Lawmaker may revisit computer security law

Rep. Tom Davis, R-Va., says he is open to ideas for improving the Federal Information Security Management Act.

Recent criticism of the federal law governing agencies' policies on information technology security has attracted the attention of a key legislator.

Tom Davis, R-Va., chairman of the House Government Reform Committee, said in April 3 letters to two vocal critics of the 2002 Federal Information Security Management Act that he is "not so naïve or stubborn as to think FISMA is a panacea or that important improvements could not be made."

The letters were in response to comments in a March 15 Government Executive article in which several observers expressed concern that government computer systems remain insecure despite the millions of dollars agencies spend complying with the cybersecurity law.

Davis said in the letters that he is interested in discussing the concerns about FISMA, and ideas for strengthening the law.

Alan Paller, research director of the nonprofit cybersecurity research group SANS Institute and one of the recipients of the letters, said he is impressed with Davis' openness to new ideas. He said he responded with a three-page letter outlining his concerns.

Under FISMA, agencies are required to produce reports detailing risks posed by IT systems' vulnerabilities and authorizing the systems' continued use, a process known as certification and accreditation. But this process fails to test a system's true security and is 10 times as expensive as it needs to be, Paller said.

"Because you're writing a report about security instead of testing security, you don't find out what the actual vulnerabilities were," Paller said.

Former Energy Department chief information security officer Bruce Brody, the other recipient of an almost identical letter from Davis, said he is looking forward to working with the congressman on improving FISMA. Brody is vice president for information security at the Reston, Va.-based government market analysis firm INPUT.

"[FISMA] is a real paper drill that means nothing when it comes to information security," Brody said. "How do we get to the next stage of FISMA -- to get from the paper-based processes … to the more technical processes?"

Federal agencies are failing to perform a five-step litmus test that would measure their IT security better than the current requirements, Brody said. That test would involve determining the boundaries of networks, their configuration, the devices connected to them, the users of the devices and what the users are doing with the devices.

"If I just knew those five things, I'd be better off than I am today," Brody said. "Paper-based processes don't get you to those five things."

While Paller and Brody are two of the most vocal opponents of the FISMA reporting process, they are not alone in calling for reform of the law.

Former Air Force Chief Information Officer John Gilligan, now vice president and deputy director of the defense sector for the Fairfax, Va., IT firm SRA, said that while there are positive aspects to the law, he would like to see the process revised.

FISMA fails to measure the entire scope of an agency's systems; rather, it focuses on specific parts of the systems, Gilligan said.

"The initial intent [of FISMA] was good," he said. "The danger is that, just because you did well on FISMA, you think you're highly secure. It may be, but it may not be."

Nevertheless, an inability to "do the paperwork" is probably a good indication that an agency's systems are not secure, Gilligan said.

Bob Dix, executive vice president for public affairs and corporate development at Citadel Security Software, a Dallas-based IT security firm, and former staff director of the House Government Reform Committee's technology subcommittee, said that the criticism of FISMA as "much ado about nothing" is not constructive. He said he is pleased that Davis is seeking input from those who believe the law needs updating.

"I would be the first guy to say that after five years of the law being in place, it should be amended to reflect the experience we've had," Dix said. "But to suggest that it hasn't contributed to security is just a mischaracterization."

The Office of Management and Budget, asked to comment on the issue of revising FISMA, referred to an April 2005 statement from Karen Evans, OMB administrator for e-government and IT. She argued that FISMA is working and said "substantial revision could delay additional progress."