From: Fierce Government IT

Guest Commentary: Bruce Brody
cybersecurity reform in the new Congress 

A big part of the problem is the use of the word “ensure.” FISMA uses the word “ensure” instead of the word “enforce” in the context that the chief information officer shall “ensure compliance” with FISMA. That simple word choice guarantees that the CIO, and the subordinate “senior agency information security officer,” have no authority. If you don’t believe me, a memorandum I requested from the general counsel of the Department of Veterans Affairs when I served as the chief information security officer said exactly that. On April 7, 2004, the counsel wrote an opinion stating that the word “ensure” instead of the word “enforce” guaranteed the CIO and CISO no authority to enforce policies or hold people accountable for violating policies.

The CIO or CISO at the department or agency level has a modicum of control over those systems that support the headquarters operations; they have little or no control over the subordinate operating administrations’ systems and networks. In more than half of the departments and agencies, the CIO and CISO can issue policies and hope for compliance, and even issuing policies requires the consent of the operating administrations.

That means that the many agencies that think of security as an annoyance–including the ones barely tolerating the paper-based processes of the past because they do not reveal anything about the security posture of the enterprise–will continue to fake security. Some of them will even hide behind their authorization language and ask, “Where’s the FISMA requirement?” Without a CIO or CISO who possesses the authority to hold individuals accountable and hold executive bonuses at risk, against a compliance framework that actually makes sense, true security across executive branch agencies remains a pipe dream. FISMA does a dreadful job of addressing the governance problem.

Unless Congress fixes governance, it can mandate continuous monitoring to its heart’s delight, and then watch the process devolve into FISMA-like sleight of hand.

FISMA botches other things too, like the CISO concept. It doesn’t identify the position as anything other than a “senior agency information security officer,” doesn’t legislate that a community of security professionals be formed to co-mingle programs, solutions and best practices, and arbitrarily positions the CISO under the CIO.

Various drafts of new cybersecurity legislation have appeared over the past two years, and a staff draft apparently exists in the Senate. That means it may be possible for the 112th Congress to get something passed. The question is whether or not it will be an improvement over FISMA.

What the new legislation must contain, without ambiguity, is at least the following:

• A requirement that paper-based processes be replaced by dynamic, continuous monitoring processes against measures of effectiveness, by all agencies, without exception, and immediately.

• A requirement that the Office of Personnel Management create a professional job series for the cybersecurity work force, and that the Office of Management and Budget put in place a directive that all departments and agencies employ the same professional certifications that the Department of Defense requires in Directive 8570.1.

• A clear set of authorities and governance for the CISO, to include authority commensurate with accountability, and the ability for any agency to create a different chain of command for the CISO apart from the CIO.

In the end, federal information security is all about protecting our nation’s systems and networks from those who wish to do them harm. New and improved legislation will go much farther than FISMA in achieving this noble goal. Thankfully, the 112th Congress has the opportunity to enact it. This time, let’s get it right.