378 FORDHAM LAW REVIEW [Vol. 79
Eleventh Circuit reversed the district court’s decision to grant summary judgment to the defendants, and ultimately remanded the case, the decision contains an insightful glimpse into a federal agency’s failed compliance with FISMA.65 The court noted that, after the security breach had occurred, “[t]he Office of the Inspector General concluded that the VA’s [Veterans Affair’s] security plan did not comply with the agency’s own rules for securing data, and it improperly allowed the IT [Information Technology] Specialist access to databases” beyond his security clearance.66 Furthermore, the court found that it had “no reason to think that all of the alleged violations have been remedied.”67 Thus, the theft of valuable information from the VA confirmed what a number of critics had already believed: federal agencies struggle to properly implement FISMA.68

Several theories have been promulgated to explain this struggle.69 One theory holds that FISMA presents an unfunded mandate that requires agencies to perform additional work within the constraints of a pre-existing budget.70 As one author explains, “[f]or bureaus that already
64. Id. The complaint also alleged violations of the Privacy Act, the E-Government Act of 2002, the VA Claims Confidentiality Statute, the Trade Secrets Act, and the Veterans Benefits, Health Care, and Information Technology Act of 2006. Id.
65. Id. at 871, 876–78.
66. Id. at 871.
67. Id. at 876. Nearly a year after the data theft, Robert T. Howard, the Assistant Secretary for Information and Technology, spoke before a Senate subcommittee. Howard stated that the day the hard drive was stolen was “a wake up call . . . . As a result of that incident we began to improve our security posture and create the environment needed to better protect the . . . sensitive information entrusted to us.” Agencies in Peril: Are We Doing Enough to Protect Federal IT and Secure Sensitive Information?: Hearing Before the S. Subcomm. on Fed. Fin. Mgmt., Gov’t, Info., Fed. Servs., and Int’l Sec., 110th Cong. 1 (2008) [hereinafter Agencies in Peril] (statement of Robert T. Howard, Assistant Secretary for Information & Technology, Department of Veteran Affairs). Howard proceeded to identify five areas of FISMA compliance the Department of Veteran Affairs is working to improve. Id. at 4–6. Unfortunately, according to the 2008 OMB report to Congress, when asked whether the agency applies common security configurations established by NIST to application information systems, the Department of Veteran Affairs responded only “[s]ometimes (51–70% of the time).” OFFICE OF MGMT. & BUDGET, FISCAL YEAR 2008 REPORT TO CONGRESS ON IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 app. A-104 (2008) [hereinafter 2008 OMB REPORT].
68. See Robert Silvers, Note, Rethinking FISMA and Federal Information Security Policy, 81 N.Y.U. L. REV. 1844, 1849–63 (2006). Silvers’ discussion of Cobell v. Norton, 394 F. Supp. 2d 164 (D.D.C. 2005), is particularly enlightening. See Silvers, supra, at 1851–53. In Cobell, Individual Indian Money Trust beneficiaries sought an injunction to disconnect the Bureau of Indian Affairs (BIA) information technology networks from the Internet. The plaintiffs alleged that the BIA lacked adequate information security, and therefore was in breach of its fiduciary obligations to the plaintiffs. Cobell, 394 F. Supp. 2d at 165–68. Ultimately, the court’s opinion exposed a federal agency whose FISMA compliance had “lagged behind the expansion of the department’s Internet presence.” Id. at 223. For a further example of an agency’s struggle to implement FISMA, see Agencies in Peril, supra note 67, at 4 (statement of Robert T. Howard, Assistant Secretary for Information & Technology, Department of Veteran Affairs) (“While we have made progress, there is still much to be done. With respect to FISMA, there are five problematic areas.”), and see generally 2008 OMB REPORT, supra note 67 (demonstrating numerous areas of non-compliance despite agencies having had over six years to enact FISMA-compliant policies).
69. See infra notes 70–83 and accompanying text.
70. See Silvers, supra note 68, at 1859.