FISMA is Good for America, Here's Why
By: Laura Taylor | October 14, 2009

With security intrusions continuing to plague U.S. federal agencies, some pundits have asked, "Is the Federal Information Security Management Act of 2002 (FISMA) doing its job?" Here's the rub. No matter what sort of law is in place to require U.S. federal agencies to secure their systems and analyze risk, there will continue to be security intrusions at U.S. federal agencies (and everywhere else) for the foreseeable future. Get used to it and plan accordingly.

FISMA is a good law. Prior to FISMA, U.S. federal agencies secured their systems, applications, and networks on a voluntary basis. Some agencies did a good job and others didn't. Today, agencies are required to secure their information infrastructure. Contrary to what is published in various trade rags, FISMA is not merely a paperwork exercise. FISMA requires security controls to be tested annually or whenever there is a major change to the system. In fact, the word "testing" is used 8 times in the text of FISMA. Testing security controls means that all major applications, systems, and networks undergo penetration testing at least annually. During penetration testing, leading vulnerability assessment tools and manual methods are used to assess the security of applications, systems, and networks. If vulnerabilities are discovered, agencies are on the hook to remediate them, and in fact they do. Critical vulnerabilities have to be addressed as soon as possible. If vulnerabilities are not remediated, Inspectors General may require systems to be shut down. And I have seen that happen.

It is true that paperwork is involved, and that is a good thing. The fact that System Security Plans, Contingency Plans, and Security Assessment Reports are required is also a good thing. Without those reports, all of the information on the security of the application, system, or network remains hidden to auditors, and oftentimes hidden to the agency that needs to manage the systems. A System Security Plan details how all of the security controls work. It contains the security architecture information, the operations information, and the management information on all of the security controls. With large distributed enterprise systems, it would be nearly impossible for a Chief Information Security Officer (CISO) or a Senior Agency Information Security Officer (SAISO) to manage the security of a system without a System Security Plan. If a System Security Plan were not required, any CISO or SAISO worth their salt would ensure that one is written anyway. The same holds true for Contingency Plans and Security Assessment Reports. How can you manage something if you don't know how it is put together and how it works? The System Security Plan describes the security architecture, how the security controls work, what products are used, and what data is allowed to flow in and out of the system.

FISMA was designed to force agencies to evaluate the risks to their applications, systems, and networks. The word "risk" is used 19 times in FISMA. To the FISMA cynics, I say, "How can evaluating risks to U.S. federal agencies, systems, and networks be a bad thing?" Some say, "If FISMA were a good law, we would not continue to have security intrusions at U.S. federal agencies." I say that argument does not hold water. Here are some analogies. It is a good law that people are not allowed to commit murder, but we continue to see homicides throughout the United States. As far as evaluating risk goes, it is a good idea to evaluate your medical risks and go to the doctor for a scheduled check-up. However, even if everyone did that, people would continue to get diseases and die premature deaths. Most would agree it is still a good idea to get that medical risk assessment done on your health, because a periodic medical risk assessment increases the chance that a risk will be found in enough time to mitigate it. Due to advanced health care, people are living longer and many diseases are getting stopped before they do serious damage. But people still die of cancer, because we still don't have all the answers to fighting diseases, and not all people are able to take advantage of the latest medical procedures.

Similarly, in spite of the security intrusions that have occurred at U.S. federal agencies, without FISMA there would be far more intrusions. According to IBM's X-Force security team, SQL injection attacks increased by 30% from mid-2008 to the end of 2008. IBM's X-Force security team also predicts that for 2009, SQL injection attacks will continue to grow by 50%. Technology is changing so quickly, and the reliance on information systems is so extensive, that cybercrime is here to stay. Congress can re-work FISMA, rename it, create new information security laws, and write legal stipulations until they are blue in the face, and still there will be security intrusions. Plan for it. The way to plan for it is to write an Incident Response Plan, hold periodic incident response exercises, and actively monitor your systems and networks for intrusions. According to Pete Nicoletti, VP of Secure Information Services at Terremark, "The best way for agencies to prepare for security incidents is to have real-time log monitoring, IP traffic and behavior patterns information and full packet capture already operational and in place so that when an incident occurs, it can quickly be detected, contained, and eradicated."

A new bill known as US-ICE, which would amend chapter 35 of title 44 of the United States Code, has been introduced by Thomas Carper, Senator (D) from Delaware. The new bill is being touted as the panacea for America's cyber security woes. While the United States continues to be plagued by cyber security attacks, and continues to experience cyber break-ins, this bill is no cure.

US-ICE maligns the Federal Information Security Management Act of 2002, implying that it has done nothing to bolster the security of federal agency systems, which could not be farther from the truth. While U.S. federal agencies have been victims of intrusions since FISMA was passed, without FISMA the number of intrusions would be far greater than it is today. Having worked in FISMA compliance for many years, I can vouch firsthand that I have seen a multitude of information security vulnerabilities corrected as a result of FISMA compliance audits. The number of security vulnerabilities that have been brought to the attention of agency officials through FISMA Certification & Accreditation practices is huge. Agencies now keep an ongoing list of plans for mitigating those vulnerabilities. High vulnerabilities are mitigated expeditiously, and other vulnerabilities are mitigated as required.

The US-ICE bill suggests moving the development of security guidance and standards from the National Institute of Standards & Technology (NIST) to a new office called the National Office for Cyberspace; that would be a colossal mistake. NIST has done an excellent job in defining and developing security controls. The NIST security development standards have been years in the making. Each year the NIST standards become more sophisticated and succinct. Developing new and separate standards would be a ridiculous waste of money, because it would mean paying to build, for a second time, something that already exists today.

Ron Ross is in charge of the FISMA Project at NIST. Ron's group is in charge of writing the various security technical publications that U.S. federal agencies use to comply with FISMA. The security controls as defined by NIST are among the best I have seen. I asked Ron if he thought FISMA had achieved its objectives, and he said, "FISMA has given the federal government a solid foundation for building, operating, and maintaining more secure information systems. We need to continue to build on that foundation to mature the strategies, tactics, training, and technologies that will help our senior leaders more effectively manage information system security-related risks in a world of ever increasing and more dangerous cyber threats."

Focusing on abolishing FISMA only serves as a distraction from securing the systems. If more stringent rules were put in place for non-compliance with FISMA, that might help. One of the biggest stumbling blocks for U.S. federal agencies is that funding for cyber security projects is nowhere near what it should be. In fact, as U.S. federal agency budgets are cut, funding for cyber security is often the first to go. One of the best ways to improve the security of U.S. federal agencies is to budget for more security resources. More security resources mean more people available to lock down systems, more people available to perform risk assessments and test security controls, more auditors available to flag vulnerabilities, and more technical security controls put in place.

In the meantime, count on the fact that no matter what laws are put into place, security intrusions will continue to occur. Plan on it.
