Do You Know What FISMA Is?

Posted June 11th, 2007 by

This is all over the blogosphere by now. SecureInfo conducted a survey that said 65% of government workers did not know what FISMA is.

I even started to comment on this in various places, but posts about this survey pop up faster than I can dispel them. All I can say is that SecureInfo needs to pay their publicist a huge bonus for the mileage they got out of the press release.

When it comes to the topic of government workers knowing about FISMA, I’ve already said my piece: unless you’re working in security, senior management, or IT, you don’t need to know what FISMA is. And then there’s SecureInfo which sells among other things… wait for it… security awareness and training solutions.

However, I also have a corollary for you: most of the security practitioners inside the government do not know what FISMA really is. We have books and websites that use such phrases as “FISMA compliance” and “FISMA C&A”. It’s one of “those things that make you say ‘huh?'”

Once again, for the record:

  • FISMA is a law. The core components are in this slide (ack for the .ppt, sorry if it offends you. =) ) This isn’t my original work, it’s part of a deck that my friends and I use when we teach for Potomac Forum. Also it doesn’t mention the tasks to specific agencies like NIST. Whatever you do, don’t use this slide in a presentation you are going to give to me later, I’ll walk out of the meeting. =)
  • FISMA compliance is easy. It’s very easy to meet the core requirements of FISMA. The question is more one of quality.
  • Contractors cannot be FISMA-compliant no matter how hard they try. They do not report to OMB or GAO, and they do not have an IG. They do, however, support government agencies that do.
  • The primary goal of FISMA is to tie security into the mission budget and to make the “business owners” (mission owners?) responsible for security instead of the CISO.
  • In discussing the details of FISMA, it is very easy to confuse the implementation details/guidance with the actual law.

Makes you want to go read the law, doesn’t it? Here’s the text on the NIST CSRC website.

When you look around at the FISMA critics and compare what they say to the law itself, you come to some interesting conclusions:

  • The overwhelming majority of contractors selling solutions around FISMA do not understand what FISMA really is.
  • We are teaching each other the wrong way to approach security by thinking that FISMA compliance means “write a bunch of documents”, “make a scorecard”, or even “do C&A”.
  • Some people have a conflict of interest with understanding FISMA because they are selling their own “competing” methodology. (one NPO in particular, rhymes with “CANS”)
  • There are many charlatans getting rich off everyone else’s ignorance selling both software and services. It is in their best interest to keep you ignorant of what the law is because it helps them sow the seeds of Fear, Uncertainty, and Doubt. I think the only thing saving humanity is the fact that CISOs are skeptical by nature. =)
  • Poor little FISMA has been abused by everybody, even those who think they are doing the right thing and quoting the magic phrase of “won’t somebody think of the taxpayers?”

Where do we go from here? Just like I’ve said a bazillion times, the DC security community needs more heretic prophets to show them the way out of the wilderness through a campaign of public awareness and education.

Posted in FISMA, NIST, Rants | 10 Comments »

10 Responses

  1.  Ricardo Says:

    Incredible, I just moved to the public sector after 6 years in SOX compliance and this article is really helping me learn about FISMA.

  2.  rybolov Says:

    Hi Ricardo

    The key to remember is that FISMA is a holistic IT security governance model, not an internal controls model. It’s more along the lines of BS7799.

    The government comparison to SOX Section 404 is OMB Circular A-123: it’s all about internal controls.

  3.  The Guerilla CISO » Blog Archive » The End is Near–FISMA to cost $29B! Says:

    […] all different sides of the same coin: does anybody really know what FISMA means? Bookmark […]

  4.  Mike Nelson Says:

    > “Contractors cannot be FISMA-compliant no
    > matter how hard they try. They do not report to
    > OMB, GAO, or have an IG. They do, however,
    > support government agencies that do.”

    With the caveat that no organization, firm, agency, person, product, etc. can be FISMA compliant (we certify and accredit SYSTEMS), I disagree with this statement.

