Security law no cause for carping

FISMA adds to management workload, but is worth the effort, IRS officials find

In recent months, perhaps nothing has done more to make government agencies mindful of computer security vulnerabilities and their root causes than the Federal Information Security Management Act of 2002.

Federal security managers often disagree on the significance of the terrorist threat to cybersecurity. But they all recognize the protection that FISMA is supposed to provide against threats to federal computer networks from intruders. Indeed, some federal officials say that if a permanent change occurs in attitudes toward cybersecurity, the biggest cause will not be the Sept. 11, 2001, terrorist attacks — it will be FISMA.

"I like what FISMA brought," said Daniel Galik, the new chief of mission assurance for the Internal Revenue Service. FISMA has created a substantial new workload, he said, beginning with its risk management and reporting requirements. The yearly tests of an agency's security controls required by FISMA are perhaps the hardest to understand of the requirements, Galik said.

Office of Management and Budget officials advise federal agencies on how to comply with FISMA's requirements. They have not yet given agencies detailed guidelines for those tests, Galik said, but developing formal test plans and independently retesting every system could be prohibitively expensive. "Most agencies have been struggling with that part," he said.

Simply understanding the concept of risk management and how to calculate it has been a challenging exercise for some. Drew Ladner, chief information officer for the Treasury Department, seems to understand FISMA's risk management requirement as well as anyone. For any federal information system, he said, agency officials must identify its security weaknesses, its importance to the agency's operations and its likelihood of being attacked.

"Risk management is really understanding how vulnerability, criticality and threat interact to yield an assessment of risk," Ladner said. "It's an equation."

FISMA also requires departments to make quarterly and annual reports to OMB and send copies to interested members of Congress who then issue report cards. Before he came to the IRS last December, Galik was the chief information technology security officer at the Nuclear Regulatory Commission. Last fall the commission received straight As on its security report card, and it was the only federal agency or department to do so.

After Galik submits the next quarterly summary of the IRS' progress, due last week, the IRS and Treasury will start preparing for their annual FISMA report to OMB. For that detailed accounting, Galik said, agencies and departments must conduct assessments of their information systems' security, beginning close to the date they receive new guidelines from OMB. "The more [the date] slips beyond spring, it just makes planning a little harder," he said.

For Galik and other Treasury officials, however, FISMA reporting could soon become a bit easier. Treasury has adopted a new approach to FISMA's reporting requirements, one that Tim Hurr, the department's chief information security officer, said will simplify and improve the reporting process.

The department will begin using a customized Web portal and content management system for collecting FISMA data from Treasury's bureaus and generating properly formatted FISMA reports. The portal, Hurr said, will be exclusively for Treasury, but an outside service provider will develop and manage it. Ladner views the portal as an ideal platform for FISMA and one that the department can build on "to manage the data more effectively."

Other security managers say the most challenging steps in achieving FISMA compliance are the twin requirements of certification and accreditation. Certification is a technical review by an independent testing group that shows how a particular information system complies with FISMA's security requirements. To achieve accreditation, a designated authority within an agency must approve a certified federal information system for use.

The lack of a governmentwide certification standard has confused agencies, Galik said. Although staff members at the National Institute of Standards and Technology are developing standards for security certification and accreditation, "they're not there yet," he said.

Despite Galik's concerns, he thinks most efforts to meet FISMA's rigorous requirements are worth the extra time and money, if the money can be found. "Every agency thinks its systems are secure," he said. But if forced to prove it, agencies often discover they are less secure than they thought, he said.

Some officials privately wonder if FISMA's security standards are too rigorous, but others say the requirements are appropriately high. "The administration and Congress are holding agencies accountable to [FISMA] standards, which is absolutely appropriate," said Lawrence Hale, deputy director of the Homeland Security Department's U.S. Computer Emergency Readiness Team. "This is the government, so the standards should be high, and we should be doing better," Hale said.

Cybersecurity experts who argue for readiness in the face of cyberthreats debate the significance that terrorism might play. "There's a lot of disagreement even at the government level as to how real the terrorist threat is to cybersecurity," said Rebecca Whitener, director for privacy services at EDS. "In reality, most security professionals recognize that it doesn't really matter who the enemy is." What matters is the potential for attacks from outside and inside government networks.

For many federal agencies, FISMA and OMB have driven home the point that computer security is no longer optional. "Security is a cost of doing business," said Margaret Begg, assistant inspector general for information systems programs for the Treasury Inspector General for Tax Administration.

FISMA has pushed computer and information security to the forefront, and some officials say they would like to see FISMA usher in a new workplace culture. Those officials, including some of the federal government's top security executives, say attitudes and behavior are perhaps even more important than cutting-edge security technologies. "Certainly, we need better technologies when it comes to configuration management and autopatching," said Amit Yoran, director of DHS' National Cyber Security Division. But, he said, technology is available across the board to secure almost all computer systems.

"What's generally lacking is a culture of intolerance for poor security practices," Yoran said. But now that FISMA has imposed a substantial new burden of accountability on the federal government, some security officials believe that attitudes could change.

Yoran likes to draw a comparison with the changes in attitude toward sexual harassment in the workplace. "When people were held accountable," he said, "workplace cultures developed that would not tolerate sexual harassment. Very much the same mind-set is required when it comes to cybersecurity."

***

Six steps to a secure system

The Federal Information Security Management Act of 2002 requires federal agencies to take specific steps to ensure the security of federal information and information systems. To assist agencies at each step, the National Institute of Standards and Technology offers Federal Information Processing Standard (FIPS) documents and special publications (SP).

Below are the FISMA security fundamentals and relevant NIST documents.

1. Inventory systems: FIPS 199; SP 800-60

2. Assess risks: SP 800-30

3. Create a security plan: SP 800-18

4. Set security configuration and security controls: FIPS 800-53 (interim); FIPS 200 (final)

5. Certify security systems: SP 800-37; SP 800-26; SP 800-53A

6. Accredit security systems: SP 800-37

Source: National Institute of Standards and Technology