Federal Information Security Management Act of 2002
Enacted in 2002, the Federal Information Security Management Act (FISMA) was passed to support the E-Government Act of 2002. Without information security, it is impossible for government to deliver reliable services through electronic means. The advent of Internet delivery and cloud computing immensely complicates the security problem.
Nevertheless, there may well be solutions for these new environments, if proper perspective is kept. In any security context, there is acceptance of responsibility, as well as acceptance of risk. A long-standing approach has been to place security at the endpoints and keep the traffic that crosses the network encrypted. When the servers are outsourced, endpoint encryption may remain under the control of the owning agency, but audit is the main tool for checking on the server operator.
Guidance for implementing FISMA comes from the Computer Security Resource Center, Computer Systems Division, National Institute of Standards and Technology. [1] There are two phases in the startup, the first of which is complete:
- Phase I: Standards and Guidelines Development (2003-2008)
- Phase II: Organizational Credentialing Program (2007-2010)
In the second phase are the activities:
- Training Initiative: This initiative will include development of training courses, NIST publication Quick Start Guides (QSG’s), and Frequently Asked Questions (FAQ’s) to establish a common understanding of the NIST standards and guidelines supporting the NIST Risk Management Framework.
- Product and Services Assurance Assessment Initiative: This initiative will include defining criteria and guidelines for evaluating products and services used in the implementation of SP 800-53-based security controls.
- Support Tools Initiative: This initiative will include identifying or developing common protocols, programs, reference materials, checklists, and technical guides supporting implementation and assessment of SP 800-53-based security controls in information systems.
- Harmonization Initiative: Important for minimizing duplication of effort for organizations that must demonstrate compliance to both FISMA and ISO requirements, this initiative will include identifying common relationships and the mappings of FISMA standards, guidelines and requirements with:
- ISO 27000 series information security management standards
- ISO 9000 and 17000 series quality management, and laboratory testing and accreditation standards.
Framework
Technical definitions and framework are in Federal Information Processing Standard (FIPS) PUB 199, "Standards for the Security Categorization of Federal Information and Information Systems".[2] While detailed guidance is in other publications, FIPS 199 interprets FISMA as having three dimensions of security categorization (confidentiality, integrity and availability) and sets these against potential impact characterized as low, medium and high:
Factor | Low | Medium | High
---|---|---|---
Confidentiality | | |
Integrity | | |
Availability | | |
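As an added illustration, not part of the original article or of FIPS 199 itself, the following Python expresses the categorization matrix above as data and applies the FIPS 199 rule for a system that carries several information types: each of the three objectives takes the highest impact assigned to it by any information type, and the system's overall level is the high-water mark across the three. The information types and their impact values are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class Impact(IntEnum):
    """Potential impact levels; ordered so that max() gives the higher level."""
    LOW = 1
    MEDIUM = 2   # FIPS 199's own term for this level is "moderate"
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """One row of impact levels across the three FIPS 199 security objectives."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        """Overall level of a system: the highest impact among its three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate the categories of all information types a system processes.
    Each objective is taken separately, so a system can be HIGH for
    confidentiality while remaining MEDIUM for integrity."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    cats = list(info_types.values())
    return SecurityCategory(
        confidentiality=max(c.confidentiality for c in cats),
        integrity=max(c.integrity for c in cats),
        availability=max(c.availability for c in cats),
    )


def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render the category in the FIPS 199 notation SC name = {(objective, impact), ...}."""
    return (f"SC {name} = {{(confidentiality, {sc.confidentiality.name.lower()}), "
            f"(integrity, {sc.integrity.name.lower()}), "
            f"(availability, {sc.availability.name.lower()})}}")


# Constructed sample: three information types hosted on one (hypothetical) agency system.
SAMPLE_INFO_TYPES: Dict[str, SecurityCategory] = {
    "public web content": SecurityCategory(Impact.LOW, Impact.MEDIUM, Impact.MEDIUM),
    "employee records": SecurityCategory(Impact.HIGH, Impact.MEDIUM, Impact.LOW),
    "incident reports": SecurityCategory(Impact.MEDIUM, Impact.MEDIUM, Impact.HIGH),
}

if __name__ == "__main__":
    system_sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc("agency system", system_sc), "->", system_sc.high_water_mark().name)
```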
Solution architecture
For designing FISMA implementations, the primary reference is NIST Special Publication 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations". This document identifies a number of security controls that may or may not be applicable to a particular information system. [3]
Those of the Management class involve initial and continuing policy decisions. The Operational class addresses procedures and validation for daily operations, while the Technical class deals with tool selection and implementation.
IDENTIFIER | FAMILY | CLASS |
---|---|---|
AC | Access control | Technical |
AT | Awareness and Training | Operational |
AU | Audit and accountability | Technical |
CA | Security assessment and authorization | Management |
CM | Configuration management | Operational |
CP | Contingency Planning | Operational |
IA | Identification and authentication | Technical |
IR | Incident response | Operational |
MA | Maintenance | Operational |
MP | Information systems media protection | Operational |
PE | Information facility physical and environmental protection | Operational |
PL | Planning | Management |
PS | Personnel security | Operational |
RA | Risk assessment | Management |
SA | System and Services Acquisition | Management |
SC | System and communications protection | Technical |
SI | System and information integrity | Operational |
PM | Program Management | Management |
Status
On May 19, 2009, the House took testimony at the required 60-day reporting interval after start of FISMA implementation.[4] Vivek Kundra, the Federal Chief Information Officer, summarized the overall status: "recent successful breaches at the Federal Aviation Administration and at the vendor that hosts USAjobs.gov demonstrate that the current state of information security at Federal agencies is not what the American people have the right to expect. The Federal Information Security Management Act (FISMA) has been in place for 7 years. It has raised the level of awareness in the agencies and in the country at large, but we are not where we need to be." OMB identified the following key issues:[5]
- The performance information currently collected under FISMA does not fully reflect the security posture of Federal agencies;
- The processes used to collect the information are cumbersome, labor-intensive, and take time away from meaningful analysis; and
- The Federal community is focused on compliance, not outcomes
At the same hearing, Margaret Graves, CIO of the U.S. Department of Homeland Security, spoke more specifically about implementation in a real agency.[6] The major initiatives began with OneNet. DHS is both a user and a provider of FISMA-regulated cloud computing.
- “OneNet” is a major Department initiative for collapsing legacy wide-area networks (WAN) into one enterprise WAN. Each major component necessarily requires a unique set of IT security policies in support of their diverse missions, and these policies must be resolved separately in order to facilitate information sharing across a single, shared, enterprise wide-area network. Without the ability to effectively resolve these policy differences at the enterprise-level, either (1) information sharing will be severely limited, or, (2) the enterprise will naturally devolve to the least common denominator at the expense of protecting sensitive mission data.
- For these reasons, the Department is transitioning all Components into mission-unique Trust Zones through the implementation of a series of Policy Enforcement Points (PEPs) beginning in 2010. PEPs are comprised of hardware and software packages positioned throughout the network, as well as appropriate management functions at the SOC. Specifically, each PEP will include an enterprise-managed firewall to resolve policy differences, and sophisticated monitoring capabilities that will provide the SOC with enhanced visibility across the entire enterprise. This enhancement will provide the ability to track and respond to sophisticated threat actors that now regularly target the Department.
- Phishing is the major attack. "Security controls for email must be strengthened, and we are adding some email specific features to the Trusted Internet Connections that will allow us to further improve our ability to detect and respond to malicious emails."
- The Department’s Data Center Consolidation Program has now delivered two world-class enterprise data centers, each with a number of enhanced security controls to ensure high-confidentiality, high-integrity and high-availability for applications residing in the data centers. Additionally, each data center now houses one of the two Trusted Internet Connections that have been designed with sophisticated threats in mind. Further, the Department’s new data centers deliver utility computing and Infrastructure as a Service, allowing DHS to realize the benefits of cloud computing while also providing the security so necessary for the threats we face today.
Criticism
FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.[7]
In April 2009, Senator Thomas Carper (D-Delaware) introduced two pieces of legislation to force more actual compliance and less paper reporting of hypothetical compliance.[8] Hearings also were held in May by the Subcommittee on Government Management, Organization and Procurement of the U.S. House Committee on Oversight and Government Reform.
References
- ↑ Detailed Overview, Computer Security Resource Center, Computer Systems Division, National Institute of Standards and Technology
- ↑ Standards for the Security Categorization of Federal Information and Information Systems, Computer Security Division, Information Technology Laboratory, National Institute for Standards and Technology, February 2004, FIPS PUB 199
- ↑ Recommended Security Controls for Federal Information Systems and Organizations (Revision 3 ed.), National Institute of Standards and Technology, August 2009, NIST Special Publication 800-53, p. II-6
- ↑ Hearing Testimony and Witness list for the Subcommittee Hearing on: "The State of Federal Information Security.", Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform, 19 May 2009
- ↑ Vivek Kundra, Federal Chief Information Officer, Office of Management and Budget (May 19, 2009), The State of Federal Information Security, Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform
- ↑ Margaret H. Graves, Acting Chief Information Officer, U.S. Department of Homeland Security (May 19, 2009), The State of Federal Information Security, Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform
- ↑ Ben Bain (1 July 2009), "GAO urges improvements to FISMA: An auditor recommends steps to improve information security at agencies", Federal Computer Week
- ↑ Ben Bain (28 April 2009), "Carper introduces bills to reform IT procurement, FISMA", Federal Computer Week