
Apr 26

Federal Legislation to Update FISMA Can Speed Shift to Continuous Monitoring

From: EMC Public Sector Blog

by Shannon Kellogg

It’s hard to believe that it’s been nearly 10 years since the Federal Information Security Management Act (FISMA) was enacted. I know that I am growing older, but it seems like only yesterday that staff working for former U.S. Representative Tom Davis (the lead sponsor of the FISMA legislation in 2002) were in the throes of drafting that legislation. The final product was included in the E-Government Act of 2002, and after becoming law, FISMA provided a sound framework and baseline standards, and it drove additional accountability within federal agencies for implementing information security practices.

Well, 10 years is practically a millennium in technology terms, and after years and years of “discussions” about reforming FISMA, Congress is finally on the verge of taking action this week. Legislation co-sponsored by U.S. Representatives Darrell Issa (R-CA) and Elijah Cummings (D-MD), the Chairman and Ranking Member respectively of the House Oversight & Government Reform Committee, is expected to pass the House on April 26th. This bipartisan legislation, the Federal Information Security Amendments Act of 2012 (H.R. 4257), will update FISMA, including requirements for federal agencies to adopt, or accelerate adoption of, continuous monitoring practices. In the bill, “Automated and Continuous Monitoring” is defined as “monitoring, with minimal human involvement, through an uninterrupted, ongoing real time, or near real-time process used to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time with rapidly changing information technology and threat development.”

While the shift to continuous monitoring has been underway within the federal government during the last few years, updating the law will move agencies away from focusing on the annual certification and accreditation process and toward real-time operational risk management. That is a needed change and one that is long overdue, particularly in an era of advanced cyber threats. While there was more focus on information security as a result of the old FISMA, it became clear (at least in my view) half-way through the last decade that compliance with FISMA was not resulting in a reduction of cyber security incidents within federal agencies. Billions of dollars on compliance later, cyber attacks on government systems have not decreased but substantially increased, and it’s time to update the law.

Enacting an updated FISMA reform law is a critical next step toward better safeguarding federal networks. Next, Congress must fund the shift to continuous monitoring that is underway. Despite deep federal budget cuts that are sure to come as a result of disagreements over top-line federal spending or possible sequestration, the $200 million requested by the Administration for Automated and Continuous Monitoring in FY2013 is the logical next step to strengthen federal information security, and it is imperative that those investments are made now. Federal departments and agencies that have shifted away from the paperwork-intensive compliance focus of the old FISMA to a more flexible and operational risk management approach have eliminated unnecessary costs and are more effectively mitigating cyber attacks in the process. There will be more bang for the buck, and cyber incidents (at least those that result in substantial information loss and other damage) should go down.

Fortunately, FISMA reform is also an area of strong agreement with the U.S. Senate, so getting a bill to the President’s desk to sign before the August recess of Congress is very doable. The U.S. House of Representatives should take the first step in that process this week.
