The Government Accountability Office will recommend that federal agencies take a more qualitative and risk-based approach to evaluating their information security.
In a report to be released later this year, auditors will advocate changes in the Office of Management and Budget’s policy guidelines for complying with the Federal Information Security Management Act·(FISMA). Greg Wilshusen, GAO’s director for information security issues, said GAO is closely reviewing the performance measures that OMB uses to ensure that agencies are implementing proper security controls.
The review comes as lawmakers and others are criticizing FISMA for failing to improve the security of government computer systems. Meanwhile, experts differ on whether a risk-based approach would improve the situation.
The system of letter grades that Congress assigns to rate FISMA compliance “appears to have no connection to the security of the agencies,” said Rep. Zoe Lofgren (D-Calif.). Lofgren was one of several lawmakers who questioned FISMA’s effectiveness during a recent hearing about attacks on State and Commerce department computer systems last year. The House Homeland Security Committee’s Emerging Threats, Cybersecurity and Science and Technology Subcommittee sponsored the session.
One security expert said federal agencies might be better off spending less time documenting security and more time monitoring it. “Federal IT security practices have been aimed at rewarding those who sufficiently document IT security management,” said Alan Paller, director of research at the SANS Institute.
The government’s security policies should reward agencies that demonstrate their defenses are solid or that their responses to attacks are effective, Paller said. “While the government has many reports and policies,” he added, “it doesn’t necessarily have good IT security.”
OMB’s performance measures are primarily quantitative rather than qualitative, Wilshusen said. “While agencies are reporting increased implementation of control activities, which is a good thing, it doesn’t reflect how effectively they are implementing them,” he added.
GAO will be looking at the effectiveness of those measures and whether they should be revised, Wilshusen said. He would not say what new performance measures GAO is contemplating. However, he hinted that the recommendations would draw from work the investigative agency completed two years ago. A 2005 GAO report emphasized the advantages of a risk-based approach to government information security.
Such an approach could be useful in improving agency information security, said Mark Day, chief technology officer at McDonald Bradley and former CTO at the Environmental Protection Agency. “It goes back to a cost/benefit analysis,” he said. “You can spend less on controls on systems that contain information of lesser value.”
But Paller warned that poorly implemented risk-based controls could be catastrophic. “Often, when people who have never secured systems employ the term ‘risk’ in planning and testing security, they end up misallocating resources and opening major holes into federal systems,” he said. Leaving low-risk systems vulnerable allows hackers to penetrate higher-risk systems because all the computers are networked, he added.
Buxbaum is a freelance writer based in Bethesda, Md.
