We all know that FISMA is better than nothing, and we should know that it was a decent attempt (at the time) by legislators at implementing IT Security within the Federal Government. But the fact is, FISMA is too weak and too slow to be effective in the world of IT Security as it exists in the year 2010. IT security controls cannot go unchecked for 1-3 years while management skips happily along wearing a Certification and Accreditation (false) security blanket. Congress must have recognized this fact, as there has been an attempt to update FISMA, although the effort seems to have stalled in Congress. Reform of FISMA, or a complete replacement that removes a system owner’s ability to wriggle out of providing adequate security, must happen sooner rather than later.
What we have today is an IT Security circus caused by the lack of clear, strong guidance/policy backed by some form of enforcement and punishment for those individuals/agencies who fail to meet the standards. If you put four IT Security professionals in a room to discuss NIST 800-37 and/or 800-53 you will get at least three different interpretations of how to achieve compliance, and they will all use the guidance to prove that their interpretation is correct. Further, until there are negative consequences for poor performance, people will not take the implementation of NIST 800-53 controls and FISMA guidance seriously. To my knowledge no Federal information system has ever been shut down for non-compliance with NIST controls. To my knowledge the White House OMB has never pulled the plug on a failing system and forced the system owner to reach a state of compliance before granting authorization to resume operation of that system.
Managers must realize that in the current environment IT Security has two parts that are equally important: IT systems must meet FISMA compliance standards, and IT systems must have real IT security measures in place and operating effectively. My argument is that if administrators do the real security work and tighten down their systems, the Certification and Accreditation process will be a snap. It’s much easier to document controls that are in place and operating effectively than it is to implement a control after you have been visited by your friendly neighborhood auditor. I would dare say that if you have effective controls in place that are not documented, your life will be much easier during the audit than that of the system owner who has tons of documents but few effective controls.
But it seems that focusing resources on compliance issues often causes systems to both fail to meet required compliance levels and fail to meet industry standard (common sense) practices. Often, in the fog of scrambling to meet compliance goals, IT staffers overlook the basic low-hanging fruit that can close many security gaps. Managers must realize that compliance with FISMA and NIST 800-53 controls is the minimum. There are so many threats to systems out there that are not fully covered by NIST 800-53 that one would be foolish to sleep comfortably knowing that they only meet the minimum requirements of NIST SP 800-53. In order to have effective IT security, agencies must go far beyond the minimum.
In order for NIST controls to have more value as effective IT Security controls, they must define terminology in a manner that removes ambiguity. For example, NIST uses terms such as ‘Continuous Monitoring’, which NIST defines as monitoring the effectiveness of a particular control ‘at least annually.’ In the land of real IT Security, any company that monitored a control’s effectiveness once per year would fail a test of continuous monitoring. I must give NIST some credit, as they seem to be moving toward changing the definition to mean something to the effect of “near real time”, but again this term leaves too much to the imagination of an IT manager who does not want to devote the resources necessary to implement a proper automated or frequent manual process that would provide something close to continuous monitoring.
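To make the difference between the two definitions concrete, here is a small added example (written for this edit; it is not code from the original post or from any NIST publication) that evaluates one constructed control-evidence log under an ‘at least annually’ window and under a ‘near real time’ window. The control ids, the evidence records, the fixed clock, and the choice of 24 hours as one reading of “near real time” are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Two interpretations of "continuous monitoring", expressed as the maximum age of
# control evidence we are willing to accept. Illustrative policy choices for this
# example, not NIST requirements.
ANNUAL = timedelta(days=365)          # "at least annually"
NEAR_REAL_TIME = timedelta(hours=24)  # one assumed reading of "near real time"

# Controls the system is expected to report on (constructed list of 800-53 ids).
REQUIRED_CONTROLS = ["AC-2", "AU-6", "CM-6", "IR-4", "SI-2"]

# Constructed evidence log: (control id, ISO 8601 timestamp, assessment result).
EVIDENCE = [
    ("AC-2", "2010-06-01T08:00:00+00:00", "pass"),
    ("AC-2", "2010-09-14T08:00:00+00:00", "fail"),  # account review found a problem
    ("AU-6", "2009-10-01T08:00:00+00:00", "pass"),  # log review evidenced ~11.5 months ago
    ("CM-6", "2010-09-10T08:00:00+00:00", "pass"),
    ("SI-2", "2010-09-15T06:30:00+00:00", "pass"),
]

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2010, 9, 15, 12, 0, tzinfo=timezone.utc)


def latest_evidence(records):
    """Return {control: (timestamp, result)} holding the newest record per control."""
    latest = {}
    for control, ts, result in records:
        when = datetime.fromisoformat(ts)
        if control not in latest or when > latest[control][0]:
            latest[control] = (when, result)
    return latest


def assess(records, now, max_age, required=REQUIRED_CONTROLS):
    """Classify each required control under a given maximum evidence age.

    "failing"     - newest evidence says the control is not operating effectively
                    (reported regardless of age: the last known state is a failure)
    "stale"       - newest evidence passed but is older than max_age, so the
                    current state is unknown
    "no evidence" - nothing has ever been recorded for the control
    "ok"          - evidence within max_age shows the control passing
    """
    latest = latest_evidence(records)
    status = {}
    for control in required:
        if control not in latest:
            status[control] = "no evidence"
            continue
        when, result = latest[control]
        if result != "pass":
            status[control] = "failing"
        elif now - when > max_age:
            status[control] = "stale"
        else:
            status[control] = "ok"
    return status


def report(records=EVIDENCE, now=NOW):
    """Side-by-side view of the same evidence under both monitoring windows."""
    annual = assess(records, now, ANNUAL)
    nrt = assess(records, now, NEAR_REAL_TIME)
    lines = [f"{'control':8} {'annual':12} {'near-real-time':14}"]
    for control in REQUIRED_CONTROLS:
        lines.append(f"{control:8} {annual[control]:12} {nrt[control]:14}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Under the annual window AU-6 is reported as “ok” on the strength of a passing result that is almost a year old, and CM-6 passes on five-day-old evidence; under the 24-hour window both are flagged as stale, which is the gap between the two definitions. The point the post makes is that only the second window tells a manager something actionable today.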
To sum it all up and put a nice little bow on top, I will say that organizations need security staff who understand system vulnerabilities and emerging threats and have the skill necessary to mitigate these risks with available resources, instead of the crop of managers who surrender and throw their hands up when times get tough. Security does not have to be all or nothing. NIST needs to change the tone of its control language, use precise wording, and read each document in its entirety before publication to ensure that the top half of the document does not contradict the bottom half. Meanwhile, OMB should provide a stronger hand in enforcing guidance. IT Security will not get the proper level of attention and funding until agencies know that there are consequences for compliance failures, and before you say it… I know that compliance failures are theoretically supposed to impact the budget of the system owner or the agency, but the reality is that failures to comply with NIST guidance result in no negative consequences (that matter) to the individuals or the organization responsible.
image from http://srcomblog.files.wordpress.com