The Future of FISMA and Security Standardization in the U.S.

As 2018 draws to a close, it’s a good time to reflect on cybersecurity compliance. This year has seen a rise in mobile threats, ransomware, data breaches, and increased focus on the energy sector, which has been the target of foreign attacks. Thankfully it’s not all bad news: as the pressing need to protect the nation’s infrastructure and consumer interests becomes increasingly self-evident, this year has also seen the bipartisan formation of a Cybersecurity and Infrastructure Security Agency (CISA).

Slowly but surely, the federal government is taking a strong stand in the war against cyber threats. But there are still more battles left to win: statistics indicate that only 42% of local and state governments have any cybersecurity framework based on national standards. This means that vast swaths of public services and programs across the country may be susceptible to compromise, since they remain answerable to no regulatory standard at all.

If they chose to, state and municipal governments could learn a lot from the mistakes made and the successes achieved by the federal government over the past two decades. Let’s review some of that history.

The Federal Information Security Management Act (FISMA)

FISMA is generally viewed as the first attempt to strongly regulate Information Technology throughout federal agencies and their partners. Originally passed in 2002 and later updated in 2014, FISMA named two agencies to assist in developing standards and enforcing them.

Under FISMA, the National Institute of Standards and Technology (NIST) is responsible for publishing standards, guidelines and methods, while the Office of Management and Budget (OMB) is responsible for conducting annual reviews.

While NIST has gone on to develop several new guidelines over the years, NIST Special Publication (SP) 800-53 remains the core of Federal cybersecurity standards. More recently, it was used as a basis for the Federal Risk and Authorization Management Program (FedRAMP): sometimes called “FISMA for The Cloud.”

NIST SP 800-53 defines risk-management security controls that apply to any information system: computers, networked devices, storage, etc. It is regularly updated by NIST to reflect new challenges and technologies, and currently stands at Revision 5.

Challenges in Implementation

Possibly because FISMA was blazing new trails, it was also off to a rough start. Rapid advancements in computers, operating systems, and consumer technologies quickly rendered obsolete many of the controls that NIST had advised in 2002. By 2010, 27% of the U.S. already owned a smartphone. At the same time, federal agencies were sorely lagging on compliance.

Besides the mere fact that FISMA was having little practical impact, some believed it was even counter-productive: the legislation created a “culture of compliance” more focused on checking boxes than producing actual results. Prior to FedRAMP’s introduction in 2011, one commentator even opined: “why keep FISMA if it is not working? There is a growing consensus that the law should be fixed and possibly jettisoned completely”.

There was plenty of talk about issuing a new, “performance-based model,” establishing a cybersecurity office and cutting down on meaningless and time-consuming procedures to prioritize the success of individual agencies with unique needs.

It would be three more years until FISMA was re-issued to improve incident response. It would be almost a decade until the government got a cybersecurity agency. But here we are: FISMA hasn’t gone anywhere, remaining the cornerstone of federal information security standards.

So how and why did things turn out so well?

Why FISMA (Still) Works

Compliance isn’t “fun.” It isn’t supposed to be. It’s supposed to hold an organization’s feet to the fire of professional scrutiny, ensuring that no shortcuts lead to incalculable loss or damage. But foot-dragging in the early 2010s may have been just that: foot-dragging. After all, the consequences of receiving a low FISMA score include:

  • Strongly negative press
  • Reduced funding
  • Congressional censure

The first thing FISMA did right wasn’t to fix problems: it was to expose them. And simply by raising awareness within and outside the government, FISMA has probably contributed much to the current zeal for better national security.

Besides this, the implementation provided by NIST and OMB has four key advantages:

  1. Cross-organizational consistency, with levels recognizing the relative importance of different systems (not all organizations require the same level of security).
  2. An actionable framework for both preventing security risks and responding to them.
  3. Consistently up-to-date information that remains valid for new threats.
  4. Continuous monitoring and assessment of systems certified under FISMA, which ensures that organizations and agencies do not become complacent; furthermore, changes can be made incrementally rather than all at once.

At a minimum, compliance standards enable the entire industry to excel in well-defined domains, reducing labor shortages and increasing quality control wherever those standards are in effect.

It’s Not Just for The Feds

Earlier, we noted the lack of cybersecurity standards across municipal and state governments. In truth, there is no reason for this gap: FISMA standards do not mandate the compliance of non-federal governments (except when providing federal services), but they can be adopted voluntarily.

Shawn Wells has argued that state CIOs should look to FISMA and other Federal guidelines while they work to digitally transform themselves:

“federal agencies have already developed several reliable cybersecurity templates that states can adopt for their own needs, saving them time, money and bolstering their security profiles… FISMA offers a single model, process and set of security controls that can ease the burden of security management regardless of whether an agency is at the federal, state, or local level”

And that seems like a very good idea. Not only has FISMA worked well for the U.S. government, but it’s also working well in the private sector, where the standards first became important for contractors providing public services.

Whatever happens, one thing is for sure: as time goes on, inventing one’s own standards, or complying with none at all, will become less and less feasible. With the aid of compliance professionals, organizations aren’t just safer – they are spared from reinventing the wheel.

MathCraft Security Technologies offers a robust product line of NISPOM-compliant security applications for cleared contracts and enterprises. Our solutions are carefully engineered to improve security processes, giving Facility Security Officers (FSOs) and employees the comprehensive tools that they need to manage data, monitor visitors, and automate workflows. For ultimate convenience, they are also available on-premises or via the cloud.