
Today, a compromise has been reached allowing FISMA reform to move forward in the Senate. The Senate Committee on Homeland Security and Governmental Affairs issued the press release, “Lieberman, Collins, Carper Unveil Major Cybersecurity Bill to Modernize, Strengthen, and Coordinate Cyber Defenses.” Key elements of the Protecting Cyberspace as a National Asset Act of 2010 include:

  1. Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic. The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.
  2. Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cybersecurity capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks. The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.
  3. Updating the Federal Information Security Management Act (FISMA) to modernize federal agencies’ practices for protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from after-the-fact paperwork compliance to real-time monitoring of critical systems.
  4. Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cybersecurity for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
  5. Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
  6. Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
  7. Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
  8. Requiring the Office of Personnel Management to reform the way cybersecurity personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cybersecurity effort and protect its own networks.

The Committee will hold a hearing on the legislation June 15, 2010.

Background

There has been a great deal of activity since I posted “FISMA: Paperwork Or Actual Security?” The House passed the 2011 Defense Authorization spending bill, which includes measures to upgrade the Federal Information Security Management Act (FISMA), on a 229 to 186 roll call vote. The authorization bill now faces reconciliation with the Senate version. The Senate version has yet to be considered on the Senate floor but did pass through the Senate Armed Services Committee. The House action put pressure on the Senate to act.

Action came from the US Senate Committee on Homeland Security and Governmental Affairs, whose chairman is Senator Joe Lieberman (ID-Conn.), an original cosponsor of the bill. Lieberman had been talking about a comprehensive cybersecurity reform bill that would incorporate much of the language in the United States Information and Communications Act (S. 921) with the FISMA reform legislation introduced in April 2009 by Senator Thomas R. Carper (D-Del.). Many provisions of Carper’s bill mirror provisions included in the House bill. Carper was pressing to:

  1. standardize Inspector Generals’ information security audits;
  2. create a Chief Information Security Officer Council to establish information security best practices and guidelines, while strengthening the role of Chief Information Security Officers;
  3. allow the Department of Homeland Security to conduct “red team” penetration tests against civilian agencies;
  4. allow Congress to measure the effectiveness of agencies’ information security plans and procedures.

Lieberman wanted Senator Susan Collins (R-Maine), the ranking Republican on the Homeland Security panel, named on the bill. The problem was that Collins is on record opposing the top cybersecurity official in government being housed in the White House, believing the official should be quartered in the Department of Homeland Security. It looks like Lieberman and Collins were able to come to an agreement and move forward on the bill.

Thoughts

If you are interested in learning more and keeping up with FISMA, you will find Dan Philpott’s (Twitter: danphilpott) site FISMApedia interesting. It describes itself as “a collection of documents and discussions focused on Federal IT security. This site is a database of current guidance, laws and directives on how the Federal government secures its IT assets.” Philpott also posts to the Guerilla CISO.

Federal CIO Vivek Kundra, writing on the Chief Information Officers Council Blog concerning the new FISMA, states, “In the past, Federal agencies spent enormous time and money creating the old paper-based reports. The State Department alone, in the past six years, spent $133 million amassing 95,000 pages of security documentation for about 150 major IT systems. This works out to roughly $1,400 per page in reports that were often outdated days within being published.” Kundra goes on to state, “As we move away from the old-style reports and into a more real-time system of security data feeds, we are implementing solutions that actually help to protect the country rather than simply generate paperwork.”

For intelligent comments on FISMA, let us turn to a few folks who eat, sleep, and breathe FISMA. Michael Smith, aka rybolov, is the creator of the Guerilla CISO blog. Concerning the $1,400 per page cost, Smith in his post “A Funny Thing Happened Last Week on Capital Hill,” writes “If you buy into the State Department’s cost of $1400 per sheet, you’re absolutely daft.” Smith goes on to point out, “The cost of a security program divided by the total number of sheets of paper is probably right. In fact, if you do the security bits right, your cost per sheet will go up considerably because you’re doing much more security work while the volume of paperwork is reduced.”

Concerning allocating money towards red teams, Smith makes the point, “Do we really need penetration testing to prove that we have problems? In Mike Smith’s world, we’re just not there yet, and proving that we’re not there is just an excuse to throw the InfoSec practitioners under the bus when they’re not the people who created the situation in the first place.” Nicely put.

