Have Cybersecurity Breaches Really Gone Down? FISMA Cybersecurity Report With Barry West
The FISMA report is the official grading of information security for Federal Civilian agencies. The 2019 report, recently out shows incidents are down by 8%. They are the only component in the world seeing a reduction in cyber activity. This episode explores how that is possible, and if we are asking the right questions.
Episode Table of Contents
- [02:02] The Federal Information Security Management Act
- [07:02] Cybersecurity Breaches Are Down by Eight Percent
- [13:25] Is It a Reporting Issue
- [19:19] Crossing the T’s and Dotting the I’s
- About Our Guest
The Federal Information Security Management Act
Carolyn: Welcome to To The Point Cybersecurity. I'm Carolyn Ford, joined by my co-host, Eric Trexler. Today, we have Dr. Barry West. He's the founder and CEO of West Wing Advisory Services, a cybersecurity, cloud and IT consultancy. Prior to West Wing, Dr. West also served as the Senior Advisor and Senior Accountable Official for Risk Management for the US Department of Homeland Security.
Carolyn: He is a career technologist with over 30 years in the Information Technology field. Dr. West's experience includes being the CIO of five different government organizations. Thank you for joining us today, Dr. West.
Barry: Thank you, Carolyn and Eric for having me on this morning.
Carolyn: Today, we want to talk about the recent FISMA report. Will you give us a 30-second summary of what the FISMA report is?
Barry: A little history is needed here first. We can actually thank a local retired congressman by the name of Congressman Tom Davis, who many of you may remember. He was the chair of the Government Reform Committee prior to his stepping down from Congress. Tom happens to be a friend of mine as well. He was the father of FISMA, and this was driven by Congress back in the early 2000s.
Barry: FISMA, the Federal Information Security Management Act, came about in 2002. It’s when it was created. Basically, it was a requirement for federal agencies to develop, document, and implement an information security and protection program. From that came yearly reporting.
Barry: That was like, we've got all these great things about security. How are we going to report those to Congress to make sure that performance metrics are being met?
How FISMA Reporting Came About
Barry: That we are getting the proper oversight, the proper attention for all of our agencies, no matter how big it may be. Even the very small agencies of 10 people or less, way up to DOD, VA, Department of Homeland Security and so on. That's, in a nutshell, how this whole FISMA reporting came about.
Barry: It was Congress wanting to have something that they could provide oversight. They worked very closely with OMB. The report goes to OMB first, who then sends this to the appropriate channels in Congress. But OMB is providing the oversight office management budget for this yearly process.
Carolyn: Is it specific to cybersecurity?
Barry: It gets into some other areas such as privacy. You could group this all under information security because it's dealing not only with the internet but also with privacy. It's dealing with data protection, with availability, integrity, and confidentiality as well. So it's taking into account all of those factors around information security.
Carolyn: The report is 137 pages long. I didn't know it existed until we decided to do this podcast. The bulk of the report is the agency's report cards. What are they grading them on? What are the criteria?
Barry: They have certain measurements. I don't have those right here in front of me but they have certain areas that they're actually measured on. Dealing with everything from, have you done your risk assessment? For new systems that are brought on board that affect the perimeter of your network or your organization.
Barry: Have you done the necessary certifications and accreditations for those systems? Do you have proper training that's now in place to perform your yearly training? What percentage of people in your organization completed the training?
An Identity Theft Task Force for Cybersecurity Breaches
Barry: Also, that may be the yearly security training. Do new employees get the training? How is privacy being held, or how is privacy being accomplished? If you have a break-in, if you are compromised, do you have an identity theft task force that's in place to make decisions about credit monitoring? About providing credit monitoring services?
Barry: Shall we write a letter to all infected employees? These are really tough decisions. So they try to get what they can out of a yearly report to get a synopsis of all the things that have happened over the past year and use some of the criteria with these questions to try to really get a good feel.
Barry: Have you had a breach? Was the breach reported in the first hour that it occurred? Was any data, or anything taken? It gets into some of those. I don't have those specific questions in front of me right now, to give you a better feel.
