Tarak Modi, CISA, CISSP, PMP
New threats related to cybersecurity are causing a shift in focus from compliance to risk-based protection, resulting in new requirements for system security and contingency plans, a greater push for continuous monitoring, and a stronger emphasis on configuration management and incident response.
The US Federal Information Security Management Act (FISMA), originally enacted in 2002 and currently undergoing considerable revision, establishes clear criteria to improve US federal agencies’ cybersecurity programs. But even as federal agencies struggle to implement their existing information security programs, cybersecurity breaches have become increasingly common: according to a recently released Government Accountability Office (GAO) report, the number of security incidents reported by US federal agencies rose from 5,503 in fiscal year 2006 to 16,843 in fiscal year 2008, an increase of roughly 200 percent over three years.1
This article looks at how FISMA and its family of key National Institute of Standards and Technology (NIST) Special Publications (SPs) are changing to meet the challenges posed by increasingly elusive hackers who are using better and more sophisticated tools and techniques to attack increasingly lucrative targets. Complacency is definitely not an option. The only option is to stay one step ahead of the game.
“It is no secret that terrorists could use our computer networks to deal us a crippling blow,” then-US Senator Barack Obama said in July 2008. A report2 issued by the GAO states that “federal agencies are facing a set of emerging cybersecurity threats that are the result of changing sources of attack, increasingly sophisticated social engineering techniques designed to trick the unsuspecting user into divulging sensitive information, new modes of covert compromise, and the blending of once distinct attacks into more complex and damaging exploits.” Such damaging exploits include increasingly sophisticated malware such as worms and viruses and the increased attack capabilities of blended threats and bots.
FISMA is the centerpiece of all of the US laws that have been enacted and implemented over the years to improve the US federal government’s ability to thwart cybersecurity attacks. At its core, FISMA requires federal agencies to implement a comprehensive agencywide, risk-based approach to protecting the confidentiality, integrity and availability (CIA) of federal information systems and to protecting information against cyberattacks. To this end, FISMA establishes clear criteria to improve federal agencies’ cybersecurity programs including:
FISMA is supported by Federal Information Processing Standards (FIPS) 199 and 200 and by several NIST SPs (the SP 800 series), most of which are being revised to counter current and emerging cybersecurity threats.
Effectively dealing with cyberthreats requires looking at and evolving the FISMA “family” both strategically as well as tactically. Strategically, it requires building a consistent, uniform information security framework for the federal government and supporting contractors, which is the overall strategic vision for FISMA, and includes:
Figure 1 shows the convergence of US federal, civilian, defense and intelligence security approaches into a unified FISMA strategic framework.
Tactically, such unification requires adjusting the FISMA “family” of standards based on cutting-edge best practices and lessons learned.
Most security pundits agree that the current implementation of FISMA is inadequate to meet the new challenges posed by cyberthreats. For example, under current FISMA regulations, agencies must demonstrate compliance with the processes prescribed for securing IT systems. To counteract continuously evolving cyberthreats, FISMA would have to rely less on such compliance reporting and more on ways to establish, in near real time, whether systems and networks are actually secure.
All of these changes are aimed at recognizing the interconnected nature of the Internet and agency networks; improving the situational awareness of government cyberspace; enhancing information security of the US federal government; unifying policies, procedures and guidelines for securing information systems and national security systems; and establishing security standards for government-purchased products and services.
The bottom line is that the focus of cybersecurity is shifting from compliance to risk-based protection.
Recommended Security Controls for Federal Information Systems and Organizations, also known as NIST SP 800-53, provides guidelines for selecting and specifying security controls for information systems that support the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines in this special publication are applicable to all federal information systems except those systems designated as national security systems. Revision 3 introduces many changes to its predecessor, including:
A new concept of priority codes has been introduced to assist in making sequencing decisions for control implementation. Additionally, a new management and common control concept is outlined with the introduction of the organizationwide information security program plan. Another exciting addition is the strategy for harmonizing FISMA security standards and guidelines with the international information security management standard ISO/IEC 27001, Information technology—Security techniques—Information security management systems—Requirements.
It would be naive to assume that so many changes would not have a noticeable impact on the application of the publication in practice. Major modifications will be required to existing system security documentation to incorporate the baseline control variances. For example, existing system security plans, contingency plans and documentation templates will have to incorporate new security controls and enhancements.
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST SP 800-37, provides guidelines for the security authorization of federal information systems. This publication has also undergone considerable revision with four key goals in mind:
There is a special emphasis on continuous monitoring via automated support tools and ongoing security authorizations.
Risk management is a central theme in all of the revisions that this article has covered thus far. To that end, the entire risk management framework is being reworked to shift focus from managing risk at the information systems level to the enterprise level. The development of SP 800-39 is the first step in this two-step redesign process. Step two is revising the current NIST recommendation on risk management, NIST SP 800-30, to focus exclusively on risk assessment as it applies to the various steps in the Risk Management Framework (RMF) described in SP 800-39. Truly, SP 800-39 stands out as a flagship document in the series of FISMA-related publications by providing a risk management framework that allows a structured yet flexible approach for managing the risk resulting from using information systems.
The complexity and diversity of mission/business processes in modern organizations and the multitude of information systems that are needed to support those processes require a holistic approach to building effective information security programs and managing organizational risks. Managing risk with an enterprise perspective requires looking at risk in a “tiered” manner, as shown in figure 2. Figure 2 also shows where SPs 800-37 and 800-39 fit with respect to risk management. Managing organizational risk (level 1) is beyond the scope of current NIST SPs.
Risk management is a six-step process, as illustrated in figure 3. These six steps are paramount to effective organizationwide management of risk resulting from the operation and use of information systems:
SP 800-39 introduces the concept of a risk executive function with the overall goal of ensuring that information security considerations and authorization decisions for individual information systems are viewed from an organizationwide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its mission/business processes. Figure 4 depicts this process.
SP 800-39 also reemphasizes the importance of continuous monitoring of risk by stating that:
…Conducting thorough point-in-time assessments of security controls in organizational information systems and supporting infrastructure is a necessary but not a sufficient condition to demonstrate security due diligence and to manage risk. Effective information security programs should also include comprehensive continuous monitoring programs to maintain ongoing, up-to-date knowledge by senior leaders of the organization’s security state and risk posture and to initiate appropriate responses as needed when changes occur.5
Continuous monitoring programs are an important step toward ensuring that the implemented security controls continue to be effective over time as changes within the system or the operating environment occur. Continuous monitoring also ensures that when existing controls are deemed to be ineffective at satisfying the security requirements, the necessary steps of the RMF are engaged to systematically address adjustments in the controls. Thus, a well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides near real-time security status information to the appropriate agency officials.
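As an added illustration (not code from the article or from NIST) of what turns a point-in-time assessment into the dynamic process described above: the script below re-evaluates a set of control checks against each configuration snapshot as it arrives, rolls the results up to a per-control status and records what changed since the previous snapshot, so that a control that was satisfied at authorization time but has since drifted shows up as a finding for the RMF to act on (in practice, a POA&M item). The SP 800-53 control identifiers are used only as labels for the checks; the monitored settings, their expected values and the two snapshots are constructed for this example.

```python
"""Continuous monitoring of implemented security controls.

Added example, not from the article or from NIST: a monitoring job that
re-evaluates control checks against each new configuration snapshot, reports
which controls are no longer satisfied, and records what changed since the
previous snapshot. Control IDs are labels only; settings and snapshots are
constructed for this example.
"""
from dataclasses import dataclass
from operator import eq, ge, le
from typing import Any, Callable, Dict, List, Tuple

# Each check: (control ID, setting name, comparison, expected value).
# A comparison operator lets a check express "at least"/"at most",
# not just equality, so a stricter-than-baseline setting still passes.
CHECKS: List[Tuple[str, str, Callable[[Any, Any], bool], Any]] = [
    ("CM-6", "ssh.PermitRootLogin", eq, "no"),
    ("CM-6", "ssh.PasswordAuthentication", eq, "no"),
    ("IA-5", "password.min_length", ge, 12),
    ("IA-5", "password.max_age_days", le, 60),
    ("AU-2", "audit.enabled", eq, True),
]


@dataclass(frozen=True)
class Finding:
    control: str
    setting: str
    expected: Any
    actual: Any  # None means the setting was absent from the snapshot


def evaluate(snapshot: Dict[str, Any], checks=CHECKS) -> List[Finding]:
    """Evaluate every check against one configuration snapshot.

    A setting missing from the snapshot is treated as a finding: absence of
    evidence is not evidence that the control is in place.
    """
    findings = []
    for control, setting, cmp, expected in checks:
        actual = snapshot.get(setting)
        try:
            ok = actual is not None and cmp(actual, expected)
        except TypeError:  # wrong type, e.g. a string where a number is expected
            ok = False
        if not ok:
            findings.append(Finding(control, setting, expected, actual))
    return findings


def control_status(findings: List[Finding]) -> Dict[str, str]:
    """Roll individual findings up to a per-control status."""
    status = {control: "satisfied" for control, *_ in CHECKS}
    for f in findings:
        status[f.control] = "other than satisfied"
    return status


def drift(previous: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, tuple]:
    """Settings whose value changed between two snapshots (added, removed or changed)."""
    changed = {}
    for key in set(previous) | set(current):
        if previous.get(key) != current.get(key):
            changed[key] = (previous.get(key), current.get(key))
    return changed


def monitor(snapshots) -> List[dict]:
    """Run the checks over a sequence of (timestamp, snapshot) pairs, as a
    scheduled job would, and return one report per snapshot."""
    reports, prev = [], None
    for taken_at, snap in snapshots:
        findings = evaluate(snap)
        reports.append({
            "taken_at": taken_at,
            "status": control_status(findings),
            "findings": findings,
            "drift": drift(prev, snap) if prev is not None else {},
        })
        prev = snap
    return reports


# Constructed snapshots: compliant at authorization time, then a change
# re-enabled root SSH login and weakened the password policy.
SNAPSHOTS = [
    ("2010-03-01T02:00Z", {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
                           "password.min_length": 14, "password.max_age_days": 60,
                           "audit.enabled": True}),
    ("2010-03-02T02:00Z", {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
                           "password.min_length": 8, "password.max_age_days": 60,
                           "audit.enabled": True}),
]

if __name__ == "__main__":
    for report in monitor(SNAPSHOTS):
        print(report["taken_at"], report["status"])
        for f in report["findings"]:
            print("  finding:", f)
        for key, (old, new) in report["drift"].items():
            print("  changed:", key, old, "->", new)
```

The second report is the point of the exercise: the same checks that passed on the first night fail on the second, and the drift record shows exactly which settings moved, which is what an authorizing official needs to decide whether the change was approved or needs a corrective action tracked to closure.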
FISMA and the supporting NIST publications are changing to incorporate lessons learned, to counter new and evolving cyberthreats, and to manage enterprise risk using an integrated SDLC approach. These changes are aimed at preventing exploitation of security vulnerabilities, unauthorized access, and loss of sensitive data or personally identifiable information (PII) and, ultimately, at obtaining funding for current and future projects. With so much at stake, is it any wonder that the only option is getting ahead of the game?
1 GAO, Agencies Continue to Report Progress, But Need to Mitigate Persistent Weaknesses, GAO Report to Congress, USA, July 2009, www.gao.gov/new.items/d09546.pdf
2 GAO, Emerging Cybersecurity Issues Threaten Federal Information Systems, GAO Report to Congress, USA, May 2005, www.au.af.mil/au/awc/awcgate/gao/d05231.pdf
3 Per the “Memorandum for the Heads of Executive Departments and Agencies” issued by the White House, a POA&M is a tool that identifies tasks that need to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the task and scheduled completion dates for the milestones. The purpose of the POA&M is to assist federal agencies in identifying, assessing, prioritizing and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. USA, 2001, www.whitehouse.gov/omb/memoranda_m02-01/
4 CNSS Instruction No. 1253, USA, October 2009, http://www.cnss.gov/Assets/pdf/CNSSI-1253.pdf
5 NIST, DRAFT Managing Risk From Information Systems: An Organizational Perspective, SP 800-39, USA, 2008, http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
Tarak Modi, CISA, CISSP, PMP, is principal architect at G&B Solutions and a seasoned business leader, skilled enterprise architect and published author with more than 15 years of experience solving business problems by aligning business and IT. He has coauthored Professional Java Web Services and written more than 80 articles related to IT management and transformation. Modi currently leads the cloud computing and security certification and accreditation (C&A) practices within G&B.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.