I've been watching the FISMA and cyber security space closely the past few months, which you probably know if you've seen some of my previous posts on the topic. There has been a fair amount of discussion more recently in the blogosphere regarding FISMA; particularly focused on the extension of government IT security regulations such as FISMA into private industry.
There are several factors driving this discussion. A number of proposed regulations have been floated recently that extend Federal power over cyber security and the Internet in general. Some of the proposals include a national coordinator for Cyber Strategy, aka the “Cyber Security Czar.” Some regulations, focused both on financial oversight and cyber security, will extend their reach beyond the government to private industry in general. Based on a brief review of the conversation in the marketplace, there appears to be a fair amount of concern regarding the cost, effectiveness and scope of the proposed changes to cyber regulations that apply to industry.
Posts on the Security and Architecture blog and Government Health IT discuss FISMA and the likelihood that private industry will have to adopt Federal security requirements in order to participate in the government health information exchange. The scope of this plan, basically extending the provisions of FISMA to the entire healthcare industry, has generated a lot of concern. In addition to the huge cost involved for the private sector to roll out new processes, tools, etc. to comply, there are concerns that FISMA-based determinations of compliance are largely subjective, and that the current iterations of the FISMA guidance identify no penalties for breaches or non-compliance. This last issue may of course change with the new cyber legislation being considered, but there has been widespread criticism of FISMA as a “paper exercise.”
Andrew Jaquith recently posted on the topic “Will Obama's New Cyber-Security Plan Make a Difference? We Can Only Hope.” In the post he talks about FISMA, and how it ultimately results in developing processes and managing compliance, not in providing insight into how secure the supposedly protected systems actually are. He also covers the results of the Government-wide policy review of cyberspace, including its recommendations. He expects private industry to see little immediate impact, but to expect further efforts around information sharing and incident response.
On this last point, much has been made of the presidential “Internet kill switch,” as defined in the updated Cybersecurity Act of 2009. This is a new provision that would allow the President to respond to a cyberattack by ordering the shutdown of private networks. The original proposal would give the President the authority to declare a “cyber emergency” and order the limitation or shutdown of various networks.
On his Backspin blog, Mark Gibbs tackles this topic – discussing whether the kill switch is technically possible, and whether it's advisable for the government to have this level of control. It's a good read, giving us many things to think about in the coming months as new legislation is finalized.
Of course, much of this may be speculation. The Cybersecurity Act of 2009 is still under debate and actively being amended. In addition to the Internet kill switch, lawmakers are also considering a government credential for IT security professionals, and defining the authority of the as-yet-unfilled Government Cybersecurity czar. Once this position has been filled, this person's responsibilities will include defining cyber-strategy and driving government security mandates, both current and proposed.
Why is this important for GRC practitioners? If you're not paying attention to these issues and potential legislation, you should be. As security and compliance become more aligned in the enterprise, GRC experts will undoubtedly find themselves on the front lines of both Federal and private industry cybersecurity efforts.