Carolyn: Is it government agencies only, and every government agency has to do this?
Carolyn: No supply chain?
Eric: I don't think it includes the IC or DOD.
Barry: I'm not sure because they do have some different criteria in the DOD. They're using the NICE Act in some of the other various guidelines. I'm not quite sure if DOD has been brought in under the umbrella. They weren't early on, but I know all 100, maybe 200 by now, federal agencies.
Barry: I don't know how many. They may be looking for 140. But it's big and small. It's your small agencies that may only be a handful of people clear up to all your major CFO Act agencies.
Cybersecurity Breaches Are Down by Eight Percent
Carolyn: This report says that the cybersecurity breaches are down by eight percent. That surprised me because I thought cybersecurity breaches are up. Now, it's important to note that this report came out pre-COVID. But even pre-COVID, I didn't think cybersecurity breaches were down anywhere. What do you think about that?
Barry: When I first saw it, it was like, how can that be? We keep bringing on more and more devices. The bad guys and bad people that are out there doing these intrusions into our systems, compromising our systems, they're getting smarter. The number of devices keeps increasing.
Barry: I found it very interesting that we're showing eight percent down. When all other things are showing that we keep getting compromised more and more. It's not about if you're going to be compromised, but it's when. So I found it very striking to see that it was down by eight percent. If anything, I thought it would have been up.
Eric: Like the rest of the industry, like the rest of everybody else. I mean, everything's pretty much up. You may see different categories that go up and down.
Carolyn: They said phishing attacks were down, which that's across the board, phishing attacks are up, or cybersecurity breaches.
Eric: Look at the Verizon data breach report, just one authoritative source. Social phishing attacks are number two on their list of top threat actions in 2020. It's the 2020 report. The government's the exact opposite. You've got to think they're missing something.
Carolyn: Are they asking the right questions?
Barry: That could very well be, Carolyn. If the phishing is down, is it down because we're doing better training? Are we doing less checking on phishing attempts?
How Much Auditing Is Being Done to Verify the Data Coming Out
Barry: That maybe somebody does something and we don't know that it's happened? Are we asking all the right questions? Are we getting into the level of detail that's really needed to say that we're down? That's where the rubber meets the road. Are we really asking the right number of questions?
Barry: Are we getting all of the detailed data in a typical system, and how subjective is this? When you're going through and you're filling this FISMA report out, are you just checking the box? How much auditing is done to come back and actually look? Is GAO getting involved?
Barry: Is the IG for that agency checking to make sure they may be signing off on this as well? I think when the report does go up, they actually do a review, the inspector general. How thorough is that review, and how much time are they taking to really verify a lot of this?
Eric: When you look at the report, there's a figure one. Top five risk and vulnerability assessment findings in 2019; spear-phishing weakness, patch management, admin password reuse, insecure default configuration. Weak password policies are all in there. They do correlate pretty tightly with the Verizon data breach report on the major areas of risk that have increased.
Eric: From '18 to '19, misconfiguration alone, according to Verizon, went from 20 percent to over 40, 45 percent. So there is a correlation there, but I agree with you. How is the civilian government the only vertical in the world, if we want to call it a vertical, that's actually seeing a decrease and a pretty significant one. Eight percent, that's a pretty significant decrease.
The Person in Charge of Cybersecurity Breaches
Carolyn: Is it a self-reported report?
Eric: It is.
Carolyn: So there's no auditing from FISMA?
Barry: You got to remember, OMB is a small organization, they do not have the staff to be out monitoring this. They are a bare-bones staff of people, but they do rely a lot on the IG. But again, I don't know how much the inspector general for each specific agency, how deeply engaged they've been in verifying these numbers.
Carolyn: What do you think is the danger of this false report?
Barry: If I'm an agency head and I see this, ultimately the agency head is responsible. You go back to the current Trump administration's Cybersecurity Executive Order, EO 13800 that came out in 2017. It specifically calls out the agency head as that person being in charge of cyber for each agency.
