FISMA's a fizzer, says Cisco, and calls on Congress to get cyber security policy right – pronto
Organizational structure, piecemeal approach and hiring practices all need to change, says Borg security bigwig
A senior Chief Information Security Officer (CISO) advisor at Cisco has penned a commentary on the state of US cybersecurity frameworks, criticizing current government infosec and advocating for more autonomy for CISOs and a better understanding of the task at hand from those creating policies.
"After nearly two decades of federal cybersecurity and risk management as practiced under the rubric of the Federal Information Security Management Act (FISMA) of 2002 and the Federal Information Security Modernization Act (also FISMA) of 2014, billions of dollars in appropriated federal cybersecurity funding have not appreciably improved the overall situation," wrote Bruce Brody.
Brody referenced the Senate Homeland Security and Governmental Affairs (HSGAC) report Federal Cybersecurity: America's Data Still at Risk [PDF] released on August 3. The report grades overall federal agency information security at a C-.
The report is damning. The eight federal agencies reviewed all showed significant cybersecurity weaknesses, and the report concluded there is no single point of accountability nor unified strategy. Among other measures – like requiring agencies to budget for IT improvements and adopting government-wide cybersecurity approaches – the report recommends an update to FISMA 2014.
- Good news: NASA and Homeland Security just passed their government IT exams – and we really mean *just*
- Shock report: 92 per cent of US government websites totally suck
- US 'dropped the ball' on security by going it alone claims Huawei US CSO
Brody also calls for an upgrade to FISMA 2014 and offers his brilliant recommendations for making the "grandson of FISMA" a success.
The author recommends replacing the current piecemeal infosec approach with a broader one that treats the human as the weak link in the attack surface. He also wants the agencies to treat the cloud and digital transformation as the infosec risks they are.
He provides some linguistic suggestions too – like changing some wording within FISMA from "ensure" to "enforce" in order to give the CISO and CIOs actual authority over cybersecurity policies and those who violate them.
Brody has an axe to grind over the organizational structure within FISMA. Within the government regulation, a CISO is not even recognized, but rather referred to as a "senior agency information security officer". Furthermore the CISO replica role is placed as a subordinate of the CIO, going against commercial industry trends and therefore, Brody argues, proving that the governing body is out of touch.
"FISMA fails to appreciate that the role of the CIO is to deliver 'power, ping, and pipe' to the enterprise, while the role of the CISO is the fundamentally different continuum of 'identify, protect, defend, respond, and recover'," writes Brody. "The two roles don't overlap cleanly and must be separate in order to govern cybersecurity effectively."
As for the role of CISO, he recommends the position, and that of the CIO, be elevated to agency leadership level to give the experts the power to do their jobs. He also argues those with power should be accountable and agencies should have autonomy over the chain of command falling under the CISO.
Finally, Brody argues for updated cybersecurity hiring practices, enabled by the government creating a new cybersecurity job series, rather than placing cybersecurity specialists under the existing GS-2210 job series and pay scales offered to IT professionals.
"In the end, federal information security is all about protecting our nation's systems and networks from those who wish to do them harm," writes Brody. "New and improved legislation will go much further than the previous FISMA versions in achieving this noble goal. Thankfully, the 117th Congress has the opportunity to enact it. This time, let's get it right." ®