With Congress in a stalemate over cyber legislation, a different path to updating the Federal Information Security Management Act (FISMA) is available.
A group of former federal cyber experts is recommending three major changes to Office of Management and Budget Circular A-130. The goal is to codify continuous monitoring, the role of the Homeland Security Department in overseeing the operational aspects of FISMA and the definitions of national security systems and major IT systems.
Current efforts only ‘marginally effective’ The cadre of experts — Alan Paller of the SANS Institute; Jim Lewis of the Center for Strategic and International Studies; Karen Evans, director of the U.S. Cyber Challenge; Dan Chenok, executive director for the IBM Center for the Business of Government; and Frank Reeder, director of the Center for Internet Security — released a white paper today detailing their suggestions for improving A-130.
“OMB didn’t request us to do this,” said Karen Evans, a former OMB administrator for e-government and IT in an interview with Federal News Radio. “If you want to make changes in cybersecurity and legislation is not going to happen — that was the hypothesis — what kind of recommendations could be done today in absence of legislation that would really move the ball forward? It emanates from A-130.”
Evans, Reeder and Chenok are former OMB officials, while Paller and Lewis are outspoken critics of the long-time approach to FISMA. The group has been working on the A-130 recommendations for the better part of a year. “The federal government is spending substantial sums on security measures that are either marginally effective, or unmeasured in their effectiveness,” said Tony Sager, former National Security Agency senior cyber official, in a release. “This report recommends ways that government policy can help lead agencies to improve their security as part of the management of risk across the entire federal enterprise.”
House and Senate bills have tried to update FISMA to include the requirement to continuously monitor agency networks for cyber threats and vulnerabilities. Only the Senate’s version of the legislation would put into law DHS’s role in FISMA, as described by OMB’s July 2010 memo.
The House version of the FISMA updates would reestablish OMB’s role in developing and overseeing cyber policy, essentially reversing the White House’s memo.
No update since 2000
Evans said their recommendations would be for A-130 to follow the Senate and the White House’s lead in regards to DHS’s role. “This closes the policy loop of what OMB wrote in the memo and puts it into the circular,” she said. “The circular hasn’t been updated since 2000. So it removes this barrier to success, so to speak, between the inspector generals and chief information officers. Usually CIOs will go by the OMB policy memo, but then the IGs will come back and say the circular hasn’t been updated so here’s the pecking order of how it works. It removes that whole argument, so you can get to the point where you are talking about what is the right risk posture for the agency.”
Evans said that is why changing A-130 to require continuous monitoring and cement the DHS role will address the discrepancy in what IGs and CIOs follow.
“The way the policy world works, because we may not necessarily get legislative changes, and how can you make a big change or make an impact or sustain that impact — so it’s statute, then OMB circular then OMB policy memos,” she said. “If you want IGs, for example, to really take continuous monitoring seriously, and sustain it and build an evaluation program around it, they go to the circular. They’ll look at the statute, the circular and then they look at the policy memos. If it’s only in policy memos then it’s a little bit harder to get it institutionalized through that fabric in the civilian agencies. That’s why it’s critical for the circular to be updated to reflect that.”
One of the biggest changes the group is proposing is to change the definition of a national security system. Ruffle some feathers
Reeder said that may “break some china” in the federal government.
The paper said the historic distinction between national security and non-national security systems is “an anachronism,” and creates a gap attackers could exploit when data moves between the two systems.
The experts recommend OMB base its cyber policy on risk principles detailed in its 2004 memo on authentication.
Along those same lines, the experts believe OMB also needs to change the definition of a major information system.
“We recommend a new definition to continue to allow flexibility for agencies, but also allow for a common understanding by all parties of what goes into a system,” the paper stated. “The revised definition should be consistent with the Clinger-Cohen Act and FISMA definitions for information systems, which is ‘a discrete set of information resources for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.'”
Evans said the goal is to look at the type of information an agency is managing and what is the risk to their mission if it gets stolen or changed or deleted.
She added too often the data discussion gets lost in the need to protect the system. For example, a system or data that are non-sensitive for the Interior Department may be considered sensitive or even classified for the CIA.
“Because of the type of information you have to look at it and say, ‘Is this really a national security systems or a non-national security system? Or is it really about securing the information at a higher level?'” she said. “You don’t have to duplicate that one layer of review.”
Evans said the white paper also recommends A-130 adopt the security-capability maturity model to measure progress toward achieving acceptable risk levels.
“That model would allow for flexibility if one agency isn’t as mature in its processes or the people are going through a transition, it would allow for IGs to baseline it on an agency by agency basis, and then measure the progress,” she said. “You could see who is making progress and along what lines.”
The group of experts reached out to OMB and the CIO Council as they developed the white paper.
“We hope … OMB and DHS will use what they feel is aligned with their priorities so they can make some of these changes,” she said.
A request to OMB for comment on the recommendations was not returned.
This story is part of Federal News Radio’s daily Cybersecurity Update. For more cybersecurity news, click here.
Francis Rose is the host of In Depth, which airs weekdays from 8-10 a.m. on 1500 AM in the Washington, D.C. metro area and online everywhere. Francis has covered all three branches of the federal government as a broadcast journalist since 1998. He joined Federal News Radio in 2006, and launched In Depth in 2008 as a daily show focused on connecting federal executives to the information they need to do their jobs better.