FISMA 2010: What It Means for IT Security Professionals 

 

New threats related to cybersecurity are causing a shift in focus from compliance to risk-based protection, resulting in new requirements for system security and contingency plans, a greater push for continuous monitoring, and a stronger emphasis on configuration management and incident response.

Are You Ready?

The US Federal Information Security Management Act (FISMA), originally enacted in 2002 and currently undergoing considerable revision, establishes clear criteria to improve US federal agencies’ cybersecurity programs. But even as federal agencies struggle to implement their existing information security programs, cybersecurity breaches have become increasingly common. According to a recently released Government Accountability Office (GAO) report, such breaches have risen 200 percent over the past three years: the number of cybersecurity breach-related incidents reported by US federal agencies rose from 5,503 in fiscal year 2006 to 16,843 in 2008.[1]

This article looks at how FISMA and its family of key National Institute of Standards and Technology (NIST) Special Publications (SPs) are changing to meet the challenges posed by increasingly elusive hackers who are using better and more sophisticated tools and techniques to attack increasingly lucrative targets. Complacency is definitely not an option. The only option is to stay one step ahead of the game.

Background

“It is no secret that terrorists could use our computer networks to deal us a crippling blow,” then-US Senator Barack Obama said in July 2008. A report[2] issued by the GAO states that “federal agencies are facing a set of emerging cybersecurity threats that are the result of changing sources of attack, increasingly sophisticated social engineering techniques designed to trick the unsuspecting user into divulging sensitive information, new modes of covert compromise, and the blending of once distinct attacks into more complex and damaging exploits.” Such damaging exploits include increasingly sophisticated malware such as worms and viruses and the increased attack capabilities of blended threats and bots.

FISMA is the centerpiece of all of the US laws that have been enacted and implemented over the years to improve the US federal government’s ability to thwart cybersecurity attacks. At its core, FISMA requires federal agencies to implement a comprehensive agencywide, risk-based approach to protecting the confidentiality, integrity and availability (CIA) of federal information systems and to protecting information against cyberattacks. To this end, FISMA establishes clear criteria to improve federal agencies’ cybersecurity programs including:

  • Periodic risk assessments and risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system
  • Comprehensive plans for providing adequate information security for networks, facilities, and systems or groups of information systems
  • Security awareness training for agency personnel, including contractors and other users of information systems who support the operations and assets of the agency
  • Regular periodic testing and evaluation of the effectiveness of information security policies, procedures and practices
  • A process for planning, implementing, evaluating and documenting remedial plans of actions and milestones (POA&Ms)[3] to address any deficiencies in the information security policies, procedures and practices of the agency
  • Procedures for detecting, reporting and responding to security incidents
  • Plans and procedures to ensure continuity of operations (COOP) for information systems that support the operations and assets of the agency
  • Annual reports to the US Office of Management and Budget (OMB), selected congressional committees, and the Comptroller General on the adequacy of information security policies, procedures and practices and on compliance with FISMA’s requirements

FISMA is supported by Federal Information Processing Standards (FIPS) 199 and 200 and several NIST SPs (SP 800 series), most of which are evolving to counter the latest cybersecurity threats and to thwart others.

A Sea of Change in Overall Cybersecurity

Effectively dealing with cyberthreats requires looking at and evolving the FISMA “family” both strategically and tactically. Strategically, it requires building a consistent, uniform information security framework for the federal government and supporting contractors, which is the overall strategic vision for FISMA, and includes:

  • Integrating information security and privacy requirements into enterprise architecture
  • Applying systems engineering techniques/approaches to develop more secure information systems

Figure 1 shows the convergence of US federal, civilian, defense and intelligence security approaches into a unified FISMA strategic framework.

Figure 1

Tactically, such unification requires adjusting the FISMA “family” of standards based on cutting-edge best practices and lessons learned.