Barry: If I'm seeing this, I'm saying, "Wow, I've got all the funding I need. Everything seems to be going pretty good here. Our incidents are down, so now I need to maybe focus on other areas. I can take my eye off cyber for a little bit, if you will, because things are down. Things are good." That would be the impression I'm getting if I'm the agency head.
Eric: So if I'm looking at this, knowing what I know about the industry, I'm saying, "What else are we missing? What else is out there that we're missing if we're misreporting, or I suspect we're misreporting." Now I start digging in more.
Carolyn: Yes, but who starts digging in?
Eric: If I'm running an agency, I would go back and look for additional details around the report data.
Is It a Reporting Issue
Eric: I would ask the question, "How are we doing better than the entire industry as a whole? What are we doing to make ourselves so good? Is it a reporting issue or are we actually that much better off?" Now, I agree, the agencies as a whole with the different programs out there, they've made progress.
Eric: But as Bruce Schneier would say, "We're getting better, but we're getting worse faster." That applies to the whole industry. I don't see the civilian government, not across the board but in a large number here, being better than everybody.
Carolyn: I would hope that the CISO or whoever's in charge of this report would go back and ask, "Okay, why are our numbers better?" and start digging in. But I'm going to go with what Dr. West just said. Maybe there's this false sense of security, and they move on and shift budget to other things. Because they think, "Oh, we're doing great. We're just going to stay with the status quo."
Eric: The other thing I've noticed, or the trend, Dr. West, I don't think they work together necessarily as they're filling out the report. Energy's not working with NASA, with anyone else.
Barry: No, not at all.
Eric: How do a large number of government agencies all come up independently with, "We're doing better"? That's another data point you just want to tear into and look, is the test asking the wrong questions, as you were asking, Carolyn. Is something else going on? Are we doing better in the areas where the test is asking us?
Eight Percent Down on Attacks or Eight Percent Down on Cybersecurity Breaches
Barry: Basically, they get all these reports in and then OMB actually goes through and synopsizes what they have. I don't know what level they go to, or how they come up with percentages. Is this just a staffer that's typing in the percentages, in this case, eight percent down on attacks. Are they just going into that area of the report and comparing it to last year's?
Carolyn: Is it eight percent down on attacks or eight percent down on cybersecurity breaches?
Eric: The data point was cybersecurity incidents, which to me means a reporting issue. If you look at some of the articles that were put out, it appears that the attacks were up.
Eric: So now, is it a reporting issue? 28,581 incidents were reported in fiscal '19. Just three were considered major, as they resulted in the mishandling of personally identifiable information. They all occurred within the Department of Homeland Security.
Barry: That's the other thing. How are you differentiating between the major and the minor incidents? What criteria are you using? Is it just those that are being reported to the CERT at DHS? Agencies have one hour to report any major incidents, such as a PII vulnerability.
Barry: It’s where someone's personal identifiable information is taken to a major attack on a system. They are required to report those, but again, are we looking at the right things? Are we being fair across all agencies on how we're accumulating this data? And how we're defining incidents in trying to come up with this in the end?
We Got This One Leaked
Eric: There's the old saying in the industry, "There are the people who have been hacked and the people who don't know they've been hacked." The government's basically saying, "We got this one leaked" in my opinion. From what I've read, and I've read through the report and it just blows my mind. Where are the checks and balances? Somebody should be inspecting this.
Barry: That would typically be a GAO. The Government Accountability Office would be the ones that would actually come in to really take a hard look at this. Since right now, the agency head's already signed off on this. The CIO has signed off on it.
Barry: The IG typically has looked at this, you hope, in each agency before it was sent up. So really, it then comes down to either a GAO or OMB coming back. Saying, "Hey, we really want to look at these numbers a little closer to make sure that we're using the right metrics in doing this."
Carolyn: What do we need to be able to do that? Money?
Barry: You need somebody that feels there's a need. Somebody that's going to make that case known and put the resources that are needed to look at that. Otherwise, they got a lot of things going on right now in government, especially around COVID. There's a lot going on right now, so it's a matter of getting this at an elevated level where they feel it's important.
