FISMA Report Card News, Formulas, and 3 Myths

Posted May 27th, 2008 by

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

  • History of the marathon and Pheidippides
  • Discussion of the race length and how it was changed so that the Queen could watch the finish
  • World records and what our chances are for making one today
  • Graphics of the race course showing the key hills and the “sprint to the finish”
  • Talk about the women’s marathon including Joan Benoit and Kathrine Switzer
  • Description of energy depletion and “The Wall”
  • Stats as the leaders hit the finish line
  • Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

  • Paragraph about how agencies are failing to secure their data, the report card says so
  • History and trending of the report card
  • Discussion on changing FISMA
  • Quote from Karen Evans
  • Quote from Alan Paller about how FISMA is a failure and checklist-driven security
  • Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispel right now:

  1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
  2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
  3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

[Image: Urban Myth: Cellular Phones Cause Gas Fires. Urban Cell-Phone Fire Myth photo by richardmasoner. This myth is dispelled at]

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occasionally I come to conclusions.  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Posted in FISMA, NIST, What Doesn't Work, What Works | 9 Comments »

9 Responses

  1.  Dan Philpott Says:

    I sometimes think that most reporting on the FISMA report cards comes from Lake Woe-Be-Gone, where all the security is strong, all the consultants can do it better, and all the Agencies are above average (with profound apologies to A Prairie Home Companion.)

  2.  LonerVamp Says:

    Just like FISMA can provide soundbyte awareness to high-up mucky-mucks, it is chum to journalists who are unable to exhibit any further expertise than giving high-up mucky-muck-style responses.

    Neverending chum, I might add, because nothing will solve compliance or security, other than ongoing diligence. And that’s chum chum chum to media!

  3.  LonerVamp Says:


  4.  rybolov Says:

    Gotta chum up the water so the big sharks will arrive. =)

  5.  Richard Masoner Says:

    Interesting observations — I wrote security software (ye olde DoD orange book “Trusted Systems” stuff) in a previous life. Thanks for using my photograph to illustrate your post.

  6.  rybolov Says:

    Hi Richard

    Thanks for posting your picture on Flickr using a Creative Commons License, otherwise I never would have found it.

    Let’s all join in a rousing rendition of “The Free Software Song”. =)

  7.  fkenisky Says:

    Interesting article but I’m not sure where you stand on this issue.

    My first problem is with someone like Alan Paller who criticizes these laws and regulations and only states that good security will prevail. ‘Rocky, watch me pull a rabbit out of my…’

    As a CISO and ISO over the past 8 years I believe that management believes that there is no security so to hell with it all. That nothing we do is going to save us or security is the firewall’s responsibility.

    As an ex-IT auditor I can say that without adherence to anything you have exactly what you adhere to. Nada. Nothing.

    So as an auditor you look for internal controls, which are addressed in NIST. However, if you don’t follow NIST because Alan Paller said it’s worthless, and you use that to justify not having internal controls, then you agree to no accountability.

    You can’t have it both ways. You either follow a standard or you live in chaos and wing it. But then you also live with the consequences. If PCI standards state that you should have a type of tripwire installed on your systems to provide a measure of internal controls, but you state that because we trust each other that should be sufficient to justify no internal controls or accountability, and PCI fines you $50,000 for each month you haven’t complied, is that good business?

    But it doesn’t provide us with security? Having internal controls doesn’t provide you with security? (and believe me I’ve heard this one from a manager who is as dumb as a door frame)

    In my day you didn’t stand up a box until you had hardened it. That meant you removed all unnecessary applications, services and other nefarious things. Today we do a default install of Enterprise Linux and we’re good to go, plug it in the network, install our database and off we go. According to management, removing those unnecessary things doesn’t pertain to them. But it’s a requirement by PCI. But it won’t make me more secure.

    I’m off on a rant right now so bear with me.

    Security is everyone’s responsibility not just the ISO’s. Management that I’ve had the pleasure of dealing with thinks that the ISO is the boy who puts his finger in the dam to stop the leak. They don’t care about the infrastructure of the dam they only care about stopping the leak.

    Their feeling is, ‘if we get hacked we’re in big trouble’. In my opinion that’s too late. Sorry I took so much space.

  8.  rybolov Says:

    Nice Rant.

    I’m on the side of common sense if that’s a side to be on.

    Opinion: Without the scorecard, nobody would care enough to do anything.

    Opinion: Everybody always misinterprets the results.

    Opinion: FISMA isn’t failing, it’s a workforce management issue, both for security staff and for federal employees at large.

  9.  fkenisky Says:

    I agree with the third opinion.

    Also, didn’t know if you noticed, but my rant does pick at Alan Paller, who, just in case any other googlers happen upon this page and wonder who we may be talking about, happens to be the chair of an IT Computer Security think tank.

    With that out of the way, if you read my rant you will know that Alan considers FISMA and this Federal measurement meaningless and that trying to comply does not make you secure.

    However, in recent news I have discovered what I thought all along. Alan was positioning himself to become the Guru of FISMA. Now SANS has come up with ICE, which I’ve seen in coordination with FISMA.

    Why is this important? Because part of the measure of this security will certainly become whether enough Federal Employees are GLIC certified by SANS.

    No wonder FISMA doesn’t work, yet.