    NIST wrote the framework required to comply with FISMA to be used by government and private sector entities. I’m working with some private sector firms now who have systematic interactions with various federal systems and their federal system counterparts have made it clear that they expect to see evidence of FISMA compliance (an ATO signed by an AO… a senior organizational official, with all the supporting SP800-53A documentation behind it).

  5.  rybolov Says:

    Hi Mike

    It’s an agency task, but the contractors sometimes have more of a role than the government because they design, build, and maintain the system. However, the chain of responsibility isn’t there.

    If I’m the DAA for a particular system that is government-owned, contractor-operated (i.e., outsourced) and give it an ATO, do you really feel that it’s ethical for the contractor to bill themselves now as being “FISMA-compliant”? Any vendor who bills themselves as such starts off on the wrong foot and does themselves and the government a disservice.

    At best, what you’ve done is account for the common controls that apply to all systems that the contractor is responsible for. Yes, you want to share the results because that’s how you save time, effort, and money, but you need to understand that maybe the ATO system is low-criticality and doesn’t suffice for a classified system.

  6.  Vlad the Impaler Says:

    Just to echo and expand some on rybolov’s comments, the term “FISMA compliance” cannot be directed at a single system… It’s much, much more than that.

    FISMA lays out (at a very high level) the holistic processes, checks and balances that should be present in any healthy security program. It’s not magic, it doesn’t require a special alphabetic certacronym — it’s (looking around for anyone watching) best practices. It’s stuff we all know TO do, but maybe our companies/agencies/organizations don’t have the time, money, personnel or visionaries in IT to do them well. We all do the best we can.

    Personally, “compliance” is a bogus goal… I’d love for it to be removed from our security lexicon. Why? One can only measure compliance as a snapshot. Therefore the picture developed from the snapshot is only valid at a single point in time, like when the IG shows up, and says nothing about what happens in the 364 or so days until their next visit. (Like that one visit says anything about all the root passwords being changed back to a group password shared between router admins when the auditor leaves…)

    FISMA “compliance,” therefore, talks to a continuum of processes that fall into the category of “best practices” that existed before and since the law was written. At the foundation lie education and awareness.

    I would even go so far to say that any “compliance” framework, be it FISMA, SARB-Ox, BS7799, GLB, CoBiT, or ISO blip-dee-dipp is only a codification of best practices. Further, any organization that follows best practices could, on any given day, be found “compliant” with the Framework De Jour.

    So… the best question to ask yourself is… Does your organization follow/conform to/practice Best Practices in IT Security? Do you live it every day, and not just when the auditors with their crisp checklists show up?

    Use one of the frameworks to gauge your performance, but you’ll never be “compliant!”

    You’re probably saying, “Vlad, that’s a circular argument!” or, “But I’m still being measured against FISMA!!!”


    You have to socialize the “right way of doing business” (i.e., best practices) with everyone who has a security or administrative function (and those pesky users). That sounds like education… but it requires a healthy expenditure of shoe leather (or rubber if you wear sneaks.) Visit, attend meetings, prod your management, write policy, and measure the effectiveness of your policies.

  7.  Benjamin Wright Says:

    A key tool for following FISMA would be an audit and accountability policy. It addresses such issues as responsibilities, management commitment and so on. –Ben

  8.  FISMA Report Card News, Formulas, and 3 Myths | The Guerilla CISO Says:

    […] FISMA is a report card: It’s a law, the grades are just an awareness campaign. In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all. Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing. It just goes back to the adage that nobody really knows what FISMA is. […]

  9.  No, FISMA Doesn’t Require That, Silly Product Pushers | The Guerilla CISO Says:

    […] especially if you’re a government employee. Thanks for visiting and happy hacking! Post #9678291 on why people don’t understand what FISMA really is: Secure64 DNSSEC Press […]

  10.  On Why I Blog… FUD is the Reason for the Writin’ | The Guerilla CISO Says:

    […] again, we’re confusing FISMA the law with the implementation thereof.  […]