Smith’s recommendations to fix FISMA:

  1. You have to start with workforce management. This has been addressed numerous times and has a couple of different manifestations: DoDI 8570.10, contract clauses for levels of experience, role-based training, etc. Until you have an adequate supply of clueful people to match the demand, you will continue to get subpar performance.
  2. More testing will not help, it’s about execution. In the current culture, we believe that the more testing we do, the more likely the people being tested will be able to execute. This is highly wrong and I’ve commented on it before. I think that if it was really a fact of people being lazy or fraudulent then we would have fixed it by now. My theory is that the problem is that we have too many wonks who know the law but not the tech and not enough techs that know the law. In order to do the job, you need both. This is also where I deviate from the SANS/20 Critical Security Controls approach and the IGs that love it.
  3. Fix Plans of Actions and Milestones. These are supposed to be long-term/strategic problems, not the short-term/tactical application of patches–the tactical stuff should be automated. The reasoning is that you use these plans for budget requests for the following years.
  4. Fix the budget train. Right now the people with the budget (programs) are not the people running the IT and the security of it (CIO/CISO). I don’t know if the answer here is a larger dedicated budget for CISO’s staff or a larger “CISO Tax” on all program budgets. I could really policy-geek out on you here, just take my word for it that the people with the money are not the people protecting information and until you account for that, you will always have a problem.

More recently, Smith posted “How to Not Let FISMA Become a Paperwork Exercise” where he addresses and comments on the key criticisms of FISMA:

  • Reduce paperwork requirements. Yes, some is needed. Most is not.
  • Reduce cost. There is much repetition in what we’re doing now, it borders on fraud, waste, and abuse.
  • Increase technical effectiveness. I.e., get away from the procedural and managerial tasks and get down into the technical parts of security.

Smith offers advice on “how do you keep from letting FISMA cripple you or turn into death-by-compliance.” Go to the post and read his advice.

On the same site, Joe Faraone, aka Vlad, gives his take in the post “Machines Don’t Cause Risk, People Do!” He disagrees with Alan Paller, director of research for SANS, when he writes, “At the risk of bashing Alan Paller yet again, I am often turned off by the approach of ‘being able to know the status of every machine at every minute,’ – as if machines by themselves cause bad security… It’s way too tactical (incorrect IMHO) and too easy to make that claim.” Faraone goes on to make the point, “Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view. Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration.”

Paller has been very vocal in his opinion against FISMA. He is frequently quoted (e.g., “Sans founder slams ‘terribly damaging’ US cybersecurity law”). Paller has told the House Committee on Oversight and Government Reform’s Subcommittee on Government Management, Organization and Procurement that FISMA, as it has been implemented and enforced until now, has been more detrimental than helpful to government IT security.

FISMA was needed to get government moving in a security-focused direction. Philpott, in his post “The 10 CAG-egorically Wrong Ways to Introduce Standards,” makes the point, “Speaking as someone who scrambled to secure Federal systems before FISMA and NIST’s extensive guidance, having that documentation greatly improves my ability to efficiently and effectively secure systems.”

Statements painting FISMA as worthless, or detrimental, might grab headlines but are not really helpful. Nor are statements by Paller like, “US House of Representatives attaches new FISMA rewrite to Defense Authorization Bill. The press hasn’t picked it up yet, but NextGov.Com will have a story in a few minutes. This puts one more nail in the coffin of the Federal CISOs and security contractors who think they can go on ignoring OMB and go on wasting money on out of date report writing contracts.” Faraone calls Paller on this statement in the post “When the News Breaks, We Fix It.”

Richard Bejtlich, in his post “Thoughts on New OMB FISMA Memo,” adds his opinion on FISMA reform when he writes, “Long-time blog readers should know I’ve been writing about FISMA for five years, calling it a ‘joke,’ a ‘jobs program for so-called security companies without the technical skills to operationally defend systems,’ and other kind words. Any departure from the previous implementation is a welcome change.”

OMB issued “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management” (M-10-15) on April 21, 2010. It identifies a three-tiered reporting approach that includes:

  1. Data feeds directly from security management tools
  2. Government-wide benchmarking on security posture
  3. Agency-specific interviews

Bejtlich analyzes what is really changing for FISMA implementation and concludes, “It’s probably going to take a .gov-savvy lawyer to really explain what these points mean, but private enterprise working with government data should probably take a close look at these new FISMA developments.”

