
“How much of FISMA is paperwork vs. actual security?” was the question Senator Tom Coburn, R-Okla., put to a Senate hearing on Wednesday. Karen Evans, Administrator of E-Government and Information Technology at the Office of Management and Budget (OMB), responded: “That depends on how an agency goes about doing its work. FISMA has put together a framework, but if [an agency] does it just for compliance, then it’s purely a paperwork exercise.” OMB has issued the report “Fiscal Year 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002.” Below is a summary from that report of overall progress in meeting selected government-wide IT security goals from fiscal years 2002 to 2007:

Percentage of systems with:       FY 2002  FY 2003  FY 2004  FY 2005  FY 2006  FY 2007
Certification and Accreditation       47%      62%      77%      85%      88%      92%
Tested Contingency Plan               35%      48%      57%      61%      77%      86%
Tested Security Controls              60%      64%      76%      72%      88%      95%
Total Systems Reported (count)      7,957    7,998    8,623   10,289   10,595   10,305

Gregory C. Wilshusen, Director of Information Security Issues at GAO, offered a different interpretation: “Despite the progress reported by agencies, they continue to confront longstanding information security control deficiencies that limit the effectiveness of their efforts in protecting the confidentiality, integrity and availability of their information and information systems.” GAO has released the report “Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies.” A few statistics of particular interest, quoted from that report:

  • Data from the National Vulnerability Database, the U.S. government repository of standards-based vulnerability management data, showed that, as of February 6, 2008, there were about 29,000 security vulnerabilities or software defects that can be directly used by a hacker to gain access to a system or network. On average, close to 17 new vulnerabilities are added each day. Furthermore, the database revealed that more than 13,000 products contained security vulnerabilities.
  • The percentage of certified and accredited systems government wide reportedly increased from 88 percent to 92 percent. Gains were also reported in testing of security controls – from 88 percent of systems to 95 percent of systems – and for contingency plan testing – from 77 percent to 86 percent.
  • In their fiscal year 2007 performance and accountability reports, 20 of 24 major agencies indicated that inadequate information security controls were either a significant deficiency or a material weakness.
  • Our analysis determined that 19 of 24 major federal agencies had not fully implemented agency-wide information security programs.
  • The number of incidents reported by federal agencies to US-CERT has increased dramatically over the past 3 years, increasing from 3,634 incidents reported in fiscal year 2005 to 13,029 incidents in fiscal year 2007 (about a 259 percent increase).

Niels Provos, of Google’s Anti-Malware Team, cited a recent paper by researchers at Google. The paper revealed that more than 1.3% of Google search results now contain at least one malware-serving website, a number that has quadrupled in the past nine months. The paper’s graph plots the rising ratio of search results containing a URL labeled as harmful over that period.

In government, while the percentage of certified and accredited systems is increasing, the number of reported incidents is increasing far faster. OMB found a 60 percent rise in the number of reported incidents from 2006 to 2007. Evans attributed the increase in large part to improved reporting. Tim Bennett, president of the Cyber Security Industry Alliance, disagrees: he believes the increases are real and attributes them to a shift from attacks by lone hackers to those launched by organized crime and state-sponsored organizations.

Adam Dodge took a look at the information security breaches that occurred in 2007 at colleges and universities around the world, as reported in the news, and released his results in the report “The Educational Security Incidents (ESI) Year in Review – 2007.” The report found a 67.5% increase in the number of reported incidents over 2006, in line with what the government agencies experienced.

Chris Walsh provides some interesting insight by comparing the number of reported breaches in the US and Great Britain. In the posting “Reporting on Data Breaches: US and Great Britain,” Walsh shows that both countries have seen a dramatic increase in reported breaches.

The US-CERT annual report for fiscal year 2007 gives the following numbers of incidents reported to the DHS incident response center (its totals differ slightly from the figures GAO cites above):

Incident Categories             FY 2005  FY 2006  FY 2007
Unauthorized Access                 304      706    2,321
Denial of Service                    31       37       36
Malicious Code                    1,806    1,465    1,607
Improper Usage                      370      638    3,305
Scans/Probes/Attempted Access       976    1,388    1,661
Under Investigation                  82      912    4,056
Total Incidents Reported          3,569    5,146   12,986

Alan Paller, director of research at the SANS Institute, explains that the increase in both certified and accredited systems and reported data breaches has occurred because “the government has made progress in writing reports.” Paller goes on to state that the government has made “no progress in improving the security that matters – keeping the wrong people out.” Michael Smith (aka rybolov), a manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, writes in his posting “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive”:

GAO used exactly what was reported to OMB but came up with different conclusions. Some of that is to be expected, it’s the same doers v/s the auditors conflict that’s been going on since the beginning of time, but wow, there is a huge disparity here that we need to account for.

Rybolov goes on to offer one possible explanation for the disparity:

Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we? The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year. You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.

Even if rybolov is correct and there is an element of politics in government operations, the perceived risk has grown large enough that all sides see the wisdom of taking action. As the old expression goes, it is time for the government to put up or shut up. The government has responded by “putting up” in terms of money. Jason Miller of Washington Technology reports in his article “‘09 budget request has IT spending on the rise” that in the White House’s request, agency IT spending would be $70.9 billion, up from a 2008 request of $66.4 billion, which the article puts at a 6.3 percent increase. Congress appropriated $68 billion for 2008, which the article puts at a 3.8 percent change when comparing actual to requested dollars. IT security is a major piece of the proposed spending increases for agencies: information security requests have increased 73 percent since 2004, and in the 2009 request security accounts for 10.3 percent of the overall $71 billion.

How will the money be spent? There are no easy answers. Still, it is good that Senator Tom Coburn, Karen Evans, Gregory C. Wilshusen, and others are debating how the government should do its business, while agreeing the business of security must be done.

One Response to “FISMA: Paperwork Or Actual Security?”

  1. rybolov says:

    Hiyas, thanks for the quotes.

    The law is there, it’s very sound. I have one small adjustment (performance/compliance-based to strategic direction, see some of my other blog posts on FISMA) I think I would like to suggest but I need to think about it some more.

    The framework is there, it’s one of the best, is scalable, and is completely free.

    “Real security or paperwork drill” comes down to one single criterion: what kind of people you have hired and what kind of skills do they have.

    The problem is the people who execute. Not the CISOs; as a whole they are some of the brightest people I’ve ever met. It’s in their staffs: there aren’t enough good people to go around.

    To quote Dan Geer in his April 2007 testimony to the Thompson committee: “Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising.”

    If you were to take away FISMA and replace it with the SANS Framework, you would get exactly the same results because it would be exactly the same people doing it.

    Until we as an industry can figure out how to suddenly make thousands of people become “clueful” overnight, we will continue to make steady plodding progress forward but continue to spend heavily and not progress as rapidly as we should.

    This is the challenge we deal with in Government: how do we do all of the following:
    -Provide cost-effective security
    -Assure compliance with all applicable laws and national-level policies
    -Deal with the IT and security industries as a downstream consumer when they aren’t meeting our needs
    -Deal with the shortage of good IT security staff
    -Manage the Legislative branch who do not understand the problem at hand
    -Work within a budget cycle that takes 2 years before funds are available for large capital expenses

    When you figure out an answer, let me know. =)
