OPM Hack: The Role FISMA Played
Former Gov't CISO Detects Flaws in Law Governing IT Security

The Office of Personnel Management data breach is merely a symptom of a much larger problem across all federal government executive branch agencies, and it's not going away anytime soon.
That's because the Federal Information Security Management Act, in all of its various forms over the past 14 years, has created a veritable disarray of legislative mandates, ostentatious oversight, ambiguous policy frameworks, ineffective guidelines, disjointed funding and deficient accountability. Even more significant, FISMA botched cybersecurity leadership and governance across the entire executive branch.
Among its myriad flaws, and for whatever inexcusable reasons, FISMA has deemed it appropriate for the chief information security officers to report to the chief information officers. Such an organizational construct reduces cybersecurity to a mere IT security problem, ignoring the growing importance of cybersecurity's reach across all of the personnel, physical and cultural strata of an agency's makeup, not to mention its grander organizational privacy, risk management and compliance obligations.
Congress seems to believe that the often politically appointed CIO, with myriad budget-cutting and help desk headaches, is the appropriate senior official under whom to subordinate the critically important and increasingly complex cybersecurity portfolio. One by one, the Fortune 1000 is jettisoning this organizational paradigm, as security and privacy are skyrocketing in importance in the boardroom, while IT management is losing footprint to mobility and the cloud.
Terminating the Unfortunate Scapegoat
That's not to exonerate the Fortune 1000, by any means. There are too many of them who don't even have a CISO. But at least when those companies experience their inevitable breach, and after the unfortunate scapegoats have been terminated, they then put resourced and empowered security programs in place to implement appropriate processes, capabilities and tools.
FISMA has also created a "cyber-industrial complex" that feeds at the trough of federal cybersecurity spending and has become so entrenched and powerful that it rules federal cybersecurity with a profitability rather than a best-practice metric. Compounding this problem are agencies that have failed to adapt archaic acquisition strategies and contracting practices to deal with the dynamic realities of cybersecurity trends and developments.
Many agencies are using "lowest price, technically acceptable" contractors to protect some of our nation's most important and sensitive data. For these agencies, disaster either has occurred or is imminent.
The stark reality is that no agency in the executive branch prioritizes cybersecurity as a core business enabler. Federal agencies treat cybersecurity as an IT annoyance, buried as it is under their CIO. Federal agencies practice crisis-to-crisis cybersecurity management, and not proactive infrastructure resilience. Congress abets this approach by enacting authorization language that instructs each agency to deliver specific entitlements or services to the taxpayer, and appropriation language that funds the associated authorization, neither of which elevates cybersecurity to anything near an agency priority.
Seeking Nonconformist Solution
If there's a solution to this mess, it must be nonconformist. Voluntary cross-agency programs that leverage all of the government's buying power have been few, and have not worked. Nor have voluntary Department of Homeland Security programs that agencies have balked at adopting for fear of exposing their deficiencies to another agency.
Perhaps a maverick agency head will emerge, thumb his or her nose at FISMA and Congress, elevate the CISO role to a direct-report to the agency head (and then find a good one), re-assign the business-as-usual security staff and discharge its contractor masters. He or she will then empower the CISO and provide resources to migrate agency IT operations to a properly architected and security-first infrastructure. This maverick agency head also will lead the adoption of a security-aware culture across the entire agency, hold accountable all system and business process owners who do not place cybersecurity at the top of their daily list of priorities and provide resources for the continuous management and maintenance of the IT infrastructure with relentless diligence.
Agency-wide risk management and proactive resilience are not a lowest price, technically acceptable solution. They are also not a subordinate IT problem. Cybersecurity is a leadership and governance issue, and as a result, the recent OPM data breach is not surprising. Breaches will happen again, many times in many agencies, with no end in sight.
Brody, a former CISO of the departments of Veterans Affairs and Energy, is CISO for Cubic Global Defense, a provider of mission-centered training systems and services for the U.S. and allied armed forces, and chief security strategist for its parent company, Cubic.