1 The FISMA Secret October 29, 2009

2 Of the $6.2* billion that the Federal government spent on cyber defense in 2008, it spent some $1.31 billion on FISMA Certification and Accreditation (C&A) paperwork.

FISMA System Category | Population of FISMA Systems | Cost Associated with Executing FISMA C&A (per system) | Total FISMA C&A Cost
High                  |  1,143 | x $193,205   | = $220,833,315
Moderate              |  3,924 | x $167,643   | = $657,831,132
Low                   |  4,507 | x $74,057    | = $333,774,899
Not Categorized       |    683 | x $144,968** | = $99,013,144
TOTAL                 | 10,257 |              |   $1,311,452,490

* OMB's Fiscal Year 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002: http://www.whitehouse.gov/omb/assets/reports/fy2008_fisma.pdf
** Average of the three FISMA system categories' per-system C&A costs, applied to the population of "not categorized" systems to monetize the dangling element.

3 Is the cost of FISMA in line with its value?

CISOs say:
"There is no correlation between money spent to meet FISMA compliance and improvements in an agency's security posture."
"While FISMA has provided us great insight into system vulnerabilities, there is little money left over to actually fix anything."

[Chart: CISO responses, 27% / 73%]

* Study based on a survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs.

4 Could we reinvest these funds in a proactive versus paper approach to better secure America?

CISOs say:
"Yes. Using a risk management approach, which means assessing risk and applying the majority of funding to mitigate against those risks that can 'hurt' the most."
"Many of the same vulnerabilities appear in multiple systems/applications. A more proactive approach would be to reinvest these funds in enterprise-wide solutions as opposed to a system-by-system approach."

[Chart: CISO responses, 91% / 9%]

* Study based on a survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs.

5 Federal CISOs: What do you recommend?

"Take a more risk-based approach that looks at what the actual vulnerabilities/threats are that exist and use the money to address these specifically rather than produce volumes of documentation of test results that don't necessarily help us improve our security. FISMA should spend more time making sure the activities in question are actually being performed, as opposed to just confirming that the paperwork exists."
"We need to move away from paperwork and toward actual demonstration of security. We always joke that FISMA compliance is nothing but a stack of paperwork."
"We need to figure out a better way to relate investment to security, which we're not currently doing. We're analyzing compliance, not risk, which is not the right path."
"Use a risk management approach to security, investing in innovation and technologies that mitigate what we know about future attack vectors."

6 Thank You
Steve O'Keeffe
(703) 883-9000 ext. 111
sokeeffe@meritalk.com

