Cyber security assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002. The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity posture of US government agencies. NIST’s flagship methodology, Risk Management Framework (RMF), or DIARMF in the DoD, is comprehensive and fundamentally sound.

However, years of experience have exposed flaws in the RMF.  Some stem from lack of proper adoption and execution, some from unintended consequences and others arise from the relentless pace of innovation in technology.

Here are some of the problems I have witnessed in my years of running cybersecurity programs for the Federal government.

1. Conflicts of interest

Government agencies typically pay a systems integrator to assess the security posture of the agency. This arrangement can put a contractor in a difficult position; they must discover and document weaknesses in systems or business processes that might embarrass the agency paying them. As a result, there can be pressure to minimize or ignore security problems.

2. Plan of Action and Milestone (POA&M) abuse

Security assessor’s document deficiencies in a set of Plans of Action and Milestone, or POA&Ms. A POA&M includes a description of the problem and estimates of the cost and schedule required to remediate the problem. When the deadlines pass, there is typically no action: an administrator simply edits the due date to keep pushing it back, and problems remain without solutions for very long periods. In one case, I insisted on rectifying an issue that had been open for over seven years but took only 24 hours to address.

3. Excessive emphasis on compliance and burdensome documentation

To (Read more...)