FISMA Insecurity Part 1

"Why are agencies forced to pay twice to C&A systems?" said the exasperated and cash-strapped Federal IT exec. "If agency A wants to use a system from agency B - a system that has already been C&A'd - then agency A needs to pay for a completely new C&A. If we're spending more than 20 percent of our cyber security budget on C&A - and the average C&A costs $167,643 - shouldn't we look for efficiencies?" An observation over lunch was quickly validated by other Feds - IT execs battling with the double-headed budget and security dragon. Curious stuff. The FISMA C&A reciprocity riddle set me on a fool's errand to put a dollar figure on the cost of C&A redundancy. That said, it opened a new window on OMB's lack of transparency - quite astonishing in this era of open government. Take a look at OMB's 2009 report to Congress on FISMA implementation - and you should. Here's the rundown:
  • "Economic prosperity of our nation, blah, CyberScope, blah, training, blah"
  • Some nice charts and graphs
  • Alarming stats that make the case for cyber security automation. The report states that there are 60,000 cyber security Feds at an average cost of $159,000 per annum - confusing, as OPM says that there are 70,000 IT pros in the Federal government; wonder what the other 10,000 do? Back to cyber security - so Uncle Sam's spending $10 billion+ each year on cyber folks. The report tells us that the agency cyber FTE budget is more than 150 percent of the total cyber security budget. Oh, and on top of that, agencies hired more than 30,000 cyber security contractors in 2009... pause to scratch head
But, back to the fool's errand. It's disappointing to find there's no list of agency C&As in the report that would allow us to quantify the cost of redundant C&As. But now the report gets really interesting. Take a gander at the charts on pages 14 and 15 of the report. The titles sound good - "C&A Cost by Agency" and "Testing Cost per Agency System." The Y-axes show hard cost in dollars. However, the X-axes are anathema to the principles of open government - "each dot represents an agency." OMB knows the agencies' identities, so why not attribute the dots on the graphs and show comparative costs? Why not map expenditure per system against FISMA grades to show taxpayers the value we're getting for every dollar? Okay, the FISMA C&A redundancy quantification quest has not paid off yet, but it did lead to some other interesting data - and a series of further questions. I'll leave you with these three - and if you've got the answers, I'm all ears:
  1. Do Feds have too many people in cyber security - and could automation serve us better?
  2. Why is OMB talking transparency but hiding actionable information on cyber security performance and RoI?
  3. What's the cost of C&A redundancy and why is it necessary?
This blog post has been re-posted from Steve O'Keeffe and MeriTalk with permission.