FISMA 2.0 bill will strengthen cybersecurity, experts say

The Federal Information Security Management Act would also establish a Chief Information Security Officers Council.

A bill under consideration in the Senate Homeland Security and Governmental Affairs Committee would elevate information security governmentwide by requiring agencies to continuously monitor and measure critical criteria.

The Federal Information Security Management Act of 2008, S. 3474, which builds on the original 2002 FISMA legislation, promises to raise the bar for agencies to prove that they are adequately protecting sensitive information as foreign countries and global cyber villains become more sophisticated at attacking government networks.

The committee plans to vote on the legislation Sept. 23, a committee spokesman said.

Among its key provisions, the legislation would establish a Chief Information Security Officers Council that would develop best practices and standard measures for the most critical controls for agency information security. Also, those measures would be scrutinized continuously, said Alan Paller, research director of the SANS Institute.

“It means there are certain criteria that you have to watch all the time, not once a year, or once a quarter,” he said. “These continuously monitored, ultra-high-important metrics make the difference between your system being open for attack or hard to break into.”

Sen. Tom Carper (D-Del.), chairman of the committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, introduced the bill earlier this month. The committee rejected an amendment to strike the establishment of the CISO Council in its first consideration of the bill Sept. 17.

“I believe this bill will dramatically increase information security in the federal government,” Carper said.

Even with committee approval, the measure must compete for attention in the Senate, which is preoccupied with addressing Wall Street’s meltdown and with appropriations. The Senate is scheduled to adjourn Sept. 26 for the campaign season. There is no companion bill in the House, Carper said.

The bill also would expand the authority of agency CISOs to enforce compliance in collaboration with their chief information officers. That empowerment would let CISOs implement the security improvements they are attempting to make now, said Michael Brown, director of the Federal Aviation Administration’s Office of Information Systems Security. Brown reports to FAA CIO Dave Bowen and said Bowen is very supportive of Brown’s CISO activities.

“But within the context of the bill, there are a lot more things that I would be responsible for,” he said. “I could go out and enforce them, and I would have the power of law behind me to do what I’m trying to do.”

Under the bill, agencies would implement security measures to fit the risk and degree of harm that would result from the loss of or unauthorized access to sensitive information or an agency’s network. The legislation would provide for the Homeland Security Department to conduct penetration testing of civilian agencies’ systems to identify where they are vulnerable.

S. 3474 would amend the original FISMA legislation, which outlined compliance activities for agencies to meet annually. But many agencies have turned FISMA compliance into a paperwork exercise, Carper said.

The bill addresses FISMA in terms of organization and metrics, said Dan Chenok, senior vice president at Pragmatics and chairman of the Information Security and Privacy Advisory Board.

“The package of improvements points to attention by both security officers and program officials for real security and to move beyond the compliance approach that was necessary for the first phase of FISMA but is now not sufficient to ensure security in the way that agencies need to as technology evolves,” he said.

The security controls that agencies have used to comply with FISMA typically could be checked against a policy or plan, Paller said. This bill combines the objectives of prioritizing controls that block the attacks and constantly monitoring them, he said.

The Information Technology Association of America called for the bill’s quick passage by the committee. This bill requires agencies to have an outcome-oriented approach to securing their networks, said Liesyl Franz, vice president of information security and global public policy at ITAA.

Among the provisions, penetration testing of agency networks by DHS would provide agencies with a specific and predictable measurement for outcomes, which they don’t have, she said.

“It makes it more illustrative of current problems and improvements,” Franz said. For example, FISMA as it stands provides ways to measure the proportion of employees who have cybersecurity training but not to measure the improved security that results from that training, she said.