Federal Information Security Management Act FISMA

1
Federal Information Security Management
Act(FISMA)
A FISMA Reference Model

• Timothy C. Fitzgerald
• U.S. Department of State
• February 2004

2
Agenda

• History Statutes and Guidelines
• Assumptions
• FISMA Overview
• The Agency Program
• Supporting the Processes
• Plan of Actions and Milestones
• Audit and Inspection Areas
• Timeline
• Report Building
• Next Steps

3
Assumptions

• Definitions
• IT Inventory
• Accountability

4
History and Statutes

• 1929 Federal Records Act
• 1942 Federal Reports Act
• 1947 Hoover Commission
• 1949 Federal Property and Administrative
  Services Act
• 1952 Still-classified Executive Order
  establishing NSA
• 1965 Brooks Automatic Data Processing Act
  (Brooks Act)
• 1974 Privacy Act
• 1978 Inspectors General Act
• 1984 NSDD-145 National Policy for the Security
  of National Security Telecommunications and
  Information Systems
• 1988 Warner Amendment to Brooks Act
• 1987 Computer Security Act of 1987
• 1990 NSD-42 National Policy for the Security of
  National Security Telecommunications and
  Information Systems
• 1990 Chief Financial Officers Act
• 1993 Government Performance and Results Act
  (GPRA)
• 1995 Paperwork Reduction Act of 1995 OMB
  Circular A-130, App. III, Security of Federal
  Automated Information

• Executive Order 13010, Critical Infrastructure
  Protection
• Executive Order 13011, Federal Information
  Technology
• 1996 Information Technology Management Reform
  Act (renamed Clinger-Cohen Act of 1996)
• Health Insurance Portability and Accountability
  Act (HIPPA) (updating Privacy Act)
• 1997 Presidents Commission on Critical
  Infrastructure Protection releases report
• 1998 PDD-63, Protecting Americas Critical
  Infrastructures
• Government Paperwork Elimination Act (GPEA)
• 2000 Government Information Security Reform Act
  (GISRA) (formerly Thompson-Liebermann Act)
• 2001 USA Patriot Act
• 2002 Homeland Security Act (Title X
  Information Security) replaced by E-Government
  Act - Federal Information Security Management Act
  (FISMA)
• 2003 Homeland Security Presidential
  Directive/Hspd-7

5
Guidelines

• OMB Circular and Memoranda
• National Institute of Standards and Technology
  (NIST) FIPS and SP
• Committee for National Security Systems (formerly
  National Telecommunications and Information
  Systems Security Committee(NTISSC))
• Federal Information Systems Control Audit Manual
  (FISCAM)

6

This Reference Model
Senior Agency Information Systems Security Officer
7

Agency Mission
Office of Management and Budget (OMB)
Memoranda Circulars
11331 Title 40
FIPS and Special Publications
8
This Reference Model
Senior Agency Information Security Officer
Agency-wide Security Program 3544(b)
Senior Agency Officials
9

Agency-wide Security Program
Senior Agency Information Security Officer
Information Assurance Program
Office of Management and Budget (OMB)
10

Agency-wide Security Program
Security Policy Architecture Access
Controls Network Monitoring Personnel
Security Mainframe Security Education, Training
and Awareness Physical and Environmental Security

Systems Evaluations Continuity of
Services Technical Security Technical Security
Countermeasures Enterprise Network
Management Lifecycle Management Virus Program
Computer Emergency Response Capability Cryptograp
hic Services
11

Agency Information System and Programs
Mission Program Plans Information
Management Modernization Plans
Senior Agency Officials
12

Capital Investment Planning
Office of Management and Budget (OMB)
Capital Investment Process
13

Certification and Accreditation
Risk Management
Certification and Accreditation
Information Requirements
Technology Modernization Projects
Balance of Requirements and Technology vs. Vulner
abilities, Threats and Risk
14

This Reference Model
Senior Agency Information Security Officer
15
Plans of Action and Milestones

• IT Audit Findings
• IT Inspections Findings
• CA Residual Findings
• IATO
• Denials
• CIP Assessments
• Self-Assessments (NIST SP800-26)
• GAO Audits

16

Plans of Action and Milestones
Agency Head
CIO
PoAMs
Capital Investment Planning CCA
Risk Management Prioritize IT Spending Fixing
The Important Weakness first
17
Audit

• Asset Management
• Enterprise Architecture
• Technology Capital Investment Planning
• Certification and Accreditation
• Information Assurance Programs
• Agency Information System Programs

18
Inspection

• Management Controls
• Roles And Responsibility Implementation
• Policy And Procedures Implementation
• Operational Controls
• Executed Logs, Checklist, Procedural Documents
• Technical Controls
• Validation Assessments

19
FISMA Timeline
OMB FISMA Report to Congress
4th Quarter PoAMS
1st Quarter PoAMS
3rd Quarter PoAMS
2nd Quarter PoAMS
Agency Corrective Action Plans
Oct Nov Dec Jan Feb Mar
Apr May Jun Jul Aug Sep
Agency FISMA Report
20
Building the Report

• Clearly Defined Roles And Responsibilities
• An Approved Agency-wide Security Plan
• An IT Asset And Logistic Process
• Realistic Certification And Accreditation Process
  And Schedule
• Integration Of The POAM Reporting Into The
  Management Process
• Cross Statute Issues
• Rollup Of Inspections And Audit Findings

21
Next Steps

• Modify Audit And Inspection Guidelines
• Plan Security Program Reviews
• Fiscal Timeline For Reporting
• Rollup Results To FISMA Report

22
A FISMA Model

• Questions
• Timothy C. Fitzgerald
• U.S. Department of State
• Fitzgeraldtc_at_state.gov
• 703-284-2650