Just for the sake of discussion…
I am thinking that the 2002 Federal Information Security Act may need to be updated in a big way.
With all the security initiatives now out there and the growing awareness of how vulnerable everyone is to attacks, I am not convinced that compliance by federal government departments with the current expectations under FISMA will result in the security posture we all desire.
Here’s the rub as I see it. Technology architectures, solutions and ownership seem to have outstripped the policy and procedural boundaries to which we have been accustomed. Examples:
Solutions in the government these days are likely to include components that are owned or managed by organizations outside the reporting structure (therefore authority) of the mission applications owner. Services Oriented Architectures, to the minimal extent they have been operationalized, assume extensible and reusable services; data centers, networks, information buses, which may be provided to the mission area developing an application. Data repositories are integrated, or shared; even some transactional functions in systems are now shared.
In other words, the IT solutions are no longer wholly owned by the mission spaces, which have for years been accountable for datacenter to desktop. When ownership was complete, accountability for the solutions was much easier to determine. FISMA responsibility was reasonably clear.
Who owns these amalgams we now create, and who can certify and accredit them?
And how do security architectures and approaches need to be refocused as the user communities focus less on integrating applications, and more on accessing data sources, wherever they are? With shared technology components, and networks, and the increased emphasis on untethered and mobile endpoint devices, where do you think our security focus will need to change? Perimeter-centric solutions migrate to what? And how do we manage the new more flexible technology environments as they continue to break through the ownership boundaries?
And so, how does FISMA react here? Thoughts anyone?
COMMENTS
At least Scott is talking about protecting the enterprise (instead of the FISMA/OMB/NIST focus on "systems" -- see my rants elsewhere on that). But the fundamental problem is that oversight organizations like OMB and the Congress have no ability to specify proper enterprise-protective behavior because there are no metrics on which they can rely; the only metric that really matters is: NOTHING BAD HAPPENED. And two qualifiers must always follow that statement: SO FAR AS I KNOW and YET.
Andy Boots 05/21/08 07:30 am ET