Federal information security focus shifting to next-generation FISMA, continuous monitoring

While we have seen perennial efforts in Congress to revise or replace the Federal Information Security Management Act (FISMA) and to shift government agencies’ security focus away from compliance efforts and reporting mountains of paperwork on their information systems, momentum now appears to be building in both the legislative and executive branches to define the next generation of federal information security. The common theme surfacing from all this activity is the government’s desire to move to a model of “continuous monitoring” as an improvement over the triennial point-in-time security evaluations that characterize federal agency security programs operating under FISMA.

Last month NIST released the final version of its revised Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, the latest product of a Joint Task Force initiative coordinated by NIST (representing civilian agencies) in collaboration with the Department of Defense, the intelligence community, and the Committee on National Security Standards (CNSS). The change in title alone is noteworthy (as originally published in 2004, 800-37 was called Guide for the Security Certification and Accreditation of Federal Information Systems), as it is the largely documentation-based C&A process that has lost favor, despite the heavy emphasis on systems accreditation in annual FISMA reporting. One of the fundamental changes in the revised 800-37 is the emphasis on continuous monitoring. Monitoring has always been an aspect of the C&A process, but the revision now includes a dedicated appendix describing monitoring strategy, selection of security controls for monitoring, and integration of continuous monitoring with security status reporting and overall risk management activities. NIST Computer Security Division director Ron Ross provided an overview of this and other current and planned changes to security guidance and recommended practices at a March 22 meeting of the ACT-IAC Information Security and Privacy SIG.

For its part, OMB released the FY2009 FISMA Report to Congress, which provides the customary annual summary of federal agencies’ aggregate progress in cybersecurity, security incidents, security metrics, and privacy performance. The forward-looking section of the report spotlights plans to implement new security metrics for 2010 intended to provide real-time indications of performance and to improve situational awareness among agencies. OMB is also focusing on several key administration initiatives with an eye to their impact on security, including transparency and Open Government, health IT, and cloud computing. Federal CIO Vivek Kundra highlighted the same theme of shifting emphasis under FISMA towards continuous monitoring in a radio interview this week, and reiterated his key points while testifying before the House Committee on Oversight and Government Reform’s Subcommittee on Government Management, Organization and Procurement at a March 24 hearing on “Federal Information Security: Current Challenges and Future Policy Considerations.” Others testifying included State Department CISO John Streufert, whose approach to security management beyond the requirements of FISMA is regularly held up as an example of where government agencies need to go, and several individuals who have been active in the development of the Consensus Audit Guidelines (CAG) and its 20 Critical Security Controls. The consensus at the hearing seems to be that current government security laws are insufficient, and that FISMA in particular is due for revision.

Separately, both the House and Senate moved forward with draft information security legislation. The revised version of the Senate’s Cybersecurity Act of 2010 (S.773) was unanimously approved by the Senate Commerce, Science and Transportation Committee on Wednesday, while in the House, Rep. Diane Watson of California introduced the Federal Information Security Amendments Act of 2010 (H.R. 4900). The agency responsibilities enumerated in the House bill lead with continuous monitoring, penetration testing, and risk-based vulnerability mitigation, as part of information security programs that would be overseen and approved by the Director of the National Office for Cyberspace — a position created through another provision in the bill, whose holder would be a Presidential appointee subject to Senate confirmation.