What standard for information security includes specific requirements that apply to federal agencies in the United States?

FISMA Trickles into the Private Sector

Laura P. Taylor, in FISMA Compliance Handbook, 2013

FISMA compliance tools

FISMA compliance has created a new market for security compliance tools. As federal departments and agencies try to buff up their internal security processes, interest in understanding how to automate these processes and track them online has started to increase. Tools that claim to decrease the amount of time that it takes to put together required FISMA compliance documents have become more popular. However, these compliance tools have not really automated the compliance process. They are survey-driven tools that generally use an online content management system of sorts to collect information that you could alternatively put in a document. These survey-based content management compliance tools don’t really make it any easier to comply with FISMA—they simply organize FISMA compliance information in an online repository where it can be more easily shared. It’s often the case that these tools take quite a bit of time to set up and configure.

FISMA compliance tools don’t do the work for you. But they can make it easier for agencies to manage FISMA compliance projects on an enterprise level. These tools organize your compliance documents and send alerts when artifacts are past due. Many of these tools enable agencies to authorize different staff members to respond to different security controls in parallel.

Compliance management tools should not be confused with automated continuous monitoring tools, which, today, are still evolving.

URL: //www.sciencedirect.com/science/article/pii/B9780124058712000026

Federal Information Security Fundamentals

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Office of Management and Budget (OMB)

FISMA gives the Director of OMB responsibility for overseeing the implementation of the law’s provisions in federal civilian agencies, monitoring agency progress and compliance with the law, and reporting to Congress on government-wide results from FISMA implementation. OMB prepares and approves information technology sections of the president’s budget and performs budgetary oversight of agency investments, including those related to information security. OMB issues annual FISMA reporting instructions to agencies, and coordinates the submission of information security and privacy metrics and other FISMA report information through the online CyberScope tool, available to agencies through OMB’s MAX Portal. CyberScope, first launched in 2009 and mandated for agency use beginning in November 2010 [70], is intended to streamline the agency FISMA reporting process by enabling automated data feeds directly from agency security management systems to OMB and offering online forms and document upload capabilities to replace some of the manual document-based submission processes agencies used in the past. OMB also guides agency implementation and compliance with legislative requirements through official circulars and issues memoranda to announce recommended or mandatory actions or provide additional guidance to agencies on satisfying regulatory or policy obligations.

URL: //www.sciencedirect.com/science/article/pii/B9781597496414000023

Success Factors

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Compliance and Reporting

Providing effective security protection for information systems and other assets is a high priority for most organizations due to the important enabling role of information security in the execution of mission functions and business processes. Where private sector organizations generally have broad latitude to make their own determinations about the level of security and privacy protection to employ, even with respect to safeguarding personally identifiable information and other sensitive data [18], federal government organizations are subject to a wide range of legislative and regulatory requirements regarding security and privacy. For requirements specified in FISMA, agency compliance is mandatory, with the task of ensuring compliance falling within the scope of the agency information security program and ultimate responsibility assigned to the head of each agency [19]. These requirements make compliance—and the collection, management, and submission of agency-wide security information reported to demonstrate compliance—an important part of agency information security program operations. Establishing consistent, repeatable, and reliable compliance and reporting processes supports information security risk management across the entire organization.

Agency Reporting Requirements

FISMA directs each agency to provide annual reports “on the adequacy and effectiveness of information security policies, procedures, and practices” and on compliance with the applicable provisions in the law, and to include similar information in plans and reports developed to satisfy other requirements associated with budget formulation, information resources management, program performance monitoring, financial management, and internal auditing and administrative controls [20]. OMB (and since 2010, DHS) issues annual instructions to federal agencies specifying the set of security program metrics and other information agencies need to submit to satisfy FISMA reporting requirements. The current scope of FISMA reporting activities includes automated monthly data feeds of security information from each agency to CyberScope; written responses to a series of questions to be answered by chief information officers, senior agency officials for privacy, and inspectors general; and participation in “CyberStat” meetings coordinated by DHS intended to help agencies assess existing security posture and develop recommendations and action plans for improving security [21]. While both FISMA and the reporting instructions issued to agencies refer to annual reporting, some security information is reported monthly or quarterly; the shift that began in 2010 towards greater use of automated data feeds for reporting security metrics continues to evolve towards more frequent reporting. Agency officials retrieve current reporting templates and manage document-based submissions through CyberScope. Access to this information is strictly controlled, although summary FISMA report information for each agency is included in annual reports to Congress that are publicly available [22].

