By: Steve O'Keeffe http://meritalk.com/blog.php?user=SteveOKeeffe&blogentry_id=1520
As schoolboys, growing up in London in the ’80s, we’d sing “I’d like to teach the PTA to blow up all the schools” to the tune of the Coca-Cola advertisement “I’d like to teach the world to sing.” We’d skulk and smoke behind the bicycle sheds and kick the can down the road in the rain. It was the worst day of the year – report cards. So Federal CISOs, I think many of us can sympathize with you about the FISMA thing.
The bickering over FISMA has persisted since it was introduced in the E-Gov Act of 2002. Do the grades really provide any insight into the actual security of agencies’ information? Is the grading process fair? Does the IG properly understand the IT function? Is there any relationship between agencies’ security grades and their security budget – or for that matter between their FISMA grades and their overall IT budget?
To net it out, is this a paper exercise that has no impact on agencies’ security and would the time and funding dedicated to FISMA be better spent elsewhere?
All good questions, but despite numerous studies based on interviews with Federal CISOs that have shown that the process is significantly flawed – www.merlin-intl.com/IAstudy.asp – FISMA continues to limp onward. Agencies are required to complete the testing even though Capitol Hill – the primary audience – has long since lost interest in the results. In fact, Tom Davis was the last public official to pay any attention to the FISMA grades – and that was more than two years ago. In 2007, the last time Davis announced the grades, it did not even warrant a House hearing – he called a press conference at the Center for Innovative Technology in Virginia – http://pcworld.about.com/od/researchreports/Survey-Gov-t-CISOs-say-FISMA.htm
Certainly, all of this is interesting bar-room conversation – and, to be sure, many of us have adopted pro and con FISMA positions over pints – but how do you get to an up or down decision? What if you heard that of the $6.2 billion that the Federal government spent on cyber defense in 2008, it spent some $1.31 billion on FISMA Certification and Accreditation – C&A – paperwork? Would that cost epiphany make you see the light? Let’s put that number in some additional context: that’s more than the GDP of Samoa, Tonga, and East Timor combined, or, put another way, 21.1 percent of our nation’s cyber security spending. To clarify, we are not saying that it’s not important to establish metrics for measuring performance, but does it make sense to spend almost one quarter of your cyber security budget on generating FISMA paperwork? And does the paperwork make us any safer? By all reports, the temperature of the cyber security “inferno” keeps getting hotter. So, that would be like firemen devoting 15 minutes out of every hour to reporting while the Capitol building is ablaze – even Nero would shake his head…
Here’s the rationale for the calculation of the cost of FISMA across the Federal government:
According to OMB’s Fiscal Year 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002 – http://www.whitehouse.gov/omb/assets/reports/fy2008_fisma.pdf – the population of Federal systems is 10,257. The breakdown against the three FISMA system C&A categories is 1,143, high; 3,924, moderate; 4,507, low; with 683 “not categorized.” Based on interaction with Federal CISOs on cost associated with executing each C&A against these specific FISMA system categories, the prices are as follows: $193,205, high; $167,643, moderate; $74,057, low. We took an average across the three FISMA system categories’ C&A costs and applied it to the population of “not categorized” systems to monetize the dangling element.
And, for those of you scoring at home, here’s the math, or maths as we said at school:
High:              1,143 systems x $193,205 = $220,833,315
Moderate:          3,924 systems x $167,643 = $657,831,132
Low:               4,507 systems x $74,057  = $333,774,899
Not categorized:     683 systems x $144,968 = $99,013,144   (average of the three category costs)
Total:            10,257 systems             = $1,311,452,490
Consistent with President Obama’s transparency mantra, isn’t it time to show the cost of the process? While there have been various discussions about FISMA reform, none to date have come to much. Next week, on October 29th, Senator Tom Carper’s (D-Del.) Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security will hold a hearing on FISMA reform. The panel of speakers includes Vivek Kundra, the Federal CIO at OMB; John Streufert, Deputy CIO and CISO at the State Department; Greg Wilshusen, Director of Information Security Issues at GAO; and Tom Davis, former Congressman, long-time Federal IT and cyber security advocate, now with Deloitte. Word on the street is that Streufert will talk at next week’s hearing about how the State Department has moved to a more proactive posture – shifting funding from C&A to automated continuous monitoring.
The government IT community is keenly interested in next week’s testimony – and more importantly in the potential for change. Clearly it’s time to wrestle this paper tiger to the ground – to reinvent Federal cyber security as a proactive discipline. How about establishing an automated security managed services program across the Federal government that provides common defenses and automatically reports penetration incidents and data loss? Or perhaps taking a spoonful of the medicine that the Hill is feeding to the private sector by establishing government liability for security breaches and making the agency CEO – the cabinet secretary – accountable? Let me be clear, CISOs: we hear you loud and clear, it’s time for the FISMA beatings to stop. Oh, and off the record, I’ll let you in on a little secret of my own – those questionable report cards of mine in the ’80s didn’t have any bearing on my performance in the real world either.