A makeover for federal cybersecurity reporting
The federal regulations telling agencies how to secure their computer networks are overdue for an overhaul: Even the author of the 2002 law now admits that it needs updating to reflect today's threats from hackers, viruses and cyber spies.
Critics of the Federal Information Security Management Act (FISMA) have long complained that the way it has been implemented often amounts to a massive paperwork exercise. Yet somehow that criticism seems so much more valid when you actually see all of the resulting paperwork piled up in one place.
John Streufert, the chief information security officer at the U.S. Department of State, told a Senate Homeland Security and Governmental Affairs subcommittee Thursday that the department spent $133 million over the past six years on certification and accreditation (C&A) reports, a process whereby agencies evaluate every three years what defensive security protections are in place to secure federal systems.
Streufert said that money produced stacks of reports amassing a total of 50 shelf feet, or 95,000 pages, of final C&A documentation for roughly 150 information systems, and that the electronic files supporting this process over the same period contain 18 gigabytes of documents (the photo accompanying the original post shows just three years' worth of those documents, produced at a cost of $38 million).
"This equates to a cost of the C&A report, which does not include other related products (e.g., system security plans), [at] roughly $1,400 per page," Streufert said. "Most compliance driven 'snapshots' produce results on paper which are often extraordinarily accurate but out of date within days of being published and are only indirectly connected to the new threats heading toward the Department minute to minute."
Sen. Tom Carper (D-Del.), chair of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, said the C&A process costs taxpayers about $1.3 billion every year. That price tag doesn't count the money that agency inspectors general must spend to verify the accuracy of those reports, which Carper said means the true cost of producing these reports each year is probably closer to $2 billion.
"These reports would be worth the price tag if the tactics that hackers used were as static as words typed on a piece of paper," Carper said.
Carper also said he was troubled to learn that - seven years and $40 billion in information technology spending after the enactment of FISMA - the White House's Office of Management and Budget still doesn't track how much agencies are spending on cyber security, or measure whether those expenditures actually resulted in improved security.
Vivek Kundra, federal chief information officer at the White House's Office of Management and Budget, said he also was shocked to learn when he took the post earlier this year that OMB collected only aggregate data on security spending. He told the panel that OMB has begun collecting more detailed spending information for the past fiscal year.
Kundra said the OMB last month established a task force to develop "forward-looking metrics focused on improving security at agencies rather than merely demonstrating compliance," and that the task force is working with OMB to develop a roadmap for future reporting under FISMA that will "incorporate real-time metrics and enhance government-wide situational awareness." At the same time, the National Institute of Standards and Technology is revising its current C&A guidelines to change the focus of security protection to "continuous monitoring."
Kundra said his agency plans to release for public comment the draft metrics for fiscal year 2010 later this fall. He praised as one potential model for new reporting requirements a system that the State Department recently implemented that scans every computer and server connected to its network at least every 36 hours to test for security weaknesses such as missing software security updates or weak configurations.
State's Streufert said that program had already helped the agency reduce overall risk on its unclassified network by 90 percent since mid-July.
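The passage above describes the two things a continuous-monitoring feed has to check for each host: whether the host was actually scanned inside the 36-hour window, and what the latest scan found (missing patches, weak configurations), rolled up into a risk figure that can be tracked over time. The following Python is an added illustration of that idea, not code from the State Department's program or from any agency; the host names, findings, timestamps and weights are constructed for the example, and the scoring weights are assumed values (real programs tune them from vendor severity and exposure).

```python
"""Minimal continuous-monitoring risk scoring over per-host scan results.

Added illustration. Hosts, findings and weights below are constructed for
the example and are not taken from any real agency's program.
"""
from datetime import datetime, timedelta, timezone

SCAN_WINDOW = timedelta(hours=36)  # every host must have a scan at least this fresh

# Assumed per-finding weights (illustrative, not a published scoring scheme).
WEIGHTS = {
    "patch_critical": 10,
    "patch_other": 4,
    "config": 3,
    "stale_scan": 25,  # a host nobody has looked at recently is itself a risk
}

# Constructed sample feed: the most recent scan record for each host.
SAMPLE_SCANS = [
    {"host": "web-01", "last_scan": "2009-10-30T06:00:00Z",
     "missing_patches": [{"id": "KB-0001", "critical": True}],
     "config_findings": ["telnet-enabled"]},
    {"host": "db-01", "last_scan": "2009-10-30T12:00:00Z",
     "missing_patches": [], "config_findings": []},
    {"host": "kiosk-07", "last_scan": "2009-10-27T09:00:00Z",  # well over 36h old
     "missing_patches": [{"id": "KB-0002", "critical": False}],
     "config_findings": ["default-admin-password", "autorun-enabled"]},
]


def parse_ts(ts: str) -> datetime:
    """Parse a UTC ISO-8601 timestamp like 2009-10-30T06:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_stale(record: dict, now: datetime) -> bool:
    """True when the host's last scan is older than SCAN_WINDOW."""
    return now - parse_ts(record["last_scan"]) > SCAN_WINDOW


def score_host(record: dict, now: datetime):
    """Return (score, reasons): the score grows with findings and with stale data."""
    score = 0
    reasons = []
    for p in record["missing_patches"]:
        w = WEIGHTS["patch_critical"] if p["critical"] else WEIGHTS["patch_other"]
        score += w
        reasons.append(f"missing patch {p['id']} (+{w})")
    for c in record["config_findings"]:
        score += WEIGHTS["config"]
        reasons.append(f"weak config {c} (+{WEIGHTS['config']})")
    if is_stale(record, now):
        # A snapshot that is out of date is penalised rather than trusted.
        score += WEIGHTS["stale_scan"]
        reasons.append(f"no scan within {SCAN_WINDOW} (+{WEIGHTS['stale_scan']})")
    return score, reasons


def fleet_report(records: list, now: datetime) -> dict:
    """Roll per-host scores up into a fleet total, a ranking and a stale-host list."""
    scores = {r["host"]: score_host(r, now)[0] for r in records}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    stale = [r["host"] for r in records if is_stale(r, now)]
    return {"total": sum(scores.values()), "ranked": ranked, "stale": stale}


def risk_reduction_pct(before_total: int, after_total: int) -> float:
    """Percentage drop in fleet score between two reporting points."""
    if before_total == 0:
        return 0.0
    return 100.0 * (before_total - after_total) / before_total


if __name__ == "__main__":
    now = parse_ts("2009-10-30T18:00:00Z")
    report = fleet_report(SAMPLE_SCANS, now)
    for host, score in report["ranked"]:
        print(f"{host:10s} {score:3d}")
    print("stale hosts:", report["stale"])
    # Constructed "after remediation" feed: kiosk-07 rescanned and patched,
    # web-01 patched, one kiosk config finding still open.
    after = [
        {"host": "web-01", "last_scan": "2009-10-30T17:00:00Z",
         "missing_patches": [], "config_findings": ["telnet-enabled"]},
        {"host": "db-01", "last_scan": "2009-10-30T12:00:00Z",
         "missing_patches": [], "config_findings": []},
        {"host": "kiosk-07", "last_scan": "2009-10-30T17:30:00Z",
         "missing_patches": [], "config_findings": ["autorun-enabled"]},
    ]
    after_total = fleet_report(after, now)["total"]
    print(f"risk reduction: {risk_reduction_pct(report['total'], after_total):.1f}%")
```

The point of the stale-scan penalty is the one Streufert makes about snapshots: a host whose last assessment is days old should count against the fleet until it is re-scanned, rather than being silently carried forward as "compliant" on the strength of an old report.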
Tom Davis, the former Republican representative from Virginia who sponsored the original FISMA bill, told the panel that the government needs to move away from a "culture of compliance" and toward a system that continuously tests agencies' security.
"It's time to take FISMA to the next level," Davis said.
Many of the changes to FISMA that Davis recommended already are called for in a FISMA reform bill sponsored by Carper. For example, the U.S. Information & Communications Enhancement Act of 2009 would require agencies to conduct regular "red team" penetration tests to locate security weak spots.