Information Security Program Evaluation

In addition to submitting information security metrics and program data for government-wide oversight, FISMA also requires federal agencies to perform annual independent evaluations to assess the effectiveness of their information security programs [23]. These evaluations address established security policies, procedures, and practices as implemented by agency information systems and review the agency’s compliance with FISMA requirements and other relevant security and privacy regulations, policies, and guidance. The information security program evaluation is typically performed by the agency inspector general or by an individual or entity external to the organization serving as an independent auditor. Because the agency inspector general is already required to assess the information security program against administration priorities, FISMA metrics, and baseline questions established for FISMA reporting, agencies may find it efficient to use the results of inspector general FISMA reports for internal program evaluation purposes, or to extend the scope of the required FISMA metrics and topic areas to address program characteristics most important to the agency. Under guidance provided by the Department of Homeland Security under its authority to oversee operational security within executive agencies, the questions inspectors general must answer reflect less emphasis on compliance and focus more on demonstrating the effectiveness of security controls and on assessing risk consistent with the guidance provided in Special Publication 800-39 [21]. Agencies can use the results of information security program evaluations and feedback provided to each agency during CyberStat reviews to identify areas of weakness and develop strategies to improve security organization-wide and provide better support to information systems security and risk management activities.

URL: //www.sciencedirect.com/science/article/pii/B9781597496414000059

Introduction

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

FISMA Progress to Date

FISMA requires federal agencies to provide annual reports to Congress summarizing their compliance with the law’s requirements, and to provide information about their information security programs to OMB to support OMB’s oversight of agency information security programs [5]. Annual FISMA reports to Congress provide aggregate and agency-level performance data on different aspects of information security management, with the specific metrics varying from year to year as federal information security priorities and focus areas change. For the first eight years (through fiscal year 2009) following FISMA’s enactment, published security metrics emphasized agency compliance in terms of the proportion of systems in agency FISMA inventories with successful certification and accreditation, implemented and tested contingency plans, and implemented and tested security controls, with compliance scores that peaked in 2008 when all three metrics were over 90% [17]. Beginning after the passage of the Government Information Security Reform Act in 2000 and running through 2007, the House Committee on Government Reform also issued annual “report cards” on computer security in federal government agencies. Between 2003 and 2007, when those report cards were based on FISMA requirements, the government-wide average rose from a “D” in 2003 to a “C” in 2007, suggesting that FISMA produced an improvement in overall government performance on information security. More recent FISMA reports note continued high rates of compliance with the law and emphasize results from new security metrics, introduced in fiscal year 2010, including implementation rates for identity management activities, automated configuration management, and vulnerability monitoring capabilities, encryption on portable computing devices, incident response, and security and awareness training [18].
This apparent general trend of continuous improvement in agency information security programs coincides with a dramatic rise in the number of security incidents reported by federal agencies, which increased more than 750% from 2006 to 2010 [19]. Although some of the reported increase in incidents may be attributed to improved monitoring and awareness efforts, the increasing incidence of security events observed by government agencies and the rise and pervasiveness of cyber attacks and other threats to government networks, systems, and infrastructure drive ongoing efforts in Congress to revise FISMA or enact new legislation to enhance information security for government organizations, particularly through the increased use of continuous monitoring of information systems and automated security reporting [20].

URL: //www.sciencedirect.com/science/article/pii/B9781597496414000011

IT Audit Drivers

Stephen D. Gantz, in The Basics of IT Audit, 2014

Federal Information Security Management Act

FISMA, enacted in the United States as part of the E-Government Act of 2002, requires federal executive branch agencies to implement, maintain, and continuously monitor controls sufficient to provide security protection commensurate with the risk to agencies from the loss of confidentiality, integrity, or availability of information. The law mandates compliance with federal information processing standards and associated guidance issued by the National Institute of Standards and Technology (NIST), including selecting security controls from an extensive framework defined in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations [20]. Government agencies must provide detailed documentation of the security measures taken to protect their information systems and provide regular reports on security practices to the Office of Management and Budget and Department of Homeland Security. Among other provisions, FISMA requires agencies to undergo annual independent evaluations of their information security programs, where such evaluations are conducted by agency Inspectors General or, for agencies without that position, by an external auditor [21]. Agency information systems are also subject to audit, alone or as part of a broader performance or financial audit, by the Government Accountability Office, which uses a standard audit methodology documented in the Federal Information System Controls Audit Manual [22]. Although compliance with FISMA is mandatory for federal agencies and contractors that operate IT systems or infrastructure on their behalf, there are no civil or criminal penalties for violating the law’s provisions. The consequences for failing to comply with FISMA or for weaknesses or deficiency findings in audit reports may include greater scrutiny of an agency’s IT or information security management practices or conditioning approval of budget requests on adequate remediation of noncompliant controls or practices.

