This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
Suggest the article be updated to recognize: the new Federal Information Security Modernization Act of 2014. — Preceding unsigned comment added by 152.133.13.1 ( talk) 17:19, 10 February 2016 (UTC)
After five years of FISMA, experts agree that little progress has been made in improving the overall security posture of the Federal computing enterprise. The reasons for this are many, but they boil down to the following key categories.
1. FISMA measures the wrong things, measures the wrong things in the wrong ways, and fails to measure the right things. As a result, FISMA the legislation, and FISMA the process, are fatally flawed. For example, 10 points of the annual FISMA grade, or a full alphabetical grade, is devoted to Training. Therefore, an agency can receive all 10 points if its entire population receives a one-hour awareness training on-line course. However, the quality, content and effectiveness of the training is not measured. Another example is Certification and Accreditation, or C&A, which accounts for 20 points or two alphabetical grades. However, C&A is an immense amount of documentation that results in the acceptance of risk, and potentially limitless risk for a system or application. Therefore, it is possible for an agency to claim that 100% of its systems are C&Aed, but yet, not one of the systems might be considered "secure". C&A is a costly and time-consuming never-ending exercise aimed at documenting security weaknesses and policy violations. However, the personnel performing these tasks often lack the security skills to accurately assess whether a risk exists, and/or the staff has a vested interest in concealing known weaknesses, to avoid embarrassment or punishment from a failed C&A. The time and money necessary to pursue C&A and thus a passing FISMA grade arguably consume the limited resources that could otherwise be used to improve security.
2. FISMA failed to recognize and overcome the culture of the various departments and agencies, especially those that are geographically distributed and fiercely independent from central authority. Thus, the agency CIOs and their subordinate CISOs are powerless to "enforce" security requirements across the stubbornly independent operating administrations. FISMA chose to use the word "ensure compliance" when defining what the CIO was responsible for accomplishing under the Act, and consciously avoided the use of the term "enforce." General Counsels across the Executive Branch have interpreted "ensure" to mean that the CIO has no real authority under FISMA. The legislators who enacted FISMA chose to ignore the most important aspect of implementing information security across large and complex enterprises -- governance! For this reason alone, FISMA is practically useless.
3. FISMA created the Chief Information Security Officer (called "senior agency information security officer") and specifically placed that person under the CIO. That construct turns out to be a mistake. The CISO under FISMA must report to the CIO and thus place the security requirements of the department or agency subordinate to the CIO's other priorities, budget pressures, political exigencies or other conditions unrelated to sound and effective security approaches.
4. FISMA was created and managed by a triumvirate of entities with no practical security experience whatsoever. The Congress created and oversees FISMA, through the House Committee on Government Reform. It was born out of the old Year 2000 (Y2K) days, but after the Y2K rollover, the committee needed a new grandstanding event to justify its political existence. It chose information security because it was topical and loosely related to Y2K. Unfortunately, the non-practitioners on the congressional staff adopted the same system-by-system, site-by-site approach for information security that it used in the Y2K days. That approach connotes very little practical understanding of information security, where interconnected infrastructures and distributed enterprise boundaries require equal or greater attention than individual systems and sites. The second element of the triumvirate of 'FISMA keepers' is NIST, the agency responsible for publishing the standards that Federal agencies must adhere to under FISMA. Again, no practitioners exist at NIST, and the result is a massive pile of paper requirements that are impossible to implement and represent a simplistic form of a security-for-the-sake-of-security academician approach. At the same time, the core of FISMA compliance (and C&A) is the NIST Special Publication (SP) 800-53, which is arguably a generic and very low minimum security baseline that lacks specific details necessary to give FISMA any real power to improve security. The third element of the triumvirate is the Office of Management and Budget, which monitors FISMA implementation across the departments and agencies. Again, not a single practitioner can be found anywhere in OMB, and the result is an endless barrage of unfunded requirements heaped upon the departments and agencies. Until such time as actual information security practitioners take charge of the process, FISMA will remain the sad failure that it has become.
5. The worst and scariest aspect of FISMA is that many Federal executives who simply don't know any better and are chasing the 'Potemkin Village' of FISMA compliance and adopting the mindless 'scorecard approach' to security. These executives are completely oblivious to the fact that their computing infrastructure has been penetrated, its sensitive information has been violated, and those who wish to do harm to Federal information resources have succeeded. FISMA aims at giving Federal executives the policy tools necessary for them to gain a more accurate awareness of security across the enterprise. But by relying heavily on C&A and on threatened financial and other penalties from Congress, executives end up getting from their subordinates an inaccurate awareness of risks, a false sense of security, and the erroneous belief that security weaknesses are being resolved.
