Network News

X My Profile
View More Activity

A makeover for federal cybersecurity reporting

The federal regulations telling agencies how to secure their computer networks are overdue for an overhaul: Even the author of the 2002 law now admits that it needs updating to reflect today's threats from hackers, viruses and cyber spies.

Critics of the Federal Information Security Management Act (FISMA) long have complained that the way it has been implemented often amounts to a massive paperwork exercise. Yet somehow that criticism seems so much more valid when you actually see all of the resulting paperwork piled up one place.

John Streufert, the chief information security officer at the U.S. Department of State, told a Senate Homeland Security and Governmental Affairs subcommittee Thursday that the department spent $133 million over the past six years on certification and accreditation (C&A) reports, a process whereby agencies evaluate every three years what defensive security protections are in place to secure federal systems.


Streufert said that money produced stacks of reports amassing a total of 50 shelf feet, or 95,000 pages, of final C&A documentation for roughly 150 information systems, and that the electronic files that support this process over the same period contain 18 gigabytes of documents (the image to the right shows just three years worth of those documents, obtained at a cost of $38 million).

"This equates to a cost of the C&A report, which does not include other related products (e.g., system security plans), [at] roughly $1,400 per page," Streufert said. "Most compliance driven 'snapshots' produce results on paper which are often extraordinarily accurate but out of date within days of being published and are only indirectly connected to the new threats heading toward the Department minute to minute."

Sen. Tom Carper (D-Del.), chair of the Senate Subcommittee on federal financial management, government information, federal services and international security, said the C&A process costs taxpayers about $1.3 billion every year. That price tag doesn't count the money that agency inspector generals need to spend to verify the accuracy of those reports, which Carper said means the true cost of producing these reports each year is probably closer to $2 billion.

"These reports would be worth the price tag if the tactics that hackers used were as static as words typed on a piece of paper," Carper said.

Carper also said he was troubled to learn that - seven years and $40 billion in information technology spending after the enactment of FISMA - the White House's Office of Management and Budget still doesn't track how much agencies are spending on cyber security, or measure whether those expenditures actually resulted in improved security.

Vivek Kundra, federal chief information officer at the White House's Office of Mangement and Budget, said he also was shocked to learn when he took the post earlier this year that OMB only collected aggregate data on security spending. He told the panel that OMB has begun collecting more detailed spending information for the past fiscal year.

Kundra said the OMB last month established a task force to develop "forward-looking metrics focused on improving security at agencies rather than merely demonstrating compliance," and that the task force is working with OMB to develop a roadmap for future reporting under FISMA that will "incorporate real-time metrics and enhance government-wide situational awareness." At the same time, the National Institute of Standards and Technology is revising its current C&A guidelines to change the focus of security protection to "continuous monitoring."

Kundra said his agency plans to release for public comment the draft metrics for fiscal year 2010 later this fall. He praised as one potential model for new reporting requirements a system that the State Department recently implemented that scans every computer and server connected to its network at least every 36 hours to test for security weaknesses such as missing software security updates or weak configurations.

State's Streufert said that program had already helped the agency reduce overall risk on its unclassified network by 90 percent since mid-July.

Tom Davis, the former Republican representative from Virginia who sponsored the original FISMA bill, told the panel that the government needs to move away from a "culture of compliance" and move toward a system that continuously tests their security.

"It's time to take FISMA to the next level," Davis said.

Many of the changes to FISMA that Davis recommended already are called for in a FISMA reform bill sponsored by Carper. For example, the U.S. Information & Communications Enhancement Act of 2009 would require agencies to conduct regular "red team" penetration tests to locate security weak spots.

By Brian Krebs  |  October 30, 2009; 1:55 PM ET
Categories:  U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: DHS: PhoneSnoop app bugs BlackBerrys
Next: FDIC: Uptick in 'money mule' scams


Its easy to say "do pentests". On what systems: all/critical? To the apps, the operating system or the network...or all of them? Pentests done by outsiders or insiders? Whats the scope? Web? Internal applications? What about third party apps (Adobe, IE). I have many questions, is it just me? Probably :-)

Posted by: FaustoCG | October 30, 2009 4:38 PM | Report abuse

Nice article bk. So who do you have to be or where will you apply to be on a red team? Sounds like a cool future article.

Posted by: dward__ | October 31, 2009 1:30 PM | Report abuse

When Worlds Collide--19th century record keeping meets 21st century technology. Whee hah!

Technology is nimble and constantly evolving. Government rules are risk averse and inherently sluggish and slow to change. This clash may be impossible to resolve. It's one reason the stealthy malefactors of the internet can stay several steps ahead of the bureaucracy based law enforcers. Any system that equires the sort of documentation described will never keep up with the cutting edge of the (in)security environment.

Posted by: featheredge99 | October 31, 2009 6:25 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company