URL: //www.sciencedirect.com/science/article/pii/B9780124171596000079

Oracle Security: The Big Picture

Josh Shaul, Aaron Ingram, in Practical Oracle Security, 2007

The Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) was enacted in 2002 as part of the E-Government Act, designed to modernize the inner workings of the US Federal government. Before FISMA came along, information security was largely neglected in the government, particularly by the civilian agencies. The situation was clear: there was little motivation or budget allocated to cyber security, so Congress intervened in an attempt to make implementing security controls a mandatory responsibility of government IT shops.

FISMA requires that any information system used or operated by a US Federal agency, including those run by contractors and others on behalf of the government, follow a set of prescribed security processes. These processes are not defined within the FISMA regulations; rather, FISMA makes reference to other pertinent standards and legislation, including Federal Information Processing Standards (FIPS) documents, National Institute of Standards and Technology (NIST) special publications, HIPAA, and the Privacy Act of 1974.

FISMA mandates that all Federal information systems be reviewed to determine the types of data contained within the system, and then categorized based on the damage that could be caused if the system’s confidentiality, integrity, or availability were to become compromised. There is significant debate as to the effectiveness of FISMA; however, few will argue the fact that FISMA and its web of related standards is extremely complex. Minimum security requirements for Federal agencies are outlined in FIPS 200, which refers to security controls described in NIST SP 800-53 (Recommended Security Controls for Federal Information Systems). NIST 800-53 is further broken down into categories for various types of information systems, and describes both operational and technical safeguards that must be implemented for each. It should be no surprise that NIST has created documents in the 800-53 series that directly address databases and database security.

Compliance with FISMA is generally evaluated on a departmental level by the Office of the Inspector General (OIG). This process is referred to as certification and accreditation (C&A) and includes a review of the controls and processes in place, and then signoff that the controls and processes meet Federal standards. Typically, each system must pass the C&A process at least once every three years or whenever a major change is made to the system, whichever comes first.

URL: //www.sciencedirect.com/science/article/pii/B9781597491983500032

Data Loss Protection

Ken Perkins, in Computer and Information Security Handbook, 2009

4. Data is Like Water

As most anyone who has had a water leak in a dwelling knows, water will find a way out of wherever it is supposed to be. Pipes are meant to direct the proper flow of water both in and out. If a leak happens, the occupant will eventually find a damp spot, a watermark, or a real drip. It might take minutes or days to notice the leak, and it might take just as long to find its source.

Much like the water analogy, employees are given data “pipes” to do their jobs, with enabling technology provided by the IT organization. Instead of water flowing through them, data can ingress and egress the organization through multiple methods.

Corporate email is a powerful, efficient, time-saving tool that speeds communication. A user can attach a 10 megabyte file, personal pictures, a recipe for chili, next quarter’s marketing plan, or an acquisition target. Chat and IM are the fastest growing form of electronic communication and a great enabler of efficient workflow. Files can be sent over these protocols or “pipes” as well. Web mail is usually the “weapon of choice” for users who like to conduct personal business at work. Web mail allows users to attach files of any type.

Thus, the IT network “plumbing” needs to be monitored, maintained, and evaluated on an ongoing basis. The U.S. government has published a complete and well-rounded standard that organizations can use as a good first step to compare where they are strong and where they can use improvement.

The U.S. Government Federal Information Security Management Act of 2002 (FISMA) offers reasonable guidelines that most organizations could benefit by adopting. Even though FISMA is mandated for government agencies and contractors, it can be applied to the corporate world as well.

