The next generation of knowledge and expertise

Transcription

1 The next generation of knowledge and expertise UNDERSTANDING FISMA REPORTING REQUIREMENTS 1 HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, (voice), (fax),

2 Background The Government Information Security Act of 2000 (GISRA) combined existing IT security requirements in previous legislation; the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Information Technology Reform Act of 1996 (Clinger- Cohen). After GISRA expired in November 2002, The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government (E-Government) Act of FISMA includes new requirements targeted at further strengthening information and system security. Because FISMA applies to information and information systems used by the agency, contractors, and other organizations, it has a wider applicability than previous security laws. It applies to all organizations which possess or use Federal information, or which operate, use, or have access to Federal information systems, on behalf of a Federal agency, including contractors, state and local governments, and industry partners. It requires that agencies utilize a risk-based, cost-effective approach to secure their information and systems, identify and resolve current IT security weaknesses and risks, as well as protect against future vulnerabilities and threats 1 FISMA s scope includes periodic risk assessments; use of controls and techniques to comply with information security standards; training requirements; periodic testing and evaluation; reporting; and plans for remedial action, security incident response, and continuity of operations. FISMA also requires annual independent evaluation of federal agency information security programs and practices. Agency information security activities are guided by Office of Management and Budget (OMB) policy and the development of information security standards by the National Institute of Standards and Technology (NIST) that will include mandatory requirements by risk level. Status of Federal Agencies Today In 2003, federal information security programs received poor FISMA marks. Although federal agencies showed progress in some areas of compliance with FISMA in 2004, they must still make significant improvements. Efforts led by Representative Adam Putnam and the House Government Reform Subcommittee on Technology have drawn attention to FISMA and compliance. Most federal agencies have hundreds, if not thousands, of systems that compromise the IT/IS infrastructure that must be protected. These numbers intensify the compliance reporting requirements and ultimately lead to FISMA compliance failure. Additionally, federal agencies are struggling with FISMA compliance due to lack of funding; misinterpretation of the requirements; lack of existing policy and process; and time constraints. FISMA is critical to ensuring the integrity and security of federal systems, but it has added significant reporting responsibilities to the federal workforce buried under a mountain of multiple mandates. Federal agencies face significant challenges in addressing FISMA s broad set of requirements and are looking to the private sector for help in meeting those challenges with solutions that will help in assessment, implementation, and reporting. HTA Technology Security Consulting is 1 Memo from OMB August 6, 2003, 2

3 designed to help organizations achieve compliancy by providing a complete Best Practices approach to supporting the FISMA initiative. In 2005 federal agencies which scored poorly on their annual security report cards in 2004, will encounter even tougher grading standards this year. Expect Chairman of the House Government Reform Committee Representative Tom Davis to become a major figure in the information technology community. According to Davis, FISMA is not receiving the attention it deserves, and it should be something that every committee in Congress is concerned about. Davis said his committee will lobby for more awareness and funding for FISMA in 2005 to ease the costly and time-consuming FISMA burden. He hopes the new information policy, information technology, and information security challenges that have arisen since FISMA will be addressed. Reporting Requirements Federal agencies must submit their reports to OMB by October 6, OMB uses the reports to help evaluate the government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and provide input to the E-Gov Scorecard under the President s Management Agenda. The report shall summarize the results of annual IT security reviews of systems and programs, agency progress on correcting weaknesses reflected in Plan of Action and Milestones (POA&M), and the results of IG independent evaluations. Verifying compliance for every IT system within the organization requires comprehensive validation testing and remediation planning with coordinated reporting and the information flow to allow the Agency head to accurately report on their current FISMA compliance status. To ensure that security remains a top management priority, FISMA requires that annual security reports and documented plans of action to correct security weaknesses be cross-referenced to budget materials sent to OMB. This increases the ability of OMB to directly monitor agency spending and overall security program progress, with ramifications if the two don t correlate. Key FISMA Areas FISMA requires each agency, including agencies with national security systems, to develop, document, and implement agency-wide information security programs. Specifically, this program is to include the following key areas: Security Policies and Procedures Periodic Risk Assessments Subordinate plans for providing adequate information security Annual Testing and Evaluation of security controls Corrective Action Process (Plan of Actions and Milestones (POA&M)) Continuity of operations (Contingency Plans) Incident Detection and Handling Security Incident Reporting Security Awareness Training Configuration Management 3

