United States Department of the Interior

Federal Information Security Management Act (FISMA)

April 2008

Larry Ruffin & Joe Seger

Agenda

FISMA - It’s about enabling mission success through the protection of our sensitive agency information.

Federal Legislation & Directives

BIG PICTURE

Roles and Responsibilities
• Mission Executