
The next generation of knowledge and expertise

UNDERSTANDING FISMA REPORTING REQUIREMENTS

HTA Technology Security Consulting, 30 S. Wacker Dr, 22nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com

Background

The Government Information Security Act of 2000 (GISRA) combined existing IT security requirements from previous legislation: the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Information Technology Reform Act of 1996 (Clinger-Cohen). After GISRA expired in November 2002, the Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government (E-Government) Act of 2002. FISMA includes new requirements targeted at further strengthening information and system security. Because FISMA applies to information and information systems used by the agency, contractors, and other organizations, it has a wider applicability than previous security laws. It applies to all organizations which possess or use Federal information, or which operate, use, or have access to Federal information systems, on behalf of a Federal agency, including contractors, state and local governments, and industry partners. It requires that agencies utilize a risk-based, cost-effective approach to secure their information and systems, identify and resolve current IT security weaknesses and risks, and protect against future vulnerabilities and threats. [1]

FISMA's scope includes periodic risk assessments; use of controls and techniques to comply with information security standards; training requirements; periodic testing and evaluation; reporting; and plans for remedial action, security incident response, and continuity of operations. FISMA also requires annual independent evaluation of federal agency information security programs and practices. Agency information security activities are guided by Office of Management and Budget (OMB) policy and by the information security standards developed by the National Institute of Standards and Technology (NIST), which will include mandatory requirements by risk level.

Status of Federal Agencies Today

In 2003, federal information security programs received poor FISMA marks. Although federal agencies showed progress in some areas of FISMA compliance in 2004, they must still make significant improvements. Efforts led by Representative Adam Putnam and the House Government Reform Subcommittee on Technology have drawn attention to FISMA and compliance. Most federal agencies have hundreds, if not thousands, of systems that comprise the IT/IS infrastructure that must be protected. These numbers intensify the compliance reporting requirements and ultimately lead to FISMA compliance failure. Additionally, federal agencies are struggling with FISMA compliance due to lack of funding, misinterpretation of the requirements, lack of existing policy and process, and time constraints. FISMA is critical to ensuring the integrity and security of federal systems, but it has added significant reporting responsibilities to a federal workforce already buried under a mountain of multiple mandates. Federal agencies face significant challenges in addressing FISMA's broad set of requirements and are looking to the private sector for help in meeting those challenges with solutions that will assist in assessment, implementation, and reporting. HTA Technology Security Consulting is designed to help organizations achieve compliance by providing a complete Best Practices approach to supporting the FISMA initiative.

Federal agencies that scored poorly on their annual security report cards in 2004 will encounter even tougher grading standards in 2005. Expect Representative Tom Davis, Chairman of the House Government Reform Committee, to become a major figure in the information technology community. According to Davis, FISMA is not receiving the attention it deserves, and it should be something that every committee in Congress is concerned about. Davis said his committee will lobby for more awareness and funding for FISMA in 2005 to ease the costly and time-consuming FISMA burden. He hopes the new information policy, information technology, and information security challenges that have arisen since FISMA will be addressed.

[1] Memo from OMB, August 6, 2003, http://www.whitehouse.gov/omb/memoranda/m03-19.pdf

Reporting Requirements

Federal agencies must submit their reports to OMB by October 6, 2004. OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and provide input to the E-Gov Scorecard under the President's Management Agenda. The report shall summarize the results of annual IT security reviews of systems and programs, agency progress on correcting weaknesses reflected in the Plan of Action and Milestones (POA&M), and the results of IG independent evaluations. Verifying compliance for every IT system within the organization requires comprehensive validation testing and remediation planning, with coordinated reporting and an information flow that allow the Agency head to accurately report on the agency's current FISMA compliance status. To ensure that security remains a top management priority, FISMA requires that annual security reports and documented plans of action to correct security weaknesses be cross-referenced to budget materials sent to OMB. This increases the ability of OMB to directly monitor agency spending and overall security program progress, with ramifications if the two don't correlate.

Key FISMA Areas

FISMA requires each agency, including agencies with national security systems, to develop, document, and implement agency-wide information security programs. Specifically, this program is to include the following key areas:

- Security Policies and Procedures
- Periodic Risk Assessments
- Subordinate plans for providing adequate information security
- Annual Testing and Evaluation of security controls
- Corrective Action Process (Plan of Actions and Milestones (POA&M))
- Continuity of Operations (Contingency Plans)
- Incident Detection and Handling
- Security Incident Reporting
- Security Awareness Training
- Configuration Management

The following sections emphasize some of the major areas of FISMA.