Other Important Legislation

With more than 35 cybersecurity-related measures before Congress right now, take some time to review the presentation “Cybersecurity: The U.S. Legislative Agenda” by Melissa E. Hathaway, former acting senior director for cyberspace for the Obama administration, who now runs Hathaway Global Strategies and has advisory roles at several IT companies. You might remember Hathaway from her work on the “Cyberspace Policy Review,” which was the result of a 60-day, comprehensive, “clean-slate” review directed by the President to assess U.S. policies and structures for cybersecurity. To quote Hathaway concerning the nine key pieces of legislation to watch:

  • Data Breach Legislation (S. 139): It will normalize the 46 State Data breach laws into one national umbrella. It may be expanded to include more than Personal Identifiable Information (PII). One issue with this bill is that it would consolidate all reporting to the US Secret Service, which is not helpful for broader information sharing with industry or across government.
  • Data Accountability and Trust Act (H.R. 2221): It was voted out of the House of Representatives in early December 2009. It requires the ISPs to make victims aware of infection if seeing breach across network. I believe the Comcast Denver, CO pilot program could be anticipatory market movement associated with this bill (to better understand costs). It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone. As you may know, Germany just passed a law requiring their ISPs to inform their citizens/consumers if they have been infected.
  • International Cybercrime Reporting and Cooperation Act (S. 1438 and H.R. 4692): This bill was introduced by Sen. Gillibrand, and co-sponsored by Sen. Hatch, which will give it strength in the Judiciary Committee. The bill requires the President to produce an annual report to Congress providing an assessment of every country’s level of ICT utilization and development; it assesses how each country’s legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated 5 years of “bad behavior”. This bill and any hearing around it will certainly draw attention to the recent Google/PRC debacle. It has a sister bill in the House of Representatives, H.R. 4692, which mirrors the areas of focus. Note: Sen. Kerry and Sen. Gillibrand have also introduced S. 3193 (International Cyberspace and Cybersecurity Coordination Act of 2010) to authorize the creation of a senior coordinator at the State Department, with the rank and status of Ambassador at Large.
  • Cybersecurity Enhancement Act (H.R. 4061): It passed the House of Representatives in February (2/2/10). In addition to providing additional responsibility to NIST, it creates an office for a national coordinator for the networking and information technology research and development program to improve cybersecurity research and development and coordination between the federal government, academia and private sector. The NITRD office (within the Office of Science and Technology Policy) already coordinates all of the Cyber R&D, which for this year is well over $4B. While this is a non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it’s not clear how the new office will interact with the current OSTP responsibilities.
  • FISMA II (S. 921): It updates FISMA I from compliance driven (check-list) to measures that are performance based. The State Department’s Risk Scoring tool, which measures its systems on a continuous basis against known vulnerabilities and offers meaningful feedback in the form of actionable remediation techniques to the operators and high level feedback to senior managers to ensure accountability, is one example that could serve as a model for the rest of government. It also affords the department and agency chief information security officer the focus and attention it needs and deserves. Finally, it is possible that FISMA II will address procurement reform.
  • Intelligence Authorization Act (H.R. 2071): It strengthens and enhances America’s intelligence capabilities, and improves congressional oversight of our intelligence agencies. It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts, and more effectively prevent the spread of weapons of mass destruction. Contains multiple Congressionally Directed Actions for CNCI.
  • Cybersecurity Act of 2009 (S. 773): The bill combines audits, industry-developed and government-backed standards, increased information-sharing, and other mechanisms to bolster private sector cybersecurity. It establishes a Cybersecurity Advisory Panel (Presidential Level) and a National Clearinghouse for information sharing. Additionally, it extends the Scholarship for Service program (increases to 1000 scholarships) and increases the National Science Foundation’s budget for R&D.
  • The Grid Reliability and Infrastructure Defense Act (H.R. 5026): The bill amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to mandate measures to protect against system “vulnerabilities” if it finds that the North American Electric Reliability Corp. (“NERC”) standards are insufficient. If passed, the legislation will provide a security framework for the Smart Grid.
  • Energy and Water Appropriations Act 2010 (Law): It appropriates additional funds for Cybersecurity: $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.

Final Thoughts

The Committee will hold a hearing on the legislation next week, starting on June 15, 2010. Watch for analysis from the folks listed above. I am sure they will have interesting analysis as more details are released. This is going to be interesting.
