At an SC Magazine Government Roundtable,
much of the discussion focused on how to
improve FISMA, reports Illena Armstrong.
When the U.S. Congress enacted the Federal Information Security Management Act (FISMA) in 2002, hopes were high that it would prove a major force in compelling government officials to better protect critical systems. Some eight years later, however, detractors of the law can cite swarms of breaches across multiple agencies that highlight massive weaknesses in the federal infrastructure. Their contention: FISMA has done little to produce any shoring up of government network security.

The law's core mandate obligates federal agencies to conduct annual reviews of thoroughly documented and up-to-date information security programs. These reviews are then presented once a year to the Office of Management and Budget (OMB) and, ultimately, to Congress to verify compliance. But, say critics, the various security directives underlying required risk management planning and yearly reviews only have meant endless paperwork for public officials and resulted in still insecure systems – this, despite the fact that in fiscal year 2008, federal agencies reportedly spent some $6.2 billion securing the government's total information technology investment of approximately $68 billion.

Whether in spite of or because of FISMA, however, some agency leaders are making strides to vastly improve their overall information security postures and finding better ways to thwart more sophisticated and frequent attacks.

John Streufert, CISO and deputy chief information officer of the U.S. Department of State, who is quite familiar with some of the "unintended consequences" of FISMA, is just one government leader taking action to help improve the security of the federal infrastructure and advocate for a needed upgrade to FISMA requirements.

During an SC Magazine Government Roundtable held in late fall of 2009 in Washington, D.C., Streufert spoke to a group of high-level information security leaders from the government sector who gathered to exchange advice and insight about some of the challenges they're facing. Citing a few examples of the occasional illogical and absurd demands that FISMA sometimes has placed on government agencies like his, Streufert discussed at the event how the law "went wrong."

"We lost track of the fact that we were supposed to be protecting systems and, instead, we would crunch out reports and papers," he explained.

Before FISMA, his agency and likely others didn't fail to have the necessary mechanisms in place to collect threat and vulnerability data with the end goal of making their systems more secure, he argued. Rather, agencies probably weren't collecting more appropriate data on the precise attacks being lobbed at their specific organizations.

"Why not pay attention to the way we're being attacked and put our energies on those?" he asked during the event, which was sponsored by compliance and security vendor ArcSight. This, for him, means enlisting "metrics with the most meaning" for one's particular agency.

FISMA is faulty

As it stands now, FISMA doesn't seem to be helping in this goal, according to many of the government officials who attended the SC Magazine Government Security Roundtable. And, in fact, what's really needed is a change in government policies, not U.S. law.
36 SC • February 2010 • www.scmagazineus.com
FISMA

[Photo caption:] Government leaders convened recently in Washington, D.C. for an SC Magazine

great principles that you [Streufert] espouse, so that there is a consistent