By Daniel Pulliam
dpulliam @ govexec.com
April 10, 2006
Recent criticism of the federal law governing agencies' policies on
information technology security has attracted the attention of a key
Tom Davis, R-Va., chairman of the House Government Reform Committee,
said in April 3 letters to two vocal critics of the 2002 Federal
Information Security Management Act that he is "not so naïve or
stubborn as to think FISMA is a panacea or that important improvements
could not be made."
The letters were in response to comments in a March 15 Government
Executive article where several observers expressed concern that
government computer systems remain insecure despite the millions of
dollars agencies spend complying with the cybersecurity law.
Davis said in the letters that he is interested in discussing the
concerns about FISMA, and ideas for strengthening the law.
Alan Paller, research director of the nonprofit cybersecurity research
group SANS Institute and one of the recipients of the letters,
said he is impressed with Davis' openness to new ideas. He said he
responded with a three-page letter outlining his concerns.
Under FISMA, agencies are required to produce reports detailing risks
posed by IT systems' vulnerabilities and authorizing the systems'
continued use, a process known as certification and accreditation. But
this process fails to test a system's true security and is 10 times as
expensive as it needs to be, Paller said.
"Because you're writing a report about security instead of testing
security, you don't find out what the actual vulnerabilities were,"
Former Energy Department chief information security officer Bruce
Brody, the other recipient of an almost identical letter from
Davis, said he is looking forward to working with the congressman on
improving FISMA. Brody is vice president for information security at
the Reston, Va.-based government market analysis firm INPUT.
"[FISMA] is a real paper drill that means nothing when it comes to
information security," Brody said. "How do we get to the next stage of
FISMA -- to get from the paper-based processes ... to the more
Federal agencies are failing to perform a five-step litmus test that
would measure their IT security better than the current requirements,
Brody said. That test would involve determining the boundaries of
networks, their configuration, the devices connected to them, the
users of the devices and what the users are doing with the devices.
"If I just knew those five things, I'd be better off than I am today,"
Brody said. "Paper-based processes don't get you to those five
While Paller and Brody are two of the most vocal opponents of the
FISMA reporting process, they are not alone in calling for reform of
Former Air Force Chief Information Officer John Gilligan, now vice
president and deputy director of the defense sector for the Fairfax,
Va., IT firm SRA, said while there are positive aspects to the law, he
would like to see the process revised.
FISMA fails to measure the entire scope of an agency's systems;
rather, it focuses on specific parts of the systems, Gilligan said.
"The initial intent [of FISMA] was good," he said. "The danger is
that, just because you did well on FISMA, you think you're highly
secure. It may be, but it may not be."
Nevertheless, an inability to "do the paperwork" is probably a good
indicator that an agency's systems are not secure, Gilligan said.
Bob Dix, executive vice president for public affairs and corporate
development at Citadel Security Software, a Dallas-based IT security
firm, and former staff director of the House Government Reform
Committee's technology subcommittee, characterized the criticism of
FISMA as "much ado about nothing," but said he is pleased that Davis
is seeking input from those who believe the law needs updating.
"I would be the first guy to say that after five years of the law
being in place, it should be amended to reflect the experience we've
had," Dix said. "But to suggest that it hasn't contributed to security
is just a mischaracterization."
The Office of Management and Budget, asked to comment on the issue of
revising FISMA, referred to an April 2005 statement from Karen Evans,
OMB administrator for e-government and IT. She argued that FISMA is
working and said "substantial revision could delay additional
©2006 by National Journal Group Inc. All rights reserved.