FISMA didn't boost cybersecurity: claim

WASHINGTON, May 22 (UPI) -- The Federal Information Security Management Act has so far failed to boost U.S. cybersecurity, an expert said.

The law, known as FISMA, has not been in force long enough for its most effective provisions to produce large cybersecurity improvements, an Office of Management and Budget official said Thursday.

FISMA took effect in 2002. It called for agencies, over a period as long as two years, to identify and categorize their information technology systems according to the level of risk that a compromise would pose. The second phase is the implementation of security controls based on those risks, a process that's been going on for only 18 to 24 months, said Glenn Schlarman, OMB branch chief for information policy and technology. He spoke Thursday on a breakfast panel sponsored by Government Executive, GovExec.com reported.

The controls phase "is new, and that has never been done anywhere by anyone," Schlarman said. The federal government has "some very strong pockets of security, and some really weak pockets of security," he added.

FISMA has lately been criticized as a paper-based exercise divorced from the real needs of cybersecurity. The law "measures the wrong things, and it measures the wrong things the wrong way," said Bruce Brody, also a panelist at the breakfast. He is a former federal cybersecurity chief and recently became a vice president at INPUT, a Reston, Va.-based government market analysis firm.

The federal government is making little headway in tackling cybersecurity problems, said Alan Paller, the third breakfast panelist and director of research at the SANS Institute, a nonprofit cybersecurity research organization. "In order to make progress, you actually (have) to reduce the problem a little bit, (but) the problem is being made harder," he said, according to the GovExec.com report.