This is not to be confused with FISMA Phase II, which had to do with NIST credentials for FISMA assessors. The new FISMA II proposal is said to bring an emphasis on security and not just compliance.

While FISMA originally may have been a good idea to introduce some standards across the federal government as they look at how they secure their networks and how they secure their information, it turned into a lot of more paperwork-compliance exercise than really addressing the core issues of securing networks and securing data, said Michael Markulec, chief operating officer at Lumeta, a network mapping and discovery company.

“While initially a very positive step in terms of standardizing practices across the federal government, I think it has gotten a little bit out of control,” Markulec said. “My hope is for FISMA II and some of these streamline reporting is that some of the dollars that are being spent on the reporting compliance side can go back to really supporting securing the network and securing the underlying data to make sure that our critical infrastructure is protected.”

This is a common problem with compliance initiatives. A giant list of action items is created. No one in security will want to take the job of running through hundreds of hours of spreadsheets. Instead a project manager is assigned as the lead. This project manager, depending on their desire for executive status, often hires a huge number of staff to help collect and file papers on compliance as they too are unhappy just writing and filing reports — spread the pain around. Soon enough the project becomes an exercise in just collecting artifacts and checking boxes on a list. A giant gap is created between technical staff who can verify a control and the non-technical staff who file the evidence of a control. The project management office for compliance then will start to claim ownership of all things security related and the actual security staff will fade into this shadow.

The FISMA II proposal and discussion, found in testimony of Alan Pallar, suggests a shift to “real time” monitoring will bring balance back to more technical security staff.

Here is a problem I see with this proposal. I remember how GM proved, to the loss of billions, that automation will fail unless management of technology can be improved prior to automation. I think Paller misses this crucial step. He first lays out a critique of FISMA:

Continuous monitoring enables government agencies to respond quickly and effectively to common and new attack vectors. The Department of State has demonstrated the effectiveness of this security innovation. Most major corporations use it. This model is the future of federal cyber security. As our response to attacks becomes faster and more automated, we will take the first steps toward turning the tide in cyberspace, and protecting our sensitive information. The original FISMA did just the opposite — it slowed down every process and took key resources away from projects that would allow agencies to act and react more quickly.

Why did it slow down monitoring? What caused the failure? Paller says the answer is that FISMA itself created a non-technical group of auditors whose job is just to collect information:

GISRA and FISMA rewarded ineffective behaviors and created a cadre of people who call themselves security professionals but who proudly admit they cannot implement security settings on systems and network devices or find a programming
flaw. Most of these paper?warriors have no depth of understanding of current threats, cannot do an effective risk assessment, nor select the right controls to
protect systems against the increasingly sophisticated attacks.

I would not be so certain that FISMA rewarded ineffective behavior. My sense is that management was already thinking this way, FISMA just brought it to our attention. More to the point:

The head of security at a major southern power company told me last Friday, “I had to hire a writer rather than a security person because writing compliance reports is seen by management as more important than actually securing the systems.”

I wrote about about a giant gaping hole between those who collect evidence of controls and those who test controls. This example by Paller is actually a worse scenario. He shows that some companies (utilities) actually think they have to choose between testing security and documenting security.

They need both; can’t pick just one. That is the failure of management I am talking about. It existed before FISMA. That is what needs to change.

Paller also makes note of the fact that “paper-warriors” are said to get paid 50-80% more than “people who actually secure systems and networks and applications.”

While his argument here might be that technical expertise is undervalued, this is not a situation that should be seen as isolated to the security industry. The lesson from the data might actually be that security professionals should learn essential writing and reporting skills if they wish to boost their income by 50-80%. I often see that advice in other professions. The entire problem with FISMA might therefore boil down to the fact that security professionals who actually secure things need to develop broader skills. Another explanation could be that staff able to perform an assessment should not be passed over in favor of staff who can only report second-hand information albeit in a smoother package.

Back to my reference about GM and the failure of automation, Paller concludes:

What we need instead is a process that directs agencies to focus their cyber security resources on monitoring their information systems and networks in real time so that they can prevent, detect and/or mitigate damage from attacks as they occur. And oversight must be focused on the effectiveness of the agencies’ real-time defenses. The bill that you have introduced, Madam Chair, does exactly that. Anything less continues o waste scarce resources and leaves us unacceptably vulnerable.

I know “real time” technology might be appealing as a means to force more technical staff into the limelight, but that has not been my experience. It instead will fall right back into the “paper warrior” camp for one simple reason: professionals who actually secure things still face a need to turn large sets of data into meaningful reports. The need for the ability to write does not go away. Security professionals will still be called upon for analysis and synthesis, writing, presentation, and so forth. Paller does not explain how a smooth-talking “paper warrior” will be any less able to steal the show. A new danger could emerge instead as some might say there is no need for security professionals given the investment in a “real time” monitoring system that does all the “real work.”

I agree wholeheartedly with Paller’s emphasis, but I think his analysis and solutions are attacking symptoms instead of providing a cure. That is why I keep bringing up GM. They had “Robot Mania” under CEO Roger Smith, as explained by Case Study: GM and the Great Automation Solution.

“Automation came along just in time to save us.” — Roger Smith, 1980

The car company could have bought Toyota for the $45 billion it wasted trying to implement robotics to compete with them. The need for better management was not fixed by new technology or tools. The data was lost on groups unable to interpret and respond correctly.

Serious organizational change is what Paller is really calling for, which includes training, to increase productivity. A compliance manager who is lacks the skill to assess a control should be no more welcome than a financial audit manager unable to perform arithmetic.

However, given his argument that FISMA slowed down security by over-emphasizing writing and reporting, how does adding more data and more reporting with real-time technology feeds make things better? The question thus should not be about refocusing on security (one view) versus compliance (shared view requiring agreement). Compliance is still required. The question is who is trained and qualified today to manage security in a manner that is compliant. How many security professionals, in other words, are not only technically savvy but ready and able to manage compliance reporting for a large enterprise?