And here we have it, a bill introduced by Senators Carper and Lieberman to increase security in the Government, known as FISMA 2008. I’m still waiting on the text to appear on the Thomas entry, but I’ll go through the major provisions from the congressional record.
Congressional Record of the Bill’s Introduction and text (Starts on CR 8388 and goes through CR 8391)
- Changes some definitions of “assessment”, “audit” and “evaluation”. OK, I had to do some research on this one. Thankfully, this is all online. Sidenote: it’s not Section 3545 as per the bill, it’s Section 3535. Basically this is just rewording and rescoping of annual audits to be written the way it should have been in the first place.
- Creates a CISO position at each agency. Hey, I thought this was already created by FISMA. What we need is not CISOs that work for the CIO, what we need are agency CSOs (I’ll even take an agency Chief Risk Officer) that have authority over all of security, not just IT geek concerns.
- Creates a CISO Council. Fantastic idea, how come I didn’t think of it?
- Qualifications for CISOs. Not a bad idea, but the bill doesn’t elaborate too much.
- Responsibilities for CISOs. This is an interesting section. Much of this is in guidance from NIST/DISA/CNSS already. I like most of these measures, but I’m not sure that they need to be codified into law except for the pieces that reside outside of the agencies, like the coordination with US-CERT. Putting the CISO’s responsibilities into law does give the CISO more teeth if they need it, but you have to wield the law carefully.
From the NextGov article and the congressional record:
“Our bill empowers chief information security officers to deny access to the agency network if proper security policies are not being followed. If we are going to hold these hardworking individuals accountable in Congress for information security, then we should give them the authority to do so,” said Carper.
Um, yeah, we’ve given them the authority in this bill, but my problem is that it completely removes the DAA/AO/mission owners from the picture: the CISO is now responsible for the secure operations of IT systems and has disconnect authority.
I think that philosophically this bill is a step backwards. The more progressive thought is that security is the responsibility of the agency head and the mission owners and that the CISO just provides support as a subject matter expert. Under this bill, we’re back to a world where the CISO is the sole decision-maker when it comes to security. Wow, that’s so… 1990’s-ish.
However, we all know that the CISOs are the people getting the security job done from day to day, and this bill makes sense if you assume that the agency heads and DAAs/AOs have zero interest in, or skills for, assisting in the security of their data. That might or might not be true; I’ll leave it up to you to decide.
Questions for today are these (and yes, I want to hear what you think):
- Are we willing to scrap the “business/system owner” concepts that our security management processes are modeled around?
- Are we willing to admit that the DAA/AO concept is a failure because of lack of understanding and capabilities on their part?
- Are the mission owners willing to take an outage on their supporting IT infrastructure because the CISO took the system offline after they failed to secure the system properly in the first place?
- Can we rely on a management technique where the stakeholders are removed from the decision-making of a trained expert?