Reader comment on: Focus on cybersecurity compliance called ineffective
Complying with FISMA and NIST standards and guidelines is not the problem. NIST has produced many excellent documents. There are several reasons the FISMA process is not very effective:
- Information security is extremely complex and takes years to learn.
- Checklists cannot provide the knowledge, training, and experience needed to adequately review security.
- Not understanding the "why" results in a meaningless paperwork exercise.
- Federal employees are depending too much on contractors.
- A good understanding of the organization's network, systems, and applications is required, and expecting a contractor to walk in the door with no background in the organization and produce good results is unrealistic.
- Inadequate management of the contracts by federal employees.
- Congressional emphasis on number of systems certified rather than focusing on the highest risk systems.
- Doing a good job on the highest risk using federal employees would provide a valuable knowledge base that is not lost with the turnover of contractors.
- Using an iterative approach, each year the number and quality of FISMA reviews would improve.
I have worked in computer security for 20-plus years, as both a federal employee and outside the government in some of the largest corporations. If non-federal companies were reviewed by OIG or GAO rather than by companies they pay, the results would be shocking to most people.