Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:
When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.
— Q&A: Federal info security isn't just about FISMA compliance, auditor says. Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan, Computerworld, June 14, 2007
Sounds like agencies haven't implemented numerous simple security measures that were well known before FISMA, they don't have processes in place to implement them, and they don't adequately report what they're doing, even with FISMA requiring reports. What to do?
The report notes how extensive the problem is:
For example, agencies did not consistently identify and authenticate users to prevent unauthorized access, apply encryption to protect sensitive data on networks and portable devices, and restrict physical access to information assets. In addition, agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, such as patching key servers and workstations in a timely manner; assign incompatible duties to different individuals or groups so that one individual does not control all aspects of a process or transaction; and maintain or test continuity of operations plans for key information systems. An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs. Nevertheless, federal agencies have continued to report steady progress in implementing certain information security requirements. However, IGs at several agencies sometimes disagreed with the agency's reported information and identified weaknesses in the processes used to implement these and other security program activities. Further, opportunities exist to enhance reporting under FISMA and the independent evaluations completed by IGs.
SANS interprets this as a call to better measurement. I agree, as one next step. Eventually, U.S. federal agencies will get serious about security, probably after multiple major breaches cost them billions of dollars, and several Senators and Congress members lose elections over those breaches, and then measurement will happen.
After that, maybe they can move on to risk management for things that can't be completely measured. Plus, as we've seen with SOX, checklists and measurements are no good without better processes, such as those recommended by Basel II. Good agency processes could help establish a culture of security consciousness that could be effective.
None of this is to say that FISMA is necessarily bad; it has at least given the GAO a yardstick for saying that agencies aren't secure, much as even SOX can be useful as a filter on which companies attempt Initial Public Offerings.
However, not all processes are good:
Another initiative that the OMB is now requiring agencies to undertake, which I think is a very positive step, is the use of common security configurations [on all agency systems]. It is based on an initiative started by the Air Force in which they worked with Microsoft to ship what they called "secure configurations" on each issue of Microsoft Windows that was shipped to the Air Force. Now they are trying to do that on a governmentwide basis. I think that's a very positive thing.
Gregory Wilshusen is saying monoculture is a good thing. Not surprisingly, I disagree: if every agency runs the same configuration, a single exploitable flaw in that configuration is exploitable on every agency system at once. I predict that government-wide monoculture will be the prime enabler of the big-bucks break-ins that will finally cause security culture change.