Revision of IT security rules could cost feds $600M over four years

A proposed bill aimed at strengthening the provisions of the Federal Information Security Management Act would require the U.S. government to spend an additional $610 million on FISMA implementation costs over the next four years if it is passed, according to an estimate by the Congressional Budget Office.

The CBO said in a cost estimate released on Tuesday that the bill could also affect spending on security by agencies, such as the U.S. Postal Service, that don’t receive annual funding for compliance with the act. But any increase in costs at those agencies is likely to be relatively small and could be offset by increasing the fees they charge for their services, the CBO added.

FISMA was approved by Congress and signed into law in 2002, in the aftermath of the 9/11 terrorist attacks, with a goal of improving data security within the federal government. The law mandates a series of security measures that agencies have to comply with and be evaluated against on an annual basis. For instance, FISMA requires agencies to adopt standard system configurations, create security training programs and develop processes for testing their security controls and contingency plans.

Over the past few years, the annual FISMA reports issued by each agency’s inspector general have been widely used as an indicator of the security preparedness at individual agencies and within the government as a whole. Rep. Tom Davis (R-Va.), who authored FISMA, uses the reports to prepare an IT security report card each year. Many agencies, including the departments of Defense, State and Homeland Security, have typically fared poorly on the report cards, getting “D” or even “F” grades.

FISMA’s mandates have focused much-needed attention on the security of federal systems and IT infrastructures. Even so, over the past few years, there has been a growing concern that many agencies have begun treating the FISMA process as little more than a paperwork exercise, resulting in little in the way of actual security improvements.

The big problem, according to critics of the process, is that FISMA merely requires agencies to attest to the measures they have implemented for protecting their data and systems without actually requiring them to prove anything. The requirements have also been criticized for not being holistic enough and for being too focused on process issues, while not covering technology issues.

The so-called FISMA Act of 2008, which was introduced in the Senate on Sept. 11 and is officially known as S. 3474, is designed to address some of those concerns. For instance, the bill would require all agencies to create a chief information security officer’s position with specific duties and authority. It also calls for the creation of a CISO council that would set security guidelines and best practices.

In addition, the bill would require formal and standardized security audits at agencies, instead of mere “evaluations,” and impose new reporting requirements. And IT vendors that sell products to government agencies would need to comply with certain FISMA mandates.

According to the CBO, federal agencies spent about $6 billion meeting the FISMA requirements last year. Its projected cost increase of about $150 million per year if the proposed bill is approved represents a 2.5% hike in the current spending level.

But some security analysts think that the added-cost figure might be overblown. “I think the CBO estimate was just a wild stab,” said Gartner Inc. analyst John Pescatore, adding that the size of the projected increase is “really hard” to envision, considering the relatively small extent of the changes being proposed to FISMA.

For instance, while agencies would have to designate CISOs, those positions wouldn’t necessarily have to be full-time positions, according to Pescatore. Instead, the CISO role could be handled by someone whose existing job primarily involves security responsibilities. “So this doesn’t really even mean any new hires for most agencies,” Pescatore said. Similarly, he added that while the creation of a CISO council will add some spending at the executive level, it is unlikely to be a big cost factor.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based security training and certification organization, said he thinks the FISMA revision would actually end up saving money. Paller said the new requirements would force agencies to “focus their spending” on measures that they could prove had improved security protections.