Government Blog
FISMA - The Difference Between Compliance and Effective Security

Karen Evans, who oversees federal information technology spending for the White House as OMB's Administrator for E-Government and Information Technology, recently drew the distinction between FISMA compliance and FISMA effectiveness in a Senate hearing. FISMA (the Federal Information Security Management Act of 2002) is administered by OMB and took effect in 2003; it has since driven large amounts of IT spending and produced the infamous report cards that have embarrassed many federal agencies. Evans was clear that FISMA compliance is not the same as effective cyber security, and she was instrumental in applying the lessons of the past five years to an upgraded standard.

The Senate has now drafted new FISMA 2008 legislation aimed at more effectively linking agency responsibilities under the law with the tasks actually needed to secure federal information systems. The most cited improvements in the new law are not necessarily the most instrumental. New clauses that strengthen the chief information security officer's authority and step up red team exercises are clearly helpful, but other, less cited, provisions could have a larger positive impact if the legislation becomes law.

For one, FISMA 2008 would require federal agencies to buy products and software with security built in rather than trying to bolt it on after the fact. The Air Force proved the power of the principle with its standard desktop configuration, now running on more than 500,000 computers the service has purchased with secure configurations built in; the approach became the model for the Federal Desktop Core Configuration that OMB has since mandated for civilian agencies. The results: savings of more than $100 million, patch deployment time cut from 57 days to 72 hours, and much happier users encountering fewer problems.

Additionally, the new legislation would demand attack-based metrics: agencies must demonstrate that their information systems are actually protected against the attacks, known vulnerabilities and exploitation techniques in use, not merely that the required documentation exists. Attack-based metrics require learning how the offense operates and then using that knowledge to shape the defense.

Lastly, and perhaps most striking, the legislation would require agencies to reach governmentwide agreement on what those attack-based metrics must be, by establishing a baseline of information security measures and controls that can be "continuously monitored through automated mechanisms." That phrase marks another significant change from the annual and triennial reviews that were the norm under the old law: a control that a machine checks every day reveals configuration drift that a paper certification performed once every three years cannot.
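To make the two preceding points concrete, here is an added example (not code from the original post or from any agency) of what an automated, attack-based baseline check looks like in practice: each baseline control is tagged with the attack class it counters, a host's reported settings are compared against the baseline, and the result is a per-host list of failed controls and exposed attack classes plus a fleet-wide failure count per control. The control identifiers, setting names, baseline values and host inventories are all constructed for illustration and are not NIST or agency identifiers; the 3-day patch ceiling simply mirrors the 72-hour figure cited above.

```python
"""Automated baseline check with attack-based reporting (illustrative, added example).

Assumptions (hypothetical): an inventory agent reports each host's settings as a
flat dict keyed by the names used in BASELINE; control ids are made up.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical id, not a NIST SP 800-53 control number
    setting: str      # key as reported by the (assumed) inventory agent
    expected: object  # baseline value
    rule: str         # "eq": must equal; "min": at least; "max": at most
    mitigates: str    # attack class this control exists to counter


# Constructed baseline: the governmentwide "agreed set of controls" in miniature.
BASELINE = (
    Control("CM-01", "password_min_length", 12, "min", "password guessing"),
    Control("CM-02", "account_lockout_threshold", 5, "max", "password guessing"),
    Control("CM-03", "autorun_disabled", True, "eq", "removable-media malware"),
    Control("CM-04", "patch_age_days", 3, "max", "exploitation of known vulnerabilities"),
    Control("CM-05", "firewall_enabled", True, "eq", "network-borne attack"),
    Control("CM-06", "smbv1_disabled", True, "eq", "network-borne attack"),
)

# Constructed host inventories. ws-003 never reported its patch age at all.
HOSTS = {
    "ws-001": {"password_min_length": 14, "account_lockout_threshold": 5,
               "autorun_disabled": True, "patch_age_days": 1,
               "firewall_enabled": True, "smbv1_disabled": True},
    "ws-002": {"password_min_length": 8, "account_lockout_threshold": 5,
               "autorun_disabled": True, "patch_age_days": 45,
               "firewall_enabled": True, "smbv1_disabled": False},
    "ws-003": {"password_min_length": 12, "account_lockout_threshold": 5,
               "autorun_disabled": True,
               "firewall_enabled": True, "smbv1_disabled": True},
}


def satisfies(rule, value, expected):
    """Evaluate one control rule against an observed value."""
    if rule == "eq":
        return value == expected
    if rule == "min":
        return value >= expected
    if rule == "max":
        return value <= expected
    raise ValueError(f"unknown rule {rule!r}")


def check_host(observed, baseline=BASELINE):
    """Compare one host's reported settings against the baseline.

    A setting the agent did not report is treated as a failure: an unknown
    state is not a compliant state. Returns the failed control ids, the attack
    classes the host remains exposed to, and the fraction of controls passing.
    """
    failed = []
    for c in baseline:
        value = observed.get(c.setting)
        if value is None or not satisfies(c.rule, value, c.expected):
            failed.append(c)
    return {
        "failed": [c.control_id for c in failed],
        "exposed": sorted({c.mitigates for c in failed}),
        "compliance": 1 - len(failed) / len(baseline),
    }


def fleet_report(hosts, baseline=BASELINE):
    """Run the check over every host and aggregate into the common metric a CIO
    and an inspector general could both read: how often does each control fail,
    and which attack classes is any host in the fleet still exposed to."""
    per_host = {name: check_host(obs, baseline) for name, obs in hosts.items()}
    failures = Counter(cid for r in per_host.values() for cid in r["failed"])
    exposed = sorted({a for r in per_host.values() for a in r["exposed"]})
    return {"hosts": per_host, "failures_by_control": dict(failures), "exposed": exposed}


if __name__ == "__main__":
    report = fleet_report(HOSTS)
    for name, r in report["hosts"].items():
        print(f"{name}: {r['compliance']:.0%} compliant, failed={r['failed']}, exposed={r['exposed']}")
    print("failures by control:", report["failures_by_control"])
    print("fleet exposed to:", report["exposed"])
```

The point of the `mitigates` tag is the attack-based framing: the report says not just "CM-04 failed on two hosts" but "two hosts are exposed to exploitation of known vulnerabilities", which is what the metric is supposed to measure. Run on a schedule against the agent's feed, this replaces a triennial paper review with a daily answer to the same question.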

This is an impressive step up and these changes collectively create a new foundation for dramatic transformation of federal cyber security. As an added by-product, the effort can coordinate the efforts of chief information officers and inspectors general because both will be measured against a common set of attack-based metrics.

Posted October 1, 2008 in IT Mandates