Application Security
4/22/2010
10:27 AM
50%
50%

New Policy Revamps Agencies' Approach To FISMA Compliance

Guidance takes a 'three-tiered approach'

The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending.

Many observers both inside and outside government have come to the conclusion that the government's cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm. "These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect," federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.

Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies' cybersecurity efforts. That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.

The new policy outlines what Kundra described as a "significant departure" from the way cybersecurity has been measured and managed in government. It is contained in an Office of Management and Budget memo penned by federal chief performance officer Jeffrey Zients, Kundra, and Schmidt, and developed with input from federal CIOs.

Kundra and Schmidt said on the conference call that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

The guidance takes a "three-tiered approach" to FISMA that includes automatic reporting of cybersecurity data feeds directly from agency security and management tools to a tool hosted by the Department of Homeland Security; government-wide benchmarking on agencies' security postures; and agency-specific interviews to help determine the needs and proper metrics for individual agencies.

First, agencies will be required to feed cybersecurity information directly and in near real-time from their own security management tools into the recently implemented Cyberscope security reporting tool, which DHS is now operating. The White House is convening with agencies on May 7 to discuss how they will move forward with this plan, and what new metrics will be included in the new reporting.

This automated reporting should both decrease the amount of money agencies are spending on cybersecurity reporting, and also help the White House best determine where and how resources should be spent on cybersecurity across government, said Kundra and Schmidt. "Capital can and should be used to invest in systems that will be actually enhancing security," Kundra said.

Agencies will begin feeding this data to Cyberscope by June of this year, but Kundra admitted that some agencies will have to make investments in order to get tools like asset management systems and security information management systems in place to feed data to Cyberscope. Some agencies, like the Departments of Justice, Treasury, State, Veterans Affairs, and NASA are already able to report to Cyberscope, and will be among the first to do so. The due date for reporting through Cyberscope is November 15, and those agencies which can't yet directly feed information into Cyberscope will be able to provide a data feed as an XML upload to Cyberscope.

Along with this new reporting structure will also come new metrics for agencies to use. Those metrics have been developed in concert with the private sector, academic community, and federal CIOs and CISOs. The new data feeds will include summary information about inventory, systems and services, hardware, software, external connections, security training, and identity management and access.

In terms of government-wide benchmarking, CyberScope will be asking agencies a set of questions on their security posture online, rather than in the submission of an annual signed letter to do the same task. The White House will also be carrying out agency-by-agency interviews on cybersecurity. "We recognize not all agencies perform the same mission and function," Kundra said. "Historically it was just a lowest common denominator approach, but the nature of the threat can be unique to each agency."

Finally, in addition to the three-pronged approach to overhauling FISMA reporting, the White House memo answers dozens of potential agency questions about FISMA, including some issues outside the scope of the new approach, like whether national security systems fall under this guidance (not typically), who should have the ultimate say over an agency's security posture (the agency head), and whether SAS 70 compliance audits often used by private sector to determine whether third-party systems are secure is sufficient for FISMA compliance (it depends).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.