The Beginning of the End for FISMA?

Tomorrow could well be the first day of a new era for cybersecurity in the United States. The Obama administration is expected to unveil new information that will end security by wasteful paper-based compliance measures.

The announcement is likely to come from federal Chief Information Officer Vivek Kundra in front of the House subcommittee on Government Management, Organization and Procurement. I'm hearing from my sources that he may disclose specific changes to the 2002 Federal Information Security and Management Act (FISMA) that will eliminate the irresponsible compliance measures long followed by federal agencies.

Kundra was not responsible for FISMA, so it's worth noting that this is a considerable effort from him and the White House to change a broken law. He has publicly acknowledged the waste of compliance before, but tomorrow's hearing could be the first time the discussion moves toward how to improve the system, not why it's necessary.

It's no secret that the majority of security experts within and outside of government hope Kundra will endorse continuous monitoring, a system that identifies the most common attacks and automates controls to help defend against them 24/7. John Streufert, deputy chief information officer at the State Department, already has seen considerable success identifying and mitigating attack vectors using this method. Streufert also will testify tomorrow.

Compliance has been the common practice since FISMA was implemented in 2002: government agencies are forced to file massive amounts of paper reports about cyberattacks with the Office of Management and Budget every three years. These reports are costly and time consuming, and they provide only a snapshot in time, resulting in little-to-no actual protection of the government's computers and networks. Billions of dollars have already been wasted on these reports, so these changes couldn't come soon enough. Now we'll just have to wait and see what the changes will be.

Also testifying is John Gilligan, former CIO of the Energy Department; Christopher Fountain, president and chief executive officer of SecureInfo Corp.; Phillip J. Bond, president of TechAmerica; Greg Wilshusen, the Government Accountability Office's director of information technology; and Alan Paller, director of research for the SANS Institute.