November 23, 2010 – Eric Chabrow, Executive Editor,

The Department of Transportation’s chief information officer has questioned the effectiveness of Federal Information Security Management Act audits in securing government IT systems.

“Prior administrations attempted to address FISMA performance through short-term redirection, or by addressing immediate audit findings, without addressing the systematic issue limiting and impacting agency program performance,” DOT CIO Nitin Pradhan, in a memo prepared by CISO Andrew Orndorff, wrote in response to a DOT inspector general report critical of the department’s compliance with FISMA during fiscal year 2010.

“Unfortunately,” Pradhan said, “while these types of patchwork actions are intended to improve FISMA metric scores, simple adherence to improving FISMA metrics has been insufficient, in itself, for significant improvement to the department’s cybersecurity posture.”

Typically, in responding to government audits, whether from an agency inspector general or the Government Accountability Office, CIOs address the specific vulnerabilities the auditors point out. Pradhan, however, questioned the effectiveness of audits that do not take into account the other actions the department employs to secure its IT systems. Pradhan isn’t alone. John Gilligan, formerly CIO of both the Air Force and the Department of Energy, says he doesn’t think inspector general audits of agencies’ IT security should be treated as gospel. The flaws they identify may be factual, Gilligan said in an interview, but they’re not always put in the perspective of the agencies’ overall approach to cybersecurity.

In the fiscal year 2010 Transportation Department FISMA compliance audit issued this month, DOT IG Calvin Scovel III took the agency to task for addressing only two of 27 recommendations made a year earlier to bring the department to compliance with FISMA. “DOT must immediately address its persistent cybersecurity weaknesses with strong leadership, greater influence and oversight by DOT OCIO (Office of the CIO), and management commitments from OA (operating administration – the various DOT agencies) administrators,” Scovel wrote. “Until this happens, DOT will continue to remain vulnerable to predators.”

Among the IG’s criticisms, failure to:

• Develop the required procedural guidance to augment the high-level security policy issued in 2009, so that departmental operating units can manage information security effectively;

• Sufficiently progress in implementing enterprise-level controls, such as the inability to track how many contractors it has on board;

• Effectively identify, track or prioritize IT security weakness in its plans of action and milestones; and

• Establish adequate controls to protect its systems in the event of a disruption.

Pradhan said DOT would need to triple its IT security workforce to comply fully with FISMA certification and accreditation requirements. “While compliance requirements like FISMA are an important part of the overall cybersecurity program, the department considers all aspects of cybersecurity when determining how to distribute its limited resources,” Pradhan said. “The department must prioritize its efforts to focus on actions which offer the greatest potential cybersecurity benefit.”

DOT’s CIO said the department is working with its various agencies, the Department of Homeland Security, the National Security Agency and major industry and academic partners to implement a next-generation approach to securing its IT. Pradhan said the new approach would be more agile, proactive and predictive.

Scovel did not respond to Pradhan’s views about the department’s approach to cybersecurity, but government auditors and those who have drafted volumes of guidance, such as the computer scientists at the National Institute of Standards and Technology, have long maintained that adhering to FISMA requirements will make IT systems more secure. Still, there is general recognition that a check-box, paper-compliance approach to FISMA fails to determine whether government IT systems are truly secure, hence the push by the Office of Management and Budget and Congress toward requiring agencies to continuously monitor the security posture of their IT systems.