was in place. At the very least it is a series of constraints that gives basic security the center stage.



David Bianco said...

What do you mean when FISMA bites? FISMA always bites.

As One Guy Nick said, it's not always bad. The real problem is that FISMA is concerned mostly with specification, documentation and reporting and doesn't really have much to do with security operations that actually protect systems.

The problem is compounded by the fact that the government doesn't seem to recognize this limitation, and thus assumes that FISMA is actually making things safer, when it's not intended for that purpose at all.

Anonymous said...

You are correct FISMA scores do have nothing to do with State issues.

Carmelo Lisciotto

rybolov said...

Scores are just an indicator. But I know Richard has worked long enough with the government to understand that nothing will change for the better unless there is a public humiliation/outcry for fixing it. That's what the scorecard is.

Yes, it's just a metric and yes, it can be gamed. But until you compare the agency heads to each other, they won't have a reason to change.

FISMA itself is easy--tie security planning into the budget. It's the implementation of that law that is the problem.

The budget is how the government can hire people like Richard to come in and build a Network Security Monitoring system. But they need to know what to do in the first place, and that's where all the C&A stuff comes in. Really, it's an excuse for a clueful person to come in and make a difference.

Yes, it's an iterative process and probably too much at that. Yes, it's very inefficient and very slow. But some of the process needs to happen in order to build the business case to justify the budget to do the real security work.

The sad part is that we have a critical shortage of clueful people. I see the shortcomings of FISMA all summed up into one statement: we need more technically-trained security people who understand what they are doing. Until we get to that point, we will be behind because 25 people can mess things up faster than 5 people can fix them. That's the state of information security in the government right now.

rybolov said...

BTW Richard, I would like to talk to you sometime about what FISMA really means because I think all this other junk gets added into it that shouldn't be there. It's a common perception around the beltway that FISMA encompasses all this other junk--I have the government coming to do "FISMA audits" in my facility and to me that phrase doesn't make any sense at all.

FISMA is not C&A. FISMA is not policies and procedures. FISMA is not the NIST guidelines or even mandatory standards. FISMA is not auditing. FISMA is not rewriting paperwork into new templates or critiquing active voice v/s passive voice.

FISMA is a law, Appendix III of the E-Government Act of 2002. It says "Do security planning and tie it back into the budget so you do it more efficiently". That's it. The rest of the junk is an implementation problem because we're making up the rules as we go along.

The problem is that all these short-sighted people can poke this law and say "this means that we should do $foo and $bar and you're going to do it because it's the law." Well, to be bluntfully honest, for the most part they are either profiteering or non-clueful. That's the part that needs to be fixed.

No matter how much I look at the problem, it almost always comes back to personnel management.

Anyway, if you're interested, I'll drop you an email with my contact information.