Tactical actions for cybersecurity readiness include:
  • Revising the FISMA legislation to address the latest cybersecurity threats
  • Updating the security controls catalog and baselines (NIST SP 800-53 revision 3)
  • Updating the certification and accreditation (C&A) process (NIST SP 800-37 revision 1)
  • Developing enterprisewide risk management guidance (NIST SP 800-39)
  • Providing better guidance on risk assessments (NIST SP 800-30 revision 1)

FISMA Is Changing

Most security pundits agree that the current implementation of FISMA is inadequate to meet the new challenges posed by cyberthreats. As an example, under current FISMA regulations, agencies must show how they comply with the processes determined to secure IT systems. However, to counteract continuously evolving cyberthreats, FISMA would have to rely less on compliance and more on ways to establish in real time whether systems and networks are truly secure.

Key upcoming FISMA changes include:
  • Requiring federal chief information security officers (CISOs) to meet program management, training, governance, oversight, and independent verification and validation (IV&V) challenges
  • Modernizing the FISMA platform using CyberScope, which is the new interactive data collection tool, and unlocking the value of reported data by publishing it on a cybersecurity dashboard
  • Continuous monitoring of management, operational and technical controls
  • Requiring attack-based and outcome-focused metrics, making agencies demonstrate that their systems are effectively protected against known vulnerabilities, attacks and exploitations
  • Focusing on situational awareness to move toward real-time security

All of these changes are aimed at recognizing the interconnected nature of the Internet and agency networks; improving the situational awareness of government cyberspace; enhancing information security of the US federal government; unifying policies, procedures and guidelines for securing information systems and national security systems; and establishing security standards for government-purchased products and services.

The bottom line is that the focus of cybersecurity is shifting from compliance to risk-based protection.

New Security Control Guidance With NIST 800-53 Revision 3

Recommended Security Controls for Federal Information Systems and Organizations, also known as NIST SP 800-53, provides guidelines for selecting and specifying security controls for information systems that support the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines in this special publication are applicable to all federal information systems except those systems designated as national security systems. Revision 3 introduces many changes to its predecessor, including:

  • Lessons learned from the Interagency Assessment case project. Its goal was to provide a multiagency recommendation for the specific actions an assessor may perform in applying the assessment procedures in NIST SP 800-53A.
  • Security controls for civilian, defense and intelligence systems
  • Best practices in information security from the US Department of Defense, the intelligence community and civil agencies
  • Material from the Committee on National Security Systems (CNSS) instruction 1253[4] (as part of the unification)
  • New security controls to address cyberthreats
  • Plans for incorporating a threat appendix for cyberpreparedness

A new concept of priority codes has been introduced to assist in making sequencing decisions for control implementation. Additionally, a new management and common control concept is outlined with the introduction of the organizationwide information security program plan. Another exciting addition is the strategy for harmonizing FISMA security standards and guidelines with the international information security management standard ISO/IEC 27001, Information technology—Security techniques—Information security management systems—Requirements.

It would be naive to assume that so many changes would not have a noticeable impact on the application of the publication in practice. Major modifications will be required to existing system security documentation to incorporate the baseline control variances. For example, existing system security plans, contingency plans and documentation templates will have to incorporate new security controls and enhancements.

New C&A Guidelines With NIST 800-37 Revision 1

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST SP 800-37, provides guidelines for the security authorization of federal information systems. This publication has also undergone considerable revision with four key goals in mind:

  1. Develop a common security authorization process for federal information systems (currently known as the C&A process).
  2. Make the risk management framework and accreditation process an integral part of the system development life cycle (SDLC).
  3. Provide a well-defined and comprehensive security authorization process that ensures responsibility and accountability for managing information system-related security risks.
  4. Incorporate a risk executive function into the security authorization process to ensure that decisions are based on an “enterprise” view of risk and that they consider all factors, including mission, IT, budget and security.

There is a special emphasis on continuous monitoring via automated support tools and ongoing security authorizations.

NIST 800-39: Managing Risk at an Enterprise Level

Risk management is a central theme in all of the revisions that this article has covered thus far. To that end, the entire risk management framework is being reworked to shift focus from managing risk at the information systems level to the enterprise level. The development of SP 800-39 is the first step in this two-step redesign process. Step two is revising the current NIST recommendation on risk management, NIST SP 800-30, to focus exclusively on risk assessment as it applies to the various steps in the Risk Management Framework (RMF) described in SP 800-39. Truly, SP 800-39 stands out as a flagship document in the series of FISMA-related publications by providing a risk management framework that allows a structured yet flexible approach for managing the risk resulting from using information systems.