Eric: Dr. West, you were a CIO of a number of agencies. How would you approach FISMA? It's been around, you said, since 2002, so that was during your timeframe. Is it a help?
Crossing the T’s and Dotting the I’s
Eric: Does it force your teams to do the right behaviors, and make sure that they're crossing the T's and dotting the I's? Or is it more of a, "Okay, check the box"? I'm not suggesting that anybody just wants to check the box and move on. But is it helpful or is it more of just paperwork?
Barry: It's both. If that makes sense. I did find it somewhat helpful. It showed me where I may have had some gaps in the various categories of how they grade the FISMA report. Again, I don't have the categories in front of me, but it's like eight or 10 different areas that they're really focusing on.
Barry: So from that perspective, it really made me look and come back to it. But in the end, I also felt like it was a big paperwork exercise that I had to dedicate each year to the staff. I had to go through this process of getting in front of the agency head, the secretary, who's very busy.
Barry: Now, I know things have changed, especially with the Cybersecurity Executive Order. Some of them didn't even care about cyber information security, but that I think has changed. It's changed quite a bit over the last five years.
Barry: But it was trying to grease the skids, get in front of them, walk them through the report of what they're actually signing. I just felt like it became more of a large paperwork exercise in the end. Where things like continuous monitoring and some of the other things that we've been working on now for what?
The Benefits of Einstein and the CDM Program
Barry: Five, six, seven years, you would think some of that would take this into consideration. That we could be doing some automated reporting through a lot of our continuous monitoring and diagnostics efforts, in my mind. Because of the amount of money that's gone into that program.
Eric: The report talks about some of the benefits of Einstein and the CDM program and everything else, so I agree with you. I'm more familiar with the CCRIs, the Cyber Capabilities Readiness Inspection.
Eric: I believe it is CCRI in the DOD side, which is definitely more granular. That's at the program or the application level. They're going through and looking at a checklist, essentially, but it does drive things like up-to-date patching. A little bit different, but it's an external auditor from DISA, might be Cyber Command now.
Eric: I think it's still DISA though. But I love the idea of the external auditor coming in. This just feels like nobody's necessarily digging into the details. The government's the biggest target out there. I can't imagine three incidents is really what we have.
Barry: Three major incidents.
Eric: Three majors, which weren't even that major. Like OPM a couple of years ago was a major incident. We breached a couple of million records to a contractor that never got further than that. Okay, maybe that's major, but I can think of worse.
Carolyn: I'm not going to lie. It just seems like a really big problem. I want a throat to choke, Eric, I want to know who's in charge.
Eric: Nobody's touching that one. There is no throat to choke.
Barry: It all starts at the top, Carolyn.
Figuring Out Where the Cybersecurity Breaches Have Occurred
Eric: Nobody's touching that one, but I think we do need to figure out where the cybersecurity breaches have occurred. We know there are cybersecurity breaches out there. I think we've got to look at that a little more honestly, in many cases. Sounds like we're making some progress, though. CDM, I do believe, will provide that automated reporting to some extent, if that helps you sleep better tonight.
Carolyn: Thank you very much, Dr. West, for joining us.
Barry: Absolutely. Very good topic. I love these types of discussions because I'm passionate about this. I've been involved in it for so many years. I appreciate you guys having me on.
About Our Guest
Barry West is the Founder and CEO of West Wing Advisory Services, a cybersecurity, cloud and IT consultancy in Reston, VA. Prior to starting West Wing, Dr. West was the President of MicroTech, a Service-Disabled Veteran-Owned Small Business (SDVOSB).
Prior to joining MicroTech, Dr. West was the Senior Advisor and Senior Accountable Official for Risk Management for the U.S. Department of Homeland Security. He is a career technologist with over 30 years in the information technology field.
Dr. West’s experience includes being the Chief Information Officer at five different government organizations – FDIC, PBGC, Commerce, FEMA and the National Weather Service. He also held a number of private sector executive positions to include S.E. Solutions Inc. and Tab Books Inc.