How to move past the FISMA mind-set

Federal agencies are paying a price for trying to minimize all possible information security risks, write two top security officials at Los Alamos National Laboratory.

Jamil Farshchi is chief information security officer and Ahmad Douglas is senior cybersecurity leader at Los Alamos National Laboratory.

The federal government’s information security strategy is unsustainable. Enacted in the Federal Information Security Management Act and implemented in a framework developed by the National Institute of Standards and Technology, that strategy is built on a set of controls whose unintended consequence is to stifle agility and innovation. As new technologies and threats emerge, today’s paper-focused compliance paradigm must give way to a more sustainable long-term option.

Let’s begin with a quick digression on economics. All organizations, whether in the public or private sector, are built on the fundamental principle of value creation. In the private sector, an organization executes a set of business processes to create value for its shareholders, while simultaneously assuming the risks inherent in those processes.

Absent annual board meetings and quarterly financial reports, federal agencies might forget that, just like the private sector, their ultimate objective is to create value for U.S. taxpayers. Whether negotiating trade agreements, protecting the country or maintaining our strategic nuclear arsenal, each federal agency has its own set of core business processes that create value for the nation. Central to executing those business processes effectively is the wise management of their inherent risks.

It is in this regard that the NIST framework falls short. Because the framework does not account for business processes, applying the NIST controls can sacrifice business productivity to mitigate risks of low relative importance. And because the NIST compliance paradigm is primarily paper-based, the best possible outcome is point-in-time — or static — compliance. Unfortunately, point-in-time assessments do not capture the real risk inherent in a dynamic production system.

We need to move to a compliance paradigm that better suits the federal government’s diverse set of business processes. Rather than trying to minimize all risks, as the NIST framework encourages, we should identify the most significant risks to our core business processes. Information security officers would then implement an elegant set of controls to manage those risks. Finally, compliance would move from a check-the-box exercise to an honest, holistic assessment of an organization’s risk management framework.

In a sustainable compliance paradigm, we must first focus on value and then integrate risk. Such a paradigm would adhere to the following guidelines.

  1. Start with business processes. The chief information security officer should intimately understand the business processes the organization uses to create value. Supporting and accelerating those processes are the core facets of a sustainable information security strategy.
  2. Adopt true risk-based decision-making. You manage risks through the lens of value creation by asking: How will mitigating a given risk affect my organization’s productivity? Will the reduction in potential loss or liability more than offset the productivity cost?
  3. Streamline the core control set. The core information security controls that support almost any mission are few. Place them at the center of a new, mission-focused framework. Make other controls optional or discontinue them.
  4. Use documentation wisely. The existing certification and accreditation process is time-, labor- and paper-intensive. Certainly, some information security aspects can be assessed effectively on paper, such as process and governance. Others, such as configuration and vulnerability management, cannot. Create documents when they add value. Implement spot-checks or continuous monitoring elsewhere.

Our goal is to open a dialogue on value-focused risk management in the federal government. We hope that federal decision-makers will realize the significant long-term challenges presented by the compliance approach in place now and will consider steering the federal information security compliance paradigm toward a better balance of value and risk.