4 The following sections emphasize some of major areas of FISMA. Agency-wide Security Policies and Procedures FISMA requires that each agency develops and implements information security policies, procedures, and security controls in accordance with risk and magnitude of potential harm. Effective agency-wide security programs ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of federal information. Agencies that are required to meet FISMA compliance standards will need to develop such security programs. Sound practices include agencywide information security policies and enforced implementation of these policies for personnel at all levels. Additionally, security awareness training is required to inform all personnel, including contractors and other users of information systems that support the operations and assets of the agency, of risks and responsibilities in accordance with their activities. Risk Assessment and Security Plans The assessment of risk and development of security plans are two important activities in an agency s information security program that directly supports the accreditation process and are required under FISMA. Risk assessments, whether done formally or informally, influence the development of the security requirements and the security controls for information systems and generate much of the information needed for the security plans. It is essential to ensure that controls are fully commensurate with the risks to which the agency is exposed. Security plans document the security requirements and security controls for information systems and provide essential information for security accreditations. System Inventory Before any organization can assess its security risk, it needs to have a full inventory of critical IT assets and infrastructure components. FISMA requires that each federal agency develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of the agency. A complete inventory of major information systems is a key element of managing the agency s IT resources, including security of those resources. Additionally, monitoring, testing, and evaluation of information security controls must also be included as part of the inventory record. Federal agencies have not made much progress in this area. Lack of a complete inventory of federal agencies was one of the main points made by Chairman Putnam s committee and by OMB in their review of the agencies FY 2003 FISMA reports. They reported that only five federal agencies have completed reliable inventories of their critical IT assets leaving 19 without reliable inventories. Testing and Evaluation of Security Controls FISMA requires testing and evaluation of security controls, to be performed at least annually. The evaluation includes testing of management, operational, and technical controls. It determines the extent to which the security controls are implemented 4

5 correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Continuous risk assessment and monitoring of security controls must be performed to ensure that security controls maintain risk at an acceptable level. The necessary depth and breadth of an annual FISMA review depends on several factors such as acceptable level of risk, extent to which patch management is employed, scope of most recent reviews, and date of most recent in-depth testing and evaluation as part of system C&A. Plan of Actions and Milestones (POA&M) Process FISMA requires agencies to implement a POA&M process that tracks system weaknesses individually and in aggregate. The POA&M document, one of the three key documents in the security accreditation package, describes actions taken or planned by the information system owner to correct deficiencies in security controls and to address remaining vulnerabilities in the information system (reduce, eliminate, or accept the vulnerabilities). The POA&M identifies the tasks to be accomplished, the resources required to accomplish the elements of the plan, any milestones in meeting those tasks, and scheduled completion dates for the milestones. FISMA directs agency program officials to develop, implement, and manage POA&Ms for all programs and systems they operate and control for which security weaknesses have been identified. System Configuration Management FISMA requires that each agency develop its own specific configuration management requirements and ensure each system is compliant with those requirements. Documenting information system changes and assessing the potential impact on the security posture of the system is an ongoing process and is an essential aspect of maintaining security accreditation. System configuration management includes both establishment and maintenance of standard system security settings as well as patch management process. A robust patch management system will use risk as a determining factor in prioritizing patch management actions, to assure that the most critical vulnerable systems are addressed first. Continuity of Operations FISMA requires that each system security plan include the provision for continuity of operations for information systems that support the operations and assets of the agency, to include any information or information systems provided or managed by another agency, contractor, or other source. It is important for these plans to be clearly documented, communicated to potentially affected personnel and updated to reflect current operations. Contingency plans provide specific instructions for restoring critical systems, including such elements as arrangements for alternative processing facilities in case the usual facilities are significantly damaged or cannot be accessed due to unexpected events such as power failures, accidental loss of files, or a major disaster. Additionally, testing of contingency plans is essential to determining whether the plans will function as intended in an emergency situation. FISMA requires agencies to report the number of systems that have a contingency plan and the number that have contingency plans that have been tested. 5

6 Summary FISMA codifies specific responsibilities of federal agency officials, addresses protection of agency information resources, calls for agency officials to manage risk to an appropriate level, and requires agencies to incorporate security into the life cycle of information systems. Federal agencies are spending a large portion of their time on administrative activities related to FISMA compliance. Although agencies generally reported increases in their compliance with information security requirements in 2004 as compared to 2003, analysis of key measures revealed areas where agencies face challenges. Implementing an effective information security program requires a well designed strategy based on sound principles, a solid framework, and robust monitoring and reporting functionality. HTA is committed to helping agencies by defining the methodology which can be applied to address security requirements and identify high-priority corrective actions necessary to achieve and maintain compliance with FISMA. In 2005, expect to hear more about FISMA and the challenges and changes in attitude toward IT security within the federal government. 6