Lawmaker may revisit computer security law

Recent criticism of the federal law governing agencies' policies on information technology security has attracted the attention of a key legislator.

Tom Davis, R-Va., chairman of the House Government Reform Committee, said in April 3 letters to two vocal critics of the 2002 Federal Information Security Management Act that he is "not so naïve or stubborn as to think FISMA is a panacea or that important improvements could not be made."

The letters were in response to comments in a March 15 Government Executive article where several observers expressed concern that government computer systems remain insecure despite the millions of dollars agencies spend complying with the cybersecurity law.

Davis said in the letters that he is interested in discussing the concerns about FISMA, and ideas for strengthening the law.

Alan Paller, research director of the nonprofit cybersecurity research group SANS Institute and one of the recipients of the letters, said he is impressed with Davis' openness to new ideas. He said he responded with a three-page letter outlining his concerns.

Under FISMA, agencies are required to produce reports detailing risks posed by IT systems' vulnerabilities and authorizing the systems' continued use, a process known as certification and accreditation. But this process fails to test a system's true security and is 10 times as expensive as it needs to be, Paller said.

"Because you're writing a report about security instead of testing security, you don't find out what the actual vulnerabilities were," Paller said.

Former Energy Department chief information security officer Bruce Brody, the other recipient of an almost identical letter from Davis, said he is looking forward to working with the congressman on improving FISMA. Brody is vice president for information security at the Reston, Va.-based government market analysis firm INPUT.

"[FISMA] is a real paper drill that means nothing when it comes to information security," Brody said. "How do we get to the next stage of FISMA -- to get from the paper-based processes … to the more technical processes?"

Federal agencies are failing to perform a five-step litmus test that would measure their IT security better than the current requirements, Brody said. That test would involve determining the boundaries of networks, their configuration, the devices connected to them, the users of the devices and what the users are doing with the devices.

"If I just knew those five things, I'd be better off than I am today," Brody said. "Paper-based processes don't get you to those five things."

While Paller and Brody are two of the most vocal opponents of the FISMA reporting process, they are not alone in calling for reform of the law.

Former Air Force Chief Information Officer John Gilligan, now vice president and deputy director of the defense sector for the Fairfax, Va., IT firm SRA, said while there are positive aspects to the law, he would like to see the process revised.

FISMA fails to measure the entire scope of an agency's systems; rather, it focuses on specific parts of the systems, Gilligan said.

"The initial intent [of FISMA] was good," he said. "The danger is that, just because you did well on FISMA, you think you're highly secure. It may be, but it may not be."

Nevertheless, an inability to "do the paperwork" is probably a good indication that an agency's systems are not secure, Gilligan said.

Bob Dix, executive vice president for public affairs and corporate development at Citadel Security Software, a Dallas-based IT security firm, and former staff director of the House Government Reform Committee's technology subcommittee, said that the criticism of FISMA as "much ado about nothing" is not constructive. He said he is pleased that Davis is seeking input from those who believe the law needs updating.

"I would be the first guy to say that after five years of the law being in place, it should be amended to reflect the experience we've had," Dix said. "But to suggest that it hasn't contributed to security is just a mischaracterization."

The Office of Management and Budget, asked to comment on the issue of revising FISMA, referred to an April 2005 statement from Karen Evans, OMB administrator for e-government and IT. She argued that FISMA is working and said "substantial revision could delay additional progress."
