NASA hits FISMA reset button

If only it were possible to improve cybersecurity by doing more thorough paperwork. Alas, eight years after the passage of the Federal Information Security Management Act, it hasn’t worked yet. That, anyway, is the conclusion of Jerry Davis, deputy chief information officer of information technology security at NASA.

Davis struck a blow last month for the many security experts who see diminishing returns from the millions of dollars that agencies spend to certify that their systems are compliant with FISMA requirements.

In a memo dated May 18, Davis informed NASA’s information systems security officials that they would not be required to recertify their existing systems as normally done every three years. Instead, agency officials plan to invest their time and money in systems and processes that will allow them to continually monitor the security of their systems, according to the memo.

The traditional certification and accreditation processes “have proven largely ineffective and do not ensure a system’s security, or a true understanding of the system’s risk posture,” Davis wrote in the memo, which was obtained by Jill Aitoro at Nextgov.com.

The C&A processes also have been costly. In an interview with FCW’s Ben Bain, Davis said NASA officials could end up saving close to $20 million this year by not putting their systems through the FISMA grind.

It’s worth noting that FISMA was passed at a time when security processes in government were largely haphazard. Although some agencies did a good job with security, there was no way to replicate those successes at other agencies. FISMA was an effort to create a security baseline across government and systematize the process of measuring compliance at individual agencies.

It was never intended to be the final word in security, just a baseline. But the C&A process was so costly and labor-intensive that the paperwork associated with FISMA compliance has become a cottage industry unto itself at agencies — but an industry with a product of questionable value.

“The mounds of paperwork currently required to perform certification and accreditation activities over federal systems amounts in nothing more than a pro forma exercise that gives officials a false sense that their systems are actually secure,” writes Jeff Bardin at CSO Online.

But it’s not as if federal cybersecurity experts haven’t seen the problem. It’s just that they never had much say in the matter, given the unassailable reporting requirements that the Office of Management and Budget issued. Those requirements were based on security guidance that the National Institute of Standards and Technology issued.

But everything changed with an April 21 memo in which OMB officials detailed FISMA reporting requirements for 2010. The memo notes that NIST’s guidelines allow a certain amount of latitude in application, which “can result in different security solutions that are equally acceptable and compliant” — a line featured prominently in Davis’ memo.

But the shift at OMB did not come out of the blue. Alan Paller, director of research at the SANS Institute, gives kudos to Federal CIO Vivek Kundra and White House Cybersecurity Coordinator Howard Schmidt for encouraging agencies to focus on reducing security risks rather than simply complying with security policies.

The only question was who was willing to step into the opening that OMB created. The answer is Davis.

“The NASA innovation is the breath of fresh air that every CIO and every major program manager in government has been (secretly) hoping for,” writes Paller in a SANS NewsBites newsletter.

However, one security blogger was more skeptical. FISMA has not worked because agencies did not incorporate it, along with other NIST guidance, into a comprehensive security strategy. It’s not that FISMA has failed, the blogger writes. It’s that “I don’t think we’ve really done FISMA yet.”