Questioning FISMA Reform Without a New LawA Call to Strengthen the CISO's Authority in Agency's Hierarchy
A recent article concerning how to reform the Federal Information Security Management Act without enacting new legislation caught my attention.
In my take on that article [see 6 Ways to Reform FISMA without New Law], two former Office of Management and Budget officials contend that agency inspectors general should adopt an enhanced risk management framework, after which the National Institute of Standards and Technology would reorient its volumes of guidelines to center on the unknowable threat, which would then drive a more threat-informed risk management framework in each agency. That, in turn, would compel the IGs to prioritize their annual findings against the agency's risk profile, upon which the chief information officers would incorporate the IGs findings into the agency's strategic plan.
FISMA is flawed and must be reformed. To assert otherwise is to not fully appreciate the degree to which FISMA missed the mark on information security and risk management.
Is this a move that mirrors the best practices of the security programs at the Fortune 500 companies? It's not even close. This approach disregards the inadequacies of the FISMA legislation and adds naively considered processes to the mountain of processes that clog the agencies' security arteries.
Simply stated, FISMA is flawed, and FISMA must be reformed. To assert otherwise is to not fully appreciate the degree to which FISMA missed the mark on information security and risk management. And continuing to paper it over is not an approach; it's a never ending tragedy.
5 Things Every CIO, CISO Needs to Know
Let's start with the basics - the five things that every CIO and chief information security officer must know before he or she even has a prayer of managing the risk and improving the security in a large enterprise:
- The interconnected boundaries of the enterprise.
- The devices that connect to the interconnected boundaries of the enterprise.
- The configurations of those devices.
- Who is accessing those devices.
- What they are doing when they are accessing those devices.
Of course, there are many more things that need to be known, but if these five things are not known at any point in time, then the enterprise is not, and cannot be, secure. It is safe to assert that no federal CIO or CISO has complete knowledge of these five things now, or even is on a path to getting there any time soon. It is not entirely clear that Congress, OMB, NIST or any agency IG thinks these five things should be a priority effort. Nor will the six ways to reform FISMA get us there, or anywhere close.
Ensure vs. Enforce
CIOs and CISOs are not authorized to gather this knowledge, because FISMA tragically botched governance. By using the word "ensure" instead of "enforce" as in the "CIO shall ensure compliance with the act" FISMA gave no authority to the CIO or the CISO. Take a look at the general counsel decision of April 2004 at the second largest cabinet-level department, where the use of the term "ensure" was determined to be devoid of any direct authority to alter the behavior of any agency system owner who chose to disregard the legislation. After all, such system owner also had in his or her hands an annual appropriation, along with authorization language instructing how to use that appropriation, and never did any one of those bills require the system owner to "do FISMA."
When the subject of the word "ensure" having no authority was brought to the attention of the House in 2006, a bill was drafted to change FISMA to read "...ensure, and to the extent determined necessary by the agency head, enforce..." That language passed the House, but never made it through the Senate, joining the many similarly doomed efforts to bring some measure of reason and sanity to the mess that is FISMA.
Which brings us back to how the CIO can gather the knowledge of the five things he or she must know in order to have a prayer at securing an enterprise. Thanks to FISMA, it can't happen unless the agency head commands it, and the agency head typically commands nothing unless the layers of concurrence and coordination populated with recalcitrant system owners provides consent. By providing consent, the system owners would also acquiesce to the discovery of years and years of misrepresentation of their security posture, which is about as likely to happen as is the IG's acceptance and understanding of an enhanced risk management framework, which is where we began this blog.
Continuing in the vein of botched governance, which alone is reason enough to reform FISMA, consider the plight of the CISO. In the original FISMA, the CISO was introduced to us as a senior agency information security officer, or SAISO, and was organizationally planted under the CIO. In subsequent drafts of various reform bills, the SAISO went all the way from a full-blown CISO to being seemingly eliminated as a senior role.
Herein lies a major problem for federal information security and risk management, and a total disconnect from the best practices emerging in the Fortune 500 world. We learned from a 2012 IBM study, Finding a Strategic Voice, that the role of the CISO is evolving much like the CFO role evolved in the 1970s and the CIO role evolved in the 1990s. Because they are charged with protecting some of the most important assets of the organization, the strategic role and value of the CISO is skyrocketing in importance and stature. Unfortunately, it has long been the view of OMB that the CISO is merely an underling of the CIO, which reflects the kind of flawed understanding that would also assert that six additional bureaucratic processes can reform FISMA without rewriting the legislation.
Unshackling the CISO from the CIO
Many private corporations are unshackling the CISO from the CIO [see CISO as Chief Privacy Officer], recognizing that the CISO only has a portion of responsibilities in the information technology infrastructure, and must also be the individual who holds the CIO accountable for security implementation in major information technology programs. The CISO also has distinct and meaningful responsibilities with respect to the chief compliance officer, the chief security officer and the chief risk officer, and many private corporations are recognizing this span of authority and this increasingly important strategic role.
The CISO is flourishing in the private sector and diminishing in the public sector. That's the kind of disconnect even Congress must understand, so there really is only one reasonable bottom line: FISMA is badly flawed, and must be reformed.
Bruce A. Brody is the former chief information security officer of the U.S. departments of Veterans Affairs and Energy.