Who is accountable for FISMA?
The Federal Information Security Management Act requires that agencies develop and report on the adequacy of their cybersecurity controls each year. But whose job is it to ensure agencies improve their systems when they report weaknesses?
A House subcommittee posed this question Wednesday in the wake of cyber breaches at the Office of Personnel Management that have compromised personal information on more than 18 million federal employees, according to some reports. OPM was one of 19 federal Chief Financial Officers Act agencies last year that failed to meet FISMA standards in some capacity, and the lawmakers want to prevent those recent hacks from becoming “the tip of the iceberg.”
Rep. Dan Lipinski, D-Ill., ranking member of the House Committee on Science, Space and Technology’s Subcommittee on Research and Technology, said “it’s not acceptable for these data breaches to occur at OPM, in the government or in the private sector,” even though they frequently do. He asked the panel of federal IT auditors and cybersecurity experts before him who they thought should enforce FISMA and be held accountable for this type of breach.
Most pointed to the Office of Management and Budget, the agency tasked with administering the policy.
Michael Esser, OPM’s assistant inspector general for audits, said that while his office is tasked with performing the tests of OPM’s systems, “we have no enforcement authority.” Since OMB already collects the governmentwide FISMA reports, he said the office would probably be best suited to hold agencies to improving.
In terms of responsibility, rather than accountability, the Government Accountability Office’s Greg Wilshusen, director of information security issues, said FISMA defines that “it is clearly the responsibility of the head of each agency” to develop cybersecurity tools and processes to reduce the harm that could occur in some sort of IT failure or breach.
Wilshusen said that while some improvements have been made to the federal government’s cybersecurity posture, especially with the 2014 update to FISMA that emphasizes effectiveness testing and continuous monitoring, he would give the federal government a “D” grade for cybersecurity.
“There are a number of actions that agencies need to take that they just haven’t taken,” he said.
In the case of OPM, the subcommittee wished to ask Chief Information Officer Donna Seymour specifically how she thinks her agency can improve its IT security, but she declined an invitation to the hearing, according to Rep. Ralph Abraham, R-La.
Wilshusen listed a number of actions he suggested OPM and other agencies take, such as installing critical patches and fixing system weaknesses. He referenced a U.S. Computer Emergency Readiness Team alert from April to patch the top 30 known cybersecurity vulnerabilities, which could help prevent up to 85 percent of all targeted cyber attacks.
Esser pointed to instituting two-factor authentication. The panel of experts agreed this defense would have mitigated the effects of, if not prevented, the OPM breaches.
“Multifactor authentication would help to prevent or at least raise the bar” for an attack, Wilshusen said.
But there’s no one-off or even permanent solution to cybersecurity, the experts said.
“Nothing is 100 percent secure, but following those [FISMA] guidelines is the most effective way of securing a system,” said Charles Romine, director of the Information Technology Laboratory at the National Institute of Standards and Technology.
“Threats change every day,” Wilshusen said. And while he applauds the awareness that U.S. CIO Tony Scott and OMB’s recent 30-day cybersecurity sprint will bring, he said the federal government must maintain its cyber vigilance outside of daily headlines about hacks.
“After this 30 days, which expires on Sunday, if the agencies and federal government relax … I think that’s a mistake,” he said. “Cybersecurity is not a sprint, it’s a marathon.”