Why Isn’t It Working?
While there might be problems with the system as it exists today, I believe that FISMA and the related regulations and guidance are all on the right track. Since their inception, government agencies have been forced to take a stronger focus on security. There doesn’t appear to be a single point of failure; instead there are several problems that combine to weaken the overall system.
One of the bigger problems seems to be a lack of budgetary support to meet the requirements. Obviously, the scope of work involved requires full-time security staffing. Most organizations didn’t have such positions in the past, so getting the necessary budget increases for new positions is an ongoing battle. Security resources must have their own budget line item!
Next on the list has to be the difficulty of finding persons with the necessary skills. General knowledge and experience with security are insufficient in this case, although they’re an excellent foundation on which to build. The specific requirements of FISMA, C&A, and all the related regulations and guidance are so complex that familiarity with them is critical to implementing and managing an effective security program. The increased awareness at government agencies has created a surge in demand for these skilled professionals, leaving an insufficient workforce to meet it.
Another large problem seems to be the metrics used in evaluating the effectiveness of security programs. Checking off the box if there’s an existing security plan does not identify whether the plan is effective, whether it has been implemented properly, or whether the controls have been tested and found to be operating as expected. The current trend seems to be changing the focus each year to another aspect of security controls. One year it’s vulnerability scans, ensuring that all high/critical vulnerabilities have been remediated. This year it’s likely to be a strong focus on the security of mobile data and Personally Identifiable Information (PII). There’s been a large amount of publicity in recent months related to loss of laptops containing sensitive information. This led to the publication of OMB memo M-06-16. The intent of this memo is admirable, but the proposed timeline for implementation is simply unrealistic.
Simply put, the problem seems to be a lack of funding and resources necessary to do the job properly, and there’s no easy solution for this. Vulnerabilities will continue to be discovered and exploited. Information will continue to be compromised. And with each new high-profile incident, new requirements and directives will be handed down to "solve the problem." As long as this trend continues without a corresponding increase in funding, the problem will continue.