Lawmakers and the White House on Wednesday called for changes to long-standing federal information security policies that would require vendors to incorporate safeguards into systems when they are being built rather than later in the development process -- an approach that could significantly affect federal contractors' products and services.
Rep. Diane Watson, D-Calif., introduced on Monday the 2010 Federal Information Security Amendments Act (H.R. 4900), which would update the 2002 Federal Information Security Management Act. The bill would establish a national office of cyberspace within the Executive Office of the President. It also would mandate its director be a permanent, presidentially appointed position subject to Senate confirmation. The current highest-ranking cyber official, White House Cybersecurity Coordinator Howard Schmidt, fills a post created by the president. His appointment was not subject to Senate approval and can be eliminated by any future administration.
Critics of FISMA say it wastes resources that could be better spent tightening the security of federal networks, because it requires government officials to fill out long reports to prove they are in compliance with the law. Watson's bill aims to reduce the reporting burden by requiring agencies to deploy automated tools that monitor and measure how vulnerable networks were to cyberattacks. In addition, the bill directs agencies conducting IT acquisitions to factor in the information security capabilities of commercial products and services.
"I believe those provisions offer us the best way forward to ensure that information security is built into our agency systems in a technology-neutral manner from the beginning of the procurement life cycle," said Watson, chairwoman of the Government Management, Organization and Procurement Subcommittee. She convened a hearing on Wednesday to discuss her bill.
John Gilligan, a former chief information officer for the Air Force and a member of the team that formulated President Obama's IT agenda, praised the bill in his testimony.
"The emphasis in the bill on minimum controls and the use of automation to continuously monitor the controls is both properly aligned and much needed," said Gilligan, now a private consultant. "The bill addresses an often overlooked area: the need to leverage the government acquisition buying power to require dramatic improvements in the security and reliability of software and hardware products."
Federal Chief Information Officer Vivek Kundra, who also testified, said agencies should "not bolt-on security afterwards." He explained that, too often, IT systems launch, go through upgrades and only at that point do departments try to apply controls.
"Frankly, security investments are best when they are actually baked in to the systems that we're looking at and not where they are treated as discrete investments across the board," he said.
The 2002 FISMA was supposed to result in more secure systems, but the law has not lived up to its potential, Gilligan said. OMB has relied on a large catalog of security controls published by the National Institute of Standards and Technology, an impossible mission that resulted in a scattershot approach to improving security, he said, and a better route would have been to deploy only the minimum controls stipulated by the law.
Gilligan asserts agencies should focus on the 20 most frequent cyberattacks and install controls to protect against them. Federal security specialists partnered with private sector security firms about a year ago to devise such a strategy, which includes maintaining an accurate and automated inventory of hardware, software and external connections.
For the past 18 months, the State Department followed a top 20 strategy and improved its security, according to Gilligan. "While these so-called good hygiene control areas will not ensure that the trillions of logic statements are absolutely correct, they provide a solid foundation level of security needed to thwart relatively unsophisticated attackers," who account for 80 percent of the problems, he said in his testimony.
In their annual reports on compliance with FISMA, federal agencies have shown progress in following security guidelines. For example, agency systems that were tested for security controls increased from 60 percent in 2002 to 90 percent in 2009, according to Kundra.
But compliance statistics do not indicate systems are secure. "The FISMA measures reported on annually have led agencies to focus on compliance," he said. "However, we will never get to security through compliance alone."
To alleviate some of the reporting hassle, OMB launched in 2009 a digital application that automatically and continuously collects information on compliance. CyberScope, which uses two identification checks to verify a person's permission to access the system, allows employees to derive more complex analyses of how secure systems are, Kundra said.
The administration is taking other steps to reform FISMA. For the first time, OMB asked agencies during this reporting cycle to detail the costs associated with information security, rather than requesting what it traditionally had--reports on the percentage of spending tied to cybersecurity for each IT investment. In future reports, agencies will break down expenses into categories for spending on personnel, reporting, certification and accreditation, and security management.
"Recognizing that the best security is baked in to information technology investments and not added in separately or well after the investments have been deployed, OMB needs to determine where, in the life-cycle development of systems, agencies are spending their resources," Kundra said in his written testimony. "In the coming years, access to continually refined cost data will allow OMB to evaluate the efficiency of federal expenditures on security."
The IT industry supports many aspects of Watson's bill and wants to work with the House to expedite its passage. If the ideal comprehensive proposal "proves too complex to be realized this session, FISMA reform must not wait," Phil Bond, president of trade group TechAmerica, said in a statement. "With a few adjustments, this bill can provide badly needed tools for protecting the people's information and networks."
But Gary "Gus" Guissanie, the Defense Department acting deputy assistant secretary of Defense for identity and information assurance, said deficiencies in rolling out FISMA policies are not in and of themselves sufficient reason to alter the law. He urged lawmakers to retain some attributes of the law. For example, the agency chief information security officer and CIO should continue overseeing FISMA responsibilities within the same office, he testified.