Thus, FISMA is a paper-based compliance drill and not a rigorous technology-based security program. In the five years of its existence, FISMA has failed to appreciably improve the security of the Federal computing enterprise, and will continue to fail to improve it under its current form and with its current flaws. Nonetheless, billions of taxpayer dollars have been squandered chasing "compliance," while little has been accomplished in actually getting to real security. To the enemies of our nation who wish to visit harm upon our nation's computing infrastructure, this is very good news indeed.
I think that while there is significant discussion about why the act fails to address needs, the characterization of the act as "fundamentally flawed" is a statement of opinion, not fact, and as a result, the article contains a basic bias inappropriate to Wiki.
I recommend that we add "has been characterized as" to the "fatally flawed" comment in the introduction. This would encourage the reader to review the "Issues with FISMA" section.
Thoughts?
[Bruce Brody here -- I think the ultimate justification of the "fatally flawed" point is that the staffs of Sen. Carper and Sen. McCain, both of whom are on the Senate Homeland Security Committee, have concluded that change is necessary and a new FISMA is coming. Having worked with both staffs, all I can say at this point is that the "fatal flaws" are being addressed. But it's no longer relevant to debate whether or not FISMA was "fatally flawed" because Congress is fixing the "fatal flaws".]
Bdevoe 18:23, 29 March 2007 (UTC)
That particular statement has probably been changed since then, so I'm content with that particular sentence, but I'm not sure about the immediately following line:
Those detractors are correct to a degree, namely that FISMA alone is not the solution to Federal information security challenges.
This sentence is written as a statement of fact, and as much as I may agree that FISMA is not a solution by itself, it needs re-wording. If there is a cyber-security (or general security) expert who could provide the precise phrasing to indicate that multiple layers of security provide a necessary or valid enhancement, it should improve the article, especially for a sentence at the end of the introduction. Daytonduck 13:08, 20 June 2007 (UTC)
I would like to see paragraph three have an addition on the order of "While it is true that placing the CISO under the CIO requires the CIO to balance security against other priorities, placing the reporting at the CEO level also has significant drawbacks. Among them, the fact that the arguments about security are less likely to be understood and that the CEO has even larger priorities and pressures." The reporting structure that we have may not be very good, but it is about as good as it can be. Others are likely to be worse. Jonesjf 20:05, 20 June 2007 (UTC)
An important legal article that is critical of FISMA was written by Robert Silvers for the New York University Law Review in November 2006 (81 N.Y.U.L. Rev. 1844) entitled "Rethinking FISMA and Federal Information Security Policy". I don't know how to attach it, but perhaps someone can do that. In it, the author notes that FISMA "suffers from serious structural defects that account for its poor performance" and the author rips the organizational and other flaws that FISMA imposes on departments and agencies. If you read this article, then you'll probably conclude that the discussion topic above is a milder critique of FISMA. Babrody 00:30, 8 July 2007 (UTC)babrody
I've reviewed the article. The FISMA act is high-level legislation that contains several amendments to other legislation. For the most part, FISMA defines responsibilities of Federal agencies and contractors with regard to information security. FISMA is one of the key pieces of legislation related to cybersecurity. FISMA is accompanied by a number of NIST publications. As with any piece of legislation, FISMA may be subject to critique, which is duly reflected in the "Issues" section of the article. A few additional references to the critique of FISMA can be added to the issues section; however, the purpose of the article is to provide encyclopedic information about the particular piece of legislation "as is", and its relation to the rest of the body of knowledge on computer security (see Wikipedia:WikiProject Computer Security project). It is not appropriate to mix critique with each statement of FISMA itself, or one of the accompanying NIST publications. This is affecting the neutrality of the article.
The discussion at this page is mostly related to FISMA itself, not to the article describing FISMA. Opinionated critics of FISMA, who feel that the critique of FISMA requires additional coverage as part of Wikipedia, may want to add a separate page, and include a link to it from the Issues section of FISMA. Such an article will need to follow the usual "What, Why, When, How, Where" questions, as any article, and should include substantial references; see for guidance How to write a great article. In my opinion, if the above critique points are included directly into the "Issues" section of the FISMA article, then the neutrality of the article will indeed become questionable.
The description of the compliance process needs to be checked with respect to the wording of FISMA itself. I believe the description is adequate with respect to the general intent of the entire framework defined by FISMA and one or more accompanying NIST publications, but it does not correspond to the language of the FISMA act alone. Some corrections need to be made.
Hello fellow Wikipedians,
I have just modified 3 external links on Federal Information Security Management Act of 2002. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).
Cheers.— InternetArchiveBot ( Report bug) 05:05, 29 September 2017 (UTC)