FISMA sets forth a comprehensive framework for ensuring the effectiveness of security controls over information resources that support federal operations and assets. FISMA’s framework creates a cycle of risk management activities necessary for an effective security program, and these activities are similar to the principles noted in our study of the risk management activities of leading private sector organizations—assessing risk, establishing a central management focal point, implementing appropriate policies and procedures, promoting awareness, and monitoring and evaluating policy and control effectiveness. More specifically, FISMA requires the head of each agency to provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems used or operated by the agency or on behalf of the agency. In this regard, FISMA requires that agencies implement information security programs that, among other things, include:

Periodic assessments of the risk

Risk-based policies and procedures

Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate

Security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency

Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually

A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies

Procedures for detecting, reporting, and responding to security incidents

Plans and procedures to ensure continuity of operations

In addition, agencies must develop and maintain an inventory of major information systems that is updated at least annually, and report annually to the Director of OMB and several Congressional Committees on the adequacy and effectiveness of their information security policies, procedures, and practices and on compliance with the requirements of the act. An internal risk assessment of what types of “communication,” both manual and electronic, are allowed within the organization can give the DLP evaluator a baseline of the types of transmission that are probably taking place.

Some types of communications that should be evaluated are not always obvious but could be just as damaging as electronic methods. The following list encompasses some of those obvious and not so obvious methods:

Pencil and paper

Photocopier

Fax

Voicemail

Digital camera

Jump drive

MP3/iPod

DVD/CD-ROM/3½ in. floppy

Magnetic tape

SATA drives

IM/chat

FTP/FTPS

SMTP/POP3/IMAP

HTTP post/response

HTTPS

Telnet

SCP

P2P

Rogue ports

GoToMyPC

Web conferencing systems

URL: //www.sciencedirect.com/science/article/pii/B9780123743541000431

FISMA Compliance Overview

Laura P. Taylor, in FISMA Compliance Handbook, 2013

Introduction

The Federal Information Security Management Act (FISMA) is the most important cyber security law affecting U.S. federal agencies. No other cyber security law creates as much oversight, audit, and scrutiny as FISMA—at least as far as federal departments and agencies are concerned.

FISMA, also known as Title III of the E-Government Act (Public Law 107-347), requires that all systems and applications that reside on U.S. government networks undergo a formal security assessment before being put into production. System authorization is the ultimate output of a FISMA compliance project, and a system or application cannot be authorized unless it meets specific security control requirements. However, keep in mind that no system can be completely secure—unless it is powered off and locked in a vault. Of course, then it is not very usable. Determining the security controls for the system is a balancing act between making the system usable and making the system secure. These two endeavors are often at odds with each other. In order to find the balance, security experts analyze the probability and impact of vulnerabilities being exploited (or not) and then make risk-based decisions based on the analysis. Clearly, the goal of FISMA is to force federal agencies to put into production secure systems and applications and then to analyze risk periodically, all for the purpose of making risk-based decisions.

Before FISMA came along, implementing security controls on U.S. government networks was optional. Some agencies did a good job and others didn’t. Today, implementing security controls, looking for vulnerabilities, and performing security assessments are no longer an option. All federal agencies and departments work on FISMA compliance projects for all of their systems as a routine part of their information security agenda.

New applications and systems require a security assessment and authorization before they can be put into production, and existing applications and systems require a new assessment and authorization every 3 years. Systems that have already been authorized to operate must be reassessed every 3 years.

An additional requirement of FISMA is that federal departments and agencies develop and implement an agency-wide Information Security Program. The agency Information Security Program should be described in a document known as an Information Security Program Plan. I’ll talk more about what goes into an Information Security Program Plan in Chapter 5.

Though U.S. federal departments and agencies have no choice but to comply with FISMA, private sector organizations can optionally take advantage of FISMA compliance methodologies to help mitigate risks on their own information systems and networks. About 90% of the nation’s critical infrastructure is on private networks that are not part of any U.S. federal department or agency. The nation’s critical infrastructure includes those information technology systems that run electrical systems, chemical systems, nuclear power plants, transportation systems, telecommunication systems, banking and financial systems, and agricultural, food and water supply systems—to name only a few. The FISMA compliance methodologies described in this book can be adopted and used by not just federal agencies but by the private sector as well. Though federal departments and agencies seem to get repeated criticisms belittling their security initiatives, it’s my experience and belief that the criticisms are somewhat exaggerated and that their security conscientiousness far exceeds that of private industry. Any enterprise organization can adopt the FISMA compliance methodologies explained in this book. A special license is not required, and no special tools are required to make use of the model—it is simply a way of doing things related to information security.

The FISMA compliance process culminates with a very comprehensive and standardized security assessment. Essentially, the security assessment is an audit. Having worked in both private industry and on government networks, my experience shows that contrary to what you read in the news, most private and public companies do not put nearly as much time, effort, and resources into implementing security controls as government agencies do. Except for security incidents involving personally identifiable information, there are few federal laws that require companies to disclose security incidents. The percentage of those security incidents that are disclosed is very small. Many organizations purposefully do not report incidents to avoid bad press.

