Lawmaker may revisit computer security law

Recent criticism of the federal law governing agencies' policies on information technology security has attracted the attention of a key legislator.

Tom Davis, R-Va., chairman of the House Government Reform Committee, said in April 3 letters to two vocal critics of the 2002 Federal Information Security Management Act that he is "not so naïve or stubborn as to think FISMA is a panacea or that important improvements could not be made."

The letters were in response to comments in a March 15 Government Executive article where several observers expressed concern that government computer systems remain insecure despite the millions of dollars agencies spend complying with the cybersecurity law.

Davis said in the letters that he is interested in discussing the concerns about FISMA and ideas for strengthening the law.

Alan Paller, research director of the nonprofit cybersecurity research group SANS Institute and one of the recipients of the letters, said he is impressed with Davis' openness to new ideas. He said he responded with a three-page letter outlining his concerns.

Under FISMA, agencies are required to produce reports detailing risks posed by IT systems' vulnerabilities and authorizing the systems' continued use, a process known as certification and accreditation. But this process fails to test a system's true security and is 10 times as expensive as it needs to be, Paller said.

"Because you're writing a report about security instead of testing security, you don't find out what the actual vulnerabilities were," Paller said.

Former Energy Department chief information security officer Bruce Brody, the other recipient of an almost identical letter from Davis, said he is looking forward to working with the congressman on improving FISMA. Brody is vice president for information security at the Reston, Va.-based government market analysis firm INPUT.

"[FISMA] is a real paper drill that means nothing when it comes to information security," Brody said. "How do we get to the next stage of FISMA -- to get from the paper-based processes … to the more technical processes?"

Federal agencies are failing to perform a five-step litmus test that would measure their IT security better than the current requirements, Brody said. That test would involve determining the boundaries of networks, their configuration, the devices connected to them, the users of the devices and what the users are doing with the devices.

"If I just knew those five things, I'd be better off than I am today," Brody said. "Paper-based processes don't get you to those five things."

While Paller and Brody are two of the most vocal opponents of the FISMA reporting process, they are not alone in calling for reform of the law.

Former Air Force Chief Information Officer John Gilligan, now vice president and deputy director of the defense sector for the Fairfax, Va., IT firm SRA, said while there are positive aspects to the law, he would like to see the process revised.

FISMA fails to measure the entire scope of an agency's systems; rather, it focuses on specific parts of the systems, Gilligan said.

"The initial intent [of FISMA] was good," he said. "The danger is that, just because you did well on FISMA, you think you're highly secure. It may be, but it may not be."

Nevertheless, an inability to "do the paperwork" is probably a good indication that an agency's systems are not secure, Gilligan said.

Bob Dix, executive vice president for public affairs and corporate development at Citadel Security Software, a Dallas-based IT security firm, and former staff director of the House Government Reform Committee's technology subcommittee, said that the criticism of FISMA as "much ado about nothing" is not constructive. He said he is pleased that Davis is seeking input from those who believe the law needs updating.

"I would be the first guy to say that after five years of the law being in place, it should be amended to reflect the experience we've had," Dix said. "But to suggest that it hasn't contributed to security is just a mischaracterization."

The Office of Management and Budget, asked to comment on the issue of revising FISMA, referred to an April 2005 statement from Karen Evans, OMB administrator for e-government and IT. She argued that FISMA is working and said "substantial revision could delay additional progress."
