The White House plans to release the results of its cybersecurity review within days — and federal chief information officers, many of whom contributed to the report, say it will likely recommend a major overhaul of the 2002 Federal Information Security Management Act, or FISMA.
FISMA requires agencies to adhere to standards created by the National Institute of Standards and Technology. But CIOs say they're increasingly frustrated with the FISMA guidance, which they criticize as outdated and poorly focused on the threats that many agencies face.
Several CIOs interviewed last week said they want to monitor Internet traffic on a real-time basis and conduct forensic audits after cyberattacks, and then use their findings to patch holes in their security systems.
Instead, they say, they're forced to spend time meeting FISMA requirements that often don't improve security.
And a number of CIOs are optimistic that the White House's review will call for a more threat-based approach to cybersecurity guidance.
"It's very onerous. … The metrics aren't associated with things that are meaningful," said Robert Carey, the Navy's CIO. "The intent of FISMA was to raise overall security; it did raise security awareness, but it didn't necessarily raise overall security."
The 60-day review, which concluded April 17, was led by Melissa Hathaway, a senior adviser to the director of national intelligence.
The White House has been tight-lipped about its conclusions; Hathaway said her findings will be made public after the president has a chance to review them.
Hathaway worked closely with the CIO Council's information security group, according to Van Hitch, the group's co-chairman and the Justice Department's CIO.
He said FISMA "has not been useful" to CIOs in recent years.
"Personally, I believe that FISMA was a very good thing, in its day, because it really gave us a forum, it gave us a focal point, it kind of set a minimum kind of standard," Hitch said. "But once you've gotten to a certain point, it doesn't do the job it needs to do."
Hitch, who said the council had a lot of influence on the 60-day review, pointed to a "disconnect" between the cyber threats he faces at Justice and the FISMA requirements he has to follow.
"There are threats that we know are real, that are particular areas of vulnerability, and they're not part of FISMA," he said.
The complaints from CIOs echoed those of experts like John Gilligan, a former Air Force CIO, and Alan Paller, the director of the Maryland-based SANS Institute. They worked with a team of government officials and industry experts to review data about cyberattacks on federal systems, and they produced a list of 20 security guidelines that they say will prevent the most common kinds of attacks.
CIOs also say that simpler cybersecurity guidance will ease the strain on their budgets; several described FISMA as an "unfunded mandate."
"There seem to be different views on how FISMA is scored, and all of these have different criteria," said Sonny Bhagowalia, the Interior Department's CIO. "We cannot possibly get all the FISMA requirements [implemented] with the funding that we have."
NIST declined to comment on the review, beyond saying it would work with the White House to implement its recommendations.
"We will review it carefully and work to address any recommendations made for strengthening NIST efforts in this area," said Cita Furlani, director of NIST's information technology laboratory.
In an interview last month, Ron Ross, the agency's FISMA implementation project leader, said NIST constantly updates its guidance to reflect new threats. The most recent set of guidance came out earlier this year.
Who's in charge?
Hathaway's report is also expected to clear up the confusion about who runs federal cybersecurity. She confirmed last week that the report calls for the White House to take a central role in directing cybersecurity policy.
"No single agency has a broad enough perspective to match the sweep of the challenges," Hathaway said last week at the RSA security conference in San Francisco. "It requires leading from the top, from the White House."
But it's unclear who will oversee the implementation of that policy. The Homeland Security Department and the National Security Agency currently share that responsibility; both agencies monitor and respond to threats to federal systems.
That has been a controversial topic in recent weeks. Last month, Dennis Blair, the director of national intelligence, told the House intelligence committee that NSA should take charge of cybersecurity. And Rod Beckstrom, former director of the National Cybersecurity Center at DHS, resigned last month in protest over what he called the NSA's "dominant" role in cybersecurity.
But NSA's director, Lt. Gen. Keith Alexander, downplayed the rumor that the NSA is looking to usurp DHS' cybersecurity role.
"We do not want to run cybersecurity for the United States government," Alexander said last week. "That's a big job. It's going to take a team to do it." Alexander said he does expect NSA to play a major role in securing the Defense Department and the intelligence community. The agency will probably collaborate with the new "cyber command" that the Pentagon plans to establish.
"It's not NSA or DHS," Alexander said. "We need partnership with others. DHS has a big role."
Tell us what you think. E-mail GREGG CARLSTROM.