CISOs assess the assessors

Government chief information security officers still do not have a cure for the headache caused by the need to create quarterly or annual reports about their agencies' security status, which CISOs must complete to comply with congressional and oversight requirements. Participants in FCW’s CISO round table described the system audits and reporting processes as cumbersome, time-consuming, painful and difficult.

Some of the CISOs said the burden is easing somewhat as the reporting processes mature, particularly for the Federal Information Security Management Act. However, many still question whether periodic reporting exercises are the best way to bolster security.

“I wouldn't say they are the most effective way of improving cybersecurity, but they do improve the cybersecurity program by locating weaknesses in our program that may not have been known,” said Ryan Brewer, chief information security officer at the Centers for Medicare and Medicaid Services.

Others say FISMA can’t keep up with new risks.

“Given the rapid changes in the threat landscape, merely meeting a checklist of requirements simply shows that we are compliant to a state of security at the time the regulation was created,” said Robert Maley, Pennsylvania's chief information security officer.

Others say there should be less emphasis on reporting.

“Reporting should be a secondary function to the actual securing of our systems and applications,” said Phillip Loranger, chief information security officer and acting director of information assurance at the Education Department. “This process needs to be re-evaluated and streamlined to be less administratively focused and more action-focused.”

A July report from the Government Accountability Office highlighted ongoing weaknesses of the FISMA reporting process and its frequent failure to identify disparities between agencies’ FISMA compliance records and their security status.

Federal Chief Information Officer Vivek Kundra has called for a rewrite of FISMA that would, in addition to clarifying the reporting process, yield metrics that assess security postures and continuously identify new threats. At least one CISO fears that such efforts could fall into old traps.

“I would hope that with the next evolution of FISMA, the lawmakers and the executive branch would actually call out to the agency CISOs in a collaborative manner to come up with a better way to satisfy these requirements,” Loranger said. “If they continue to work in a vacuum, I’m afraid we’ll be faced with the same challenges as before.”

Federal CISOs rate FISMA

Federal chief information security officers characterized the effectiveness of the Federal Information Security Management Act’s reporting process. Here are their responses.

Real but uneven improvement: 48 percent

Paper exercise with little upside: 24 percent

Costs exceed benefits: 19 percent

A great success: 9 percent

Source: The State of Cybersecurity from the Federal CISO’s Perspective, (ISC)2, April