SC Magazine published a story about how the U.S. Congress and President Obama are seeking to modernize FISMA, the Federal Information Systems Management Act, originally enacted in 2002. In “Defense from the top: FISMA,” journalist Lee Sustar interviewed several experts who provided their perspective on the proposed changes and what it would mean to organizations trying to comply with the new regulations.
Congress and the president seek to modernize FISMA in order to ensure the nation’s security.
After years of proposed changes, FISMA is finally morphing. What entered the legislative record in 2002 as the Federal Information Systems Management Act is almost certain to become the Federal Information Systems Modernization Act under the new Congress, following passage by its predecessor in December.
The name change highlights a major shift, says Maria Horton, who was CIO for the National Naval Medical Center as FISMA made its way into law. “By modernization, Congress and the president are looking at how to modernize in order to protect our security,” says Horton, currently founder and CEO of EmeSec, a Reston, Va.-based consultancy with federal government clients. Under FISMA 2.0, as it is commonly known, “agencies themselves must be prepared to report on a breach, how large it is, how many people are affected, and the circumstances surrounding it,” she says.
FISMA 2.0 would replace what has typically been federal agencies’ triennial cybersecurity compliance assessment. More frequent reports, with a strict deadline to report data breaches, would supplant the older system. It further calls for “automated security tools to continuously diagnose and improve security.” The Department of Homeland Security, which played a coordinating role for compliance with little authority under the original legislation, would play a more formal and central role under the proposed legislation, with the department’s $6 billion “Continuous Diagnostics and Mitigation” contract providing federal departments and agencies with a range of choices for cybersecurity products and services.
. . .
To meet those more stringent FISMA 2.0 requirements – including reports to Congressional committees – federal agencies are expected to go shopping for technical hardware and software information security solutions.
Leading information security providers say they’re ready. “FISMA 2.0 wants to get to insights and agility,” says Yo Delmar, vice president for governance, risk and compliance at MetricStream, a Palo Alto, Calif.-based service provider. That, she adds, points toward the increasing use of analytics to help agencies move from basic FISMA compliance to risk assessment and reduced incident response times.
Federal agencies should beware of FISMA 2.0 solutions that may constrict their ability to defend against evolving threats, says Suni Munshani, CEO at Protegrity, a Stamford, Conn.-based provider of data security solutions. “The first question is about transparency,” he says. “Is this something I can change without being beholden to some black box technology?”
One of the biggest obstacles to data security improvements in civilian federal agencies is the reluctance to collaborate across bureaucratic lines, says David Monahan, research director, risk and security management at Enterprise Management Associates, a Boulder, Colo.-based industry analyst and consulting firm. “Security people are notoriously bad at sharing information, mainly out of fear or arrogance,” he says. “The government agencies have traditionally been well into the arrogance and fear part of the equation.”
FISMA 2.0, with its rigorous monitoring and reporting requirements, just might change that. “With their collective resources and the right tools, they have the capability to share information to vastly improve their overall defense posture,” Monahan says. “Even if one falls victim to a particular attack, the others can use the shared information to prevent – or at least limit – the scope of their own compromises.”