To demonstrate FISMA compliance, descriptions of security control implementations, policies, procedures, and risks are explained formally in a collection of documents known as a Security Package. The Security Package includes details of a review and analysis of all the hardware and software components of the system, as well as the data center, or location where the system resides. In some cases, a system may span multiple geographic locations and may consist of numerous connections from one or multiple data centers to other data centers that are either part of the system or are owned by other entities. A system’s Security Package demonstrates that due diligence in mitigating risks and maintaining appropriate security controls has occurred.

URL: //www.sciencedirect.com/science/article/pii/B9780124058712000014

Applying the NIST Risk Management Framework

Matthew Metheny, in Federal Cloud Computing, 2013

Purpose

FISMA was built upon several existing federal laws designed to ensure the security of federal information and information systems. These federal laws include the Computer Security Act of 1987 (Public Law 100-35), the Paperwork Reduction Act of 1995 (Public Law 104-13), and the Information Technology Management Reform Act of 1996 (i.e., the Clinger-Cohen Act, Public Law 104-106, Division E). The purpose of FISMA, as outlined in Section 3541, is covered in six major objectives. In this chapter, the focus will be on 1–4:

1. Establishment of a framework for ensuring the effectiveness of security controls;

2. Development of mechanisms for effective government-wide management and oversight of security-related risks;

3. Development and maintenance of a minimum set of required security controls;

4. Improvement of oversight of information security programs;

5. Utilization of commercially developed information security products for protecting critical information infrastructures; and

6. Selection of commercially developed information security solutions should be left to individual federal agencies.

URL: //www.sciencedirect.com/science/article/pii/B9781597497374000058

Security and Privacy in Public Cloud Computing

Matthew Metheny, in Federal Cloud Computing, 2013

E-Government Act of 2002, Federal Information Security Management Act (FISMA)

FISMA provides federal agencies with a recommended set of security control requirements necessary to protect information contained within an information system. In addition, federal agencies are required to identify and assess the risk to their PII, and to ensure security controls are implemented to enable adequate security. Therefore, CSPs that collect, store, or process PII on behalf of the federal government may have a responsibility to meet specific security requirements. These security requirements are based on the confidentiality, integrity, and availability objectives for the information identified as a result of a security categorization conducted by the CSP or the federal agency.

NIST was given the responsibility for developing standards and guidelines for information systems. These standards and guidelines include providing federal agencies with guidance on categorizing PII. The Privacy Act requires federal agencies to establish administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to those on whom information is obtained [9]. Harm is the adverse effects that would be experienced by an individual whose PII was the subject of a loss of confidentiality, as well as any adverse effects experienced by the organization that maintains the PII [14]. Therefore, the loss (or breach) of confidentiality would likely need to be evaluated against the unauthorized disclosure of the PII and the “effect on the organizational operations, organizational assets, or individual” [15] against the different confidentiality impact levels (see Table 4.3).

Table 4.3. FIPS 199 Impact Level—Confidentiality [15]

Potential Impact   Definition
Low                The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate           The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High               The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FISMA also requires federal agencies to establish procedures for detecting, reporting, and responding to security incidents. In addition, OMB requires federal agencies to report incidents involving PII to the US Department of Homeland Security (DHS), US Computer Emergency Readiness Team (US-CERT). Incidents that involve breaches of PII are categorized by US-CERT as Category 1 and require reporting within one hour of discovery/detection. The CSPs’ incident response plan will need to reflect any new requirements for notification and reporting by ensuring service agreements address the requirements and responsibility for notification, reporting, and any costs associated with an incident involving the compromise of PII.

URL: //www.sciencedirect.com/science/article/pii/B9781597497374000046

What are FISMA standards?

FISMA is U.S. government legislation that defines a comprehensive framework to protect government information, operations, and assets against threats. Signed into law in 2002 and updated in 2014, FISMA requires that federal systems meet a set level of security requirements (also known as “controls”).

What is FISMA and NIST?

FISMA is a law that dictates certain cybersecurity standards for U.S. government agencies. NIST is a government agency itself, which publishes security standards—including those that organizations should use to achieve FedRAMP or FISMA compliance.

Which law states requirements for Federal agency information security governance?

The Federal Information Security Management Act (FISMA) (FISMA 2002), part of the E-Government Act (Public Law 107-347), was passed in December 2002.

What does FISMA Act do?

FISMA requires federal agencies to implement a mandatory set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information.