The complexity and diversity of mission/business processes in modern organizations and the multitude of information systems that are needed to support those processes require a holistic approach to building effective information security programs and managing organizational risks. Managing risk with an enterprise perspective requires looking at risk in a “tiered” manner, as shown in figure 2. Figure 2 also shows where SPs 800-37 and 800-39 fit with respect to risk management. Managing organizational risk (level 1) is beyond the scope of current NIST SPs.

Figure 2

Risk management is a six-step process, as illustrated in figure 3. These six steps are paramount to effective organizationwide management of risk resulting from the operation and use of information systems:

  1. Categorize the information and systems (impact/criticality/sensitivity).
  2. Select and tailor the security controls. This includes tailoring and supplementing the security controls based on the risk assessment.
  3. Implement and document the security controls in the information system.
  4. Assess the security controls for effectiveness.
  5. Decide the enterprise/agency-level risk and risk acceptability, and authorize information systems operation.
  6. Monitor security controls on a continuous basis.

Figure 3

SP 800-39 introduces the concept of a risk executive function with the overall goal of ensuring that information security considerations and authorization decisions for individual information systems are viewed from an organizationwide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its mission/business processes. Figure 4 depicts this process.

Figure 4

SP 800-39 also reemphasizes the importance of continuous monitoring of risk by stating that:

…Conducting thorough point-in-time assessments of security controls in organizational information systems and supporting infrastructure is a necessary but not a sufficient condition to demonstrate security due diligence and to manage risk. Effective information security program should also include comprehensive continuous monitoring programs to maintain on-going, up-to-date knowledge by senior leaders of the organization’s security state and risk posture and to initiate appropriate responses as needed when changes occur.[5]

Continuous monitoring programs are an important step toward ensuring that the implemented security controls continue to be effective over time as changes within the system or the operating environment occur. Continuous monitoring also ensures that when existing controls are deemed to be ineffective at satisfying the security requirements, the necessary steps of the RMF are engaged to systematically address adjustments in the controls. Thus, a well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides near real-time security status information to the appropriate agency officials.

Conclusion

FISMA and the supporting NIST publications are changing to incorporate lessons learned, to counter new and evolving cyberthreats, and to manage enterprise risk using an integrated SDLC approach. These changes are aimed at preventing exploitation of security vulnerabilities, unauthorized access, and loss of sensitive data or personally identifiable information (PII) and, ultimately, at obtaining funding for current and future projects. With so much at stake, is it any wonder that the only option is getting ahead of the game?

Endnotes

1 GAO, Agencies Continue to Report Progress, But Need to Mitigate Persistent Weaknesses, GAO Report to Congress, USA, July 2009, www.gao.gov/new.items/d09546.pdf
2 GAO, Emerging Cybersecurity Issues Threaten Federal Information Systems, GAO Report to Congress, USA, May 2005, www.au.af.mil/au/awc/awcgate/gao/d05231.pdf
3 Per the “Memorandum for the Heads of Executive Departments and Agencies” issued by the White House, a POA&M is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task and scheduled completion dates for the milestones. The purpose of this POA&M is to assist federal agencies in identifying, assessing, prioritizing and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. USA, 2001, www.whitehouse.gov/omb/memoranda_m02-01/
4 CNSS Instruction No. 1253, USA, October 2009, http://www.cnss.gov/Assets/pdf/CNSSI-1253.pdf
5 NIST, DRAFT Managing Risk From Information Systems: An Organizational Perspective, SP 800-39, USA, 2008, http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf

Tarak Modi, CISA, CISSP, PMP, principal architect at G&B Solutions, is a seasoned business leader, skilled enterprise architect and published author with more than 15 years of experience solving business problems by aligning business and IT. He has coauthored Professional Java Web Services and written more than 80 articles related to IT management and transformation. Modi currently leads the cloud computing and security certification and accreditation (C&A) practices within G&B.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.