Federal Information Security Management Act of 2002: Difference between revisions

From Citizendium

Revision as of 18:51, 14 September 2009

This article is developing and not approved.

The Federal Information Security Management Act (FISMA) was enacted in 2002 as Title III of the E-Government Act of 2002, to support the goals of that Act. Without information security, it is impossible for government to deliver reliable services through electronic means. The advent of Internet delivery and cloud computing immensely complicates the security problem.

Nevertheless, there may well be solutions for these new environments, if proper perspective is kept. In any security context, there is acceptance of responsibility, as well as acceptance of risk. One long-standing approach is to place the security controls at the endpoints and treat the network itself as untrusted, encrypting everything that crosses it. When the servers are outsourced, the endpoint encryption may remain under the control of the owning agency, but audit is the main tool for checking on the server operator. Microsoft, for example, is proposing the "locking down" of desktops as one side of the security architecture;[1] the other extreme was an uncontrolled desktop admitted only through active defenses at the point of connection, as in the U.S. Department of Transportation response to Conficker (see below).

There must always be an owner for every function, but the granularity of ownership can legitimately vary for different security functions, and for different missions within a common computing utility.

Guidance for implementing FISMA comes from the Computer Security Resource Center of the Computer Security Division, National Institute of Standards and Technology. [2] There are two phases in the startup, the first of which is complete:

  1. Phase I: Standards and Guidelines Development (2003-2008)
  2. Phase II: Organizational Credentialing Program (2007-2010)

In the second phase are the activities:

  1. Training Initiative: This initiative will include development of training courses, NIST publication Quick Start Guides (QSGs), and Frequently Asked Questions (FAQs) to establish a common understanding of the NIST standards and guidelines supporting the NIST Risk Management Framework.
  2. Product and Services Assurance Assessment Initiative: This initiative will include defining criteria and guidelines for evaluating products and services used in the implementation of SP 800-53-based security controls.
  3. Support Tools Initiative: This initiative will include identifying or developing common protocols, programs, reference materials, checklists, and technical guides supporting implementation and assessment of SP 800-53-based security controls in information systems.
  4. Harmonization Initiative: Important for minimizing duplication of effort for organizations that must demonstrate compliance to both FISMA and ISO requirements, this initiative will include identifying common relationships and the mappings of FISMA standards, guidelines and requirements with:
    • ISO 27000 series information security management standards
    • ISO 9000 and 17000 series quality management, and laboratory testing and accreditation standards.

Framework

Technical definitions and framework are in Federal Information Processing Standard (FIPS) PUB 199, "Standards for the Security Categorization of Federal Information and Information Systems".[3] While the detailed guidance is in later NIST publications, FIPS 199 interprets FISMA as having three security objectives along which information and information systems are categorized:

  • Confidentiality
  • Integrity
  • Availability

and matrixes these against potential impact characterized as low, moderate and high. FIPS 199 defines each level by the adverse effect that a loss of the objective could be expected to have on organizational operations, organizational assets or individuals:

Objective        Low                     Moderate                High
Confidentiality  limited adverse effect  serious adverse effect  severe or catastrophic adverse effect
Integrity        limited adverse effect  serious adverse effect  severe or catastrophic adverse effect
Availability     limited adverse effect  serious adverse effect  severe or catastrophic adverse effect

The security category of an information type is written as the triple of (objective, impact) pairs; a system that handles several information types takes, for each objective, the highest impact among them (the "high water mark"). "Not applicable" is permitted only for confidentiality, for information that is already public.

Solution architecture

For designing FISMA implementations, the primary reference is NIST Special Publication 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations". This document catalogs security controls, not all of which apply to a particular information system: Revision 3 groups them into low, moderate and high baselines, selected by the system's FIPS 199 impact level and then tailored to the system. [4]

Those of the Management class involve initial and continuing policy decisions. The Operational class addresses procedures and validation for daily operations, while the Technical class deals with tool selection and implementation.

Identifier  Family                                 Class
AC          Access Control                         Technical
AT          Awareness and Training                 Operational
AU          Audit and Accountability               Technical
CA          Security Assessment and Authorization  Management
CM          Configuration Management               Operational
CP          Contingency Planning                   Operational
IA          Identification and Authentication      Technical
IR          Incident Response                      Operational
MA          Maintenance                            Operational
MP          Media Protection                       Operational
PE          Physical and Environmental Protection  Operational
PL          Planning                               Management
PS          Personnel Security                     Operational
RA          Risk Assessment                        Management
SA          System and Services Acquisition        Management
SC          System and Communications Protection   Technical
SI          System and Information Integrity       Operational
PM          Program Management                     Management
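As an added example (not code from the page, from NIST or from any agency), the following Python applies the FIPS 199 categorization described under Framework and the SP 800-53 baseline selection it drives: each information type carries an impact value per security objective, the system's category is the per-objective high-water mark across its information types, and the overall level names the baseline. The information types, their impact values and all function names are assumptions constructed for illustration.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example (not from the page, NIST or any agency): it implements the
categorization FIPS 199 defines, i.e. an impact level per security objective
(confidentiality, integrity, availability) aggregated across the information
types a system processes, then picks the SP 800-53 baseline keyed to the
resulting impact level. The information types and impact values below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 impact values in increasing order. "NA" (not applicable) is
# permitted only for confidentiality, e.g. for information that is public.
IMPACT_ORDER: Dict[str, int] = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact {value!r} for {objective}")
            if value == "NA" and objective != "confidentiality":
                # FIPS 199 never allows NA for integrity or availability.
                raise ValueError(f"{self.name}: NA is not allowed for {objective}")


def highest(values: Iterable[str]) -> str:
    """High-water mark: the greatest impact value among those given."""
    return max(values, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Security category of a system: per-objective high-water mark over
    every information type it stores, processes or transmits."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        objective: highest(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }


def overall_impact(security_category: Dict[str, str]) -> str:
    """Overall impact level (FIPS 200 high-water mark across objectives).
    Integrity and availability are never NA, so the result is never NA."""
    return highest(security_category.values())


def sp800_53_baseline(security_category: Dict[str, str]) -> str:
    """Name of the SP 800-53 control baseline selected by the impact level."""
    return f"SP 800-53 {overall_impact(security_category).lower()} baseline"


def format_sc(security_category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(objective, impact), ...}."""
    pairs = ", ".join(f"({o}, {security_category[o]})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed information types for a hypothetical agency portal.
SAMPLE_TYPES = [
    InfoType("press releases", "NA", "MODERATE", "LOW"),
    InfoType("citizen account records", "MODERATE", "MODERATE", "LOW"),
    InfoType("investigation case notes", "HIGH", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_sc(sc))
    print(overall_impact(sc), "->", sp800_53_baseline(sc))
```

The point a practitioner should take from the sample data is that a single high-confidentiality information type drags the whole system, press releases included, into the high baseline; the usual remedy is to split such data into its own system boundary rather than to argue the impact value down.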

Criticism

In April 2009, Senator Thomas Carper (D-Delaware) introduced two pieces of legislation to force more actual compliance and less paper reporting of hypothetical compliance.[5]

Status

On May 19, 2009, the House Subcommittee on Government Management, Organization and Procurement took testimony at the required 60-day reporting interval after start of FISMA implementation.[6] Vivek Kundra, the Federal Chief Information Officer, summarized the overall status: "recent successful breaches at the Federal Aviation Administration and at the vendor that hosts USAjobs.gov demonstrate that the current state of information security at Federal agencies is not what the American people have the right to expect. The Federal Information Security Management Act (FISMA) has been in place for 7 years. It has raised the level of awareness in the agencies and in the country at large, but we are not where we need to be." OMB identified the following key issues:[7]

  • The performance information currently collected under FISMA does not fully reflect the security posture of Federal agencies;
  • The processes used to collect the information are cumbersome, labor‐intensive, and take time away from meaningful analysis, and;
  • The Federal community is focused on compliance, not outcomes

Department of Homeland Security

At the same hearing, Margaret Graves, acting CIO of the U.S. Department of Homeland Security, spoke more specifically about implementation in a real agency.[8] DHS is both a user and a provider of FISMA-regulated cloud computing.

It provides the services through "OneNet", which not only collapsed a set of wide area networks into one but also had to reconcile policy differences among the legacy network owners, without either limiting information sharing or dropping to the lowest common level of security. To do this, DHS created mission-specific Trust Zones within the transmission infrastructure, implemented through a series of Policy Enforcement Points (PEPs).

PEPs consist of hardware and software packages positioned throughout the network, together with the corresponding management functions at the security operations center (SOC). Specifically, each PEP will include an enterprise-managed firewall to resolve the policy differences between zones, and monitoring capabilities that allow the operations center to track threats.

The major threat is phishing. "Security controls for email must be strengthened, and we are adding some email specific features to the Trusted Internet Connections that will allow us to further improve our ability to detect and respond to malicious emails."

Graves added: "Additionally, each data center now houses one of the two Trusted Internet Connections that have been designed with sophisticated threats in mind. Further, the Department’s new data centers deliver utility computing and Infrastructure as a Service, allowing DHS to realize the benefits of cloud computing while also providing the security so necessary for the threats we face today."

Systems integrator perspective

Also testifying was Samuel Chun, director of the cyber security practice of EDS' Public Sector, now a division of Hewlett-Packard.[9] Chun described the deficiencies his organization has encountered in implementing FISMA:

  • "There is too much emphasis on the generation of paper reports for compliance, certification and accreditation, and auditing."
  • The correlation between compliance and operating performance is unclear. We’ve observed that some of the most well defended agencies consistently receive poor report cards. In addition, a single grade assigned to a large and diverse agency with many components only generalizes the picture and may not, in fact, provide proper warning of a material vulnerability to mission performance to the agency’s mission owners. A more granular approach to reporting that highlights operating performance -- in addition to compliance -- will likely provide more clarity. (See the OMB guidance on granularity below.)
  • Accountability for good and poor compliance is unclear; it is not transparent how the "report cards" are used for the purposes of budgeting, rewards, and assigning accountability. "For system integrators, however, there is a clear process for receiving and maintaining the authority to operate through the certification and accreditation process that impact us directly. There should be equally transparent accountability for poor performance. We reiterate our support for the appointment of a new cyber official who can address these concerns."
  • "Compliance to FISMA measures how well an agency has accounted for, and applied risk and security management standards, processes, and plans for, information systems. The inference is that as long as the standards, processes and plans are sound, the operational security of an agency is thereby effective." He believes that direct measures may be superior to such indirect measures. Direct measures would be more rigorous, such as:
    • number of attacks defended against
    • the mean time to patch a vulnerability
    • number of incidents to which an agency has responded
    • percent of applications tested would provide more
  • Rapidly emerging threats may be outpacing compliance efforts; EDS recommends turning to US-CERT and the NSA, rather than NIST, for guidance on such threats.

Department of Transportation

There is also experience from the U.S. Department of Transportation. DOT does not, for example, "scan personal computers used for telework at a detailed level"; instead it ensures "that minimum security requirements are met". Conficker was managed by requiring that computers connecting "through the DOT secure remote access (SRA) and virtual private network (VPN) systems had active local firewalls installed, and an active antivirus solution."[10]

Reporting and reporting tools

In apparent agreement with the concern about paper reporting, OMB will require an automated reporting tool.[11] The memorandum mandating the tool also gives guidance on reporting.

Paper dependence

FISMA has been criticized, by legislators and legislative agencies, for being too dependent on manual paper procedures and not enough on specific enforcement technologies and procedures.[12]

Granularity

FAQ #6 of the OMB memorandum addresses granularity of reporting: "Agencies must provide an overall agency view of their security and privacy program but most of the topic areas also require specific responses for each of the major components (e.g., bureaus or operating divisions). Thus, the agencies’ and OMB’s report can distinguish good performing components from poor performers and more accurately reflect the overall agency performance."

References

  1. Brien M. Posey (June 2009), Running A Controlled Windows Endpoint Environment, Microsoft Corporation, http://www.infoworld.com/t/endpoint-security/wp/whitelisting-your-way-fisma-compliance-368
  2. Detailed Overview, Computer Security Resource Center, Computer Security Division, National Institute of Standards and Technology
  3. Standards for the Security Categorization of Federal Information and Information Systems, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, February 2004, FIPS PUB 199
  4. Recommended Security Controls for Federal Information Systems and Organizations (Revision 3), National Institute of Standards and Technology, August 2009, NIST Special Publication 800-53, p. II-6
  5. Ben Bain (28 April 2009), "Carper introduces bills to reform IT procurement, FISMA", Federal Computer Week, http://www.fcw.com/Articles/2009/04/28/Senate-FISMA-reform.aspx
  6. Hearing Testimony and Witness list for the Subcommittee Hearing on "The State of Federal Information Security", Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform, 19 May 2009
  7. Vivek Kundra, Federal Chief Information Officer, Office of Management and Budget (May 19, 2009), The State of Federal Information Security, Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform
  8. Margaret H. Graves, Acting Chief Information Officer, U.S. Department of Homeland Security (May 19, 2009), The State of Federal Information Security, Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform
  9. Samuel Chun, EDS Public Sector division of Hewlett-Packard (May 19, 2009), The State of Federal Information Security, Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform
  10. Jacquelyn Pattillo, Acting Chief Information Officer, U.S. Department of Transportation (May 19, 2009), The State of Federal Information Security, Subcommittee on Government Management, Organization and Procurement, U.S. House Committee on Oversight and Government Reform, http://governmentmanagement.oversight.house.gov/documents/20090519082953.pdf
  11. Jeffrey D. Zients, Deputy Director for Management, and Vivek Kundra, U.S. Chief Information Officer (August 20, 2009), FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Office of Management and Budget, M-09-29, http://www.whitehouse.gov/omb/assets/memoranda_fy2009/m09-29.pdf
  12. Ben Bain (1 July 2009), "GAO urges improvements to FISMA: An auditor recommends steps to improve information security at agencies", Federal Computer Week, http://fcw.com/articles/2009/07/01/gao-gives-advice-on-fisma-improvements.aspx