Agency-wide Security Policies and Procedures

FISMA requires that each agency develop and implement information security policies, procedures, and security controls in accordance with the risk and magnitude of potential harm. Effective agency-wide security programs ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring, and reporting of federal information. Agencies that are required to meet FISMA compliance standards will need to develop such security programs. Sound practices include agency-wide information security policies and enforced implementation of these policies for personnel at all levels. Additionally, security awareness training is required to inform all personnel, including contractors and other users of information systems that support the operations and assets of the agency, of risks and responsibilities in accordance with their activities.

Risk Assessment and Security Plans

The assessment of risk and the development of security plans are two important activities in an agency's information security program that directly support the accreditation process and are required under FISMA. Risk assessments, whether done formally or informally, influence the development of the security requirements and the security controls for information systems and generate much of the information needed for the security plans. It is essential to ensure that controls are fully commensurate with the risks to which the agency is exposed. Security plans document the security requirements and security controls for information systems and provide essential information for security accreditations.

System Inventory

Before any organization can assess its security risk, it needs to have a full inventory of critical IT assets and infrastructure components. FISMA requires that each federal agency develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of the agency. A complete inventory of major information systems is a key element of managing the agency's IT resources, including the security of those resources. Additionally, monitoring, testing, and evaluation of information security controls must also be included as part of the inventory record. Federal agencies have not made much progress in this area. The lack of a complete inventory was one of the main points made by Chairman Putnam's committee and by OMB in their review of the agencies' FY 2003 FISMA reports. They reported that only five federal agencies had completed reliable inventories of their critical IT assets, leaving 19 without reliable inventories.

Testing and Evaluation of Security Controls

FISMA requires testing and evaluation of security controls, to be performed at least annually. The evaluation includes testing of management, operational, and technical controls. It determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Continuous risk assessment and monitoring of security controls must be performed to ensure that security controls maintain risk at an acceptable level. The necessary depth and breadth of an annual FISMA review depend on several factors, such as the acceptable level of risk, the extent to which patch management is employed, the scope of the most recent reviews, and the date of the most recent in-depth testing and evaluation as part of system C&A.

Plan of Actions and Milestones (POA&M) Process

FISMA requires agencies to implement a POA&M process that tracks system weaknesses individually and in aggregate. The POA&M document, one of the three key documents in the security accreditation package, describes actions taken or planned by the information system owner to correct deficiencies in security controls and to address remaining vulnerabilities in the information system (reduce, eliminate, or accept the vulnerabilities). The POA&M identifies the tasks to be accomplished, the resources required to accomplish the elements of the plan, any milestones in meeting those tasks, and scheduled completion dates for the milestones. FISMA directs agency program officials to develop, implement, and manage POA&Ms for all programs and systems they operate and control for which security weaknesses have been identified.

System Configuration Management

FISMA requires that each agency develop its own specific configuration management requirements and ensure each system is compliant with those requirements. Documenting information system changes and assessing their potential impact on the security posture of the system is an ongoing process and an essential aspect of maintaining security accreditation. System configuration management includes both the establishment and maintenance of standard system security settings and a patch management process. A robust patch management system will use risk as the determining factor in prioritizing patch management actions, to assure that the most critical vulnerable systems are addressed first.

Continuity of Operations

FISMA requires that each system security plan include provision for continuity of operations for information systems that support the operations and assets of the agency, including any information or information systems provided or managed by another agency, contractor, or other source. It is important for these plans to be clearly documented, communicated to potentially affected personnel, and updated to reflect current operations. Contingency plans provide specific instructions for restoring critical systems, including such elements as arrangements for alternative processing facilities in case the usual facilities are significantly damaged or cannot be accessed due to unexpected events such as power failures, accidental loss of files, or a major disaster. Additionally, testing of contingency plans is essential to determining whether the plans will function as intended in an emergency. FISMA requires agencies to report the number of systems that have a contingency plan and the number whose contingency plans have been tested.

Summary

FISMA codifies specific responsibilities of federal agency officials, addresses protection of agency information resources, calls for agency officials to manage risk to an appropriate level, and requires agencies to incorporate security into the life cycle of information systems. Federal agencies are spending a large portion of their time on administrative activities related to FISMA compliance. Although agencies generally reported increases in their compliance with information security requirements in 2004 as compared to 2003, analysis of key measures revealed areas where agencies face challenges. Implementing an effective information security program requires a well-designed strategy based on sound principles, a solid framework, and robust monitoring and reporting functionality. HTA is committed to helping agencies by defining a methodology that can be applied to address security requirements and identify the high-priority corrective actions necessary to achieve and maintain compliance with FISMA. In 2005, expect to hear more about FISMA and the challenges and changes in attitude toward IT security within the federal government.