Black Hat USA 2021 Network Operations Center
August 12, 2021
Spotted: Boston Dynamics robot at the Autodesk Technology Centers
August 16, 2021

Grandson of FISMA: Why We Desperately Need New Cybsersecurity Legislation from the 117th Congress

On August 3, 2021, the Senate Homeland Security and Governmental Affairs (HSGAC) released a report entitled “Federal Cybersecurity: America’s Data Still at Risk.”

(See: https://www.hsgac.senate.gov/imo/media/doc/Federal%20Cybersecurity%20-%20America’s%20Data%20Still%20at%20Risk%20(FINAL).pdf)

The 47-page report provided significant detail to support the conclusion that “According to agency inspectors general, the average grade of the agencies’ overall information security maturity is C-.”

After nearly two decades of federal cybersecurity and risk management as practiced under the rubric of the Federal Information Security Management Act (FISMA) of 2002 and the Federal Information Security Modernization Act (also FISMA) of 2014, billions of dollars in appropriated federal cybersecurity funding have not appreciably improved the overall situation. Reports are circulating that the HSGAC is now considering a reform of the FISMA legislation, and that is simultaneously a welcome development and a cause for concern. If the new legislation repeats the flaws of the previous versions, then it would be a cause for concern. However, if the new legislation finally gets it right on the third try, then the “Grandson of FISMA” will be a welcomed contribution to the cybersecurity and risk management posture of the federal enterprise.

The two previous versions of FISMA did not adequately handle the complex and extremely important concept of cybersecurity governance, and if current discussions are any sign of the future of that concept in the reform legislation, cybersecurity governance is likely to be ambiguous once again. A big part of the problem has been the use of the word “ensure.”  FISMA used the word “ensure” instead of the word “enforce” in the context that the Chief Information Officer (CIO) shall “ensure compliance with the act.”  That simple word choice guaranteed that the CIO, and the subordinate “senior agency information security officer,” have no significant authority.  As an example, a memorandum on April 7, 2004, from the General Counsel of the Department of Veterans Affairs found that the conscious use of the word “ensure” instead of the word “enforce” guaranteed that the CIO and Chief Information Security Officer (CISO) had no authority to enforce cybersecurity policies or hold people accountable for violating their cybersecurity and risk management obligations. One seemingly innocent word can have an incredibly important impact on the effectiveness of legislation.

Further to the topic of governance, FISMA decided to subordinate the CISO to the CIO, which is an organizational design no longer in favor among enterprises throughout the Fortune 500 and Global 2000. In fact, the FISMA legislation doesn’t even use the title “Chief Information Security Officer” to identify the role; instead, it uses the less defined and ambiguous “senior agency information security officer,” and further describes the role as merely being responsible for carrying out the CIO’s responsibilities under the act. By so doing, FISMA fails to appreciate that the role of the CIO is to deliver “power, ping, and pipe” to the enterprise, while the role of the CISO is the fundamentally different continuum of “identify, protect, defend, respond, and recover.” The two roles don’t overlap cleanly and must be separate in order to govern cybersecurity effectively.

Informal conversations with staffers on Capitol Hill confirm that their concept of the CISO is merely that of information technology security, which is not consistent with the prevailing trend across commercial industry to separate the CISO from the CIO and assign to the CISO role the security and risk management of the organization’s business processes, mission, and culture. The modern CISO is more than “IT security.” A staff draft of the new cybersecurity legislation is apparently circulating in the Senate, and that means it may be possible for the 117th Congress to get something passed.  The question is whether or not it will be an improvement over previous versions of FISMA. If it doesn’t, then the opportunity to provide real cybersecurity reform will be missed, and more of the same two decades of inadequate progress as highlighted in the recent HSGAC report card will be coming.

What the new legislation must contain, without ambiguity, is at least the following:

  • An acknowledgement that the previous foundation of FISMA as a system-by-system, site-by-site approach to information security is outdated and should be replaced by an approach that focuses on hardening the workforce and managing the attack surface. The Risk Management Framework doesn’t take into account that the human is the new perimeter of the enterprise.
  • An understanding that cloud migration, cloud security, and digital transformation are prevailing cybersecurity and risk management trends in federal (and commercial) cybersecurity and risk management.
  • An elevation of risk management to the agency leadership level. NIST SP 800-39, “Managing Information Security Risk,” requires the agency leadership to define risk tolerance and risk acceptance, after which the CIO and the CISO are expected to implement their programs according to leadership direction. FISMA language is ambiguous at best on this subject.
  • A clear set of authorities and governance for the CISO, to include authority commensurate with accountability, and the ability for any agency to create a different chain of command for the CISO apart from the CIO. Coupled with this must be replacing the word “ensure” with the “enforce” as in the “Chief Information Security Officer shall enforce compliance with the act.”
  • A requirement that the Office of Personnel Management (OPM) recognize that the cybersecurity career field requires specialized knowledge, skills, and abilities, and therefore create a new cybersecurity job series, rather than placing cybersecurity specialists under the existing GS-2210 job series (Information Technology Management Series).

Companies such as Cisco are partnered with federal departments and agencies on their journey to a better overall cybersecurity and risk management posture, and an improved legislative environment would greatly assist in this journey. In the end, federal information security is all about protecting our nation’s systems and networks from those who wish to do them harm.  New and improved legislation will go much farther than the previous FISMA versions in achieving this noble goal. Thankfully, the 117th Congress has the opportunity to enact it.  This time, let’s get it right.

Bruce Brody is one of the few individuals to have been a chief information security officer at two cabinet departments – Department of Veterans Affairs and Department of Energy. He has also serviced as the CISO of Leonardo DRS and Cubic Global Defense. He is currently a Senior CISO Advisor at Cisco Systems. (The CISO at Cisco Systems does not report to the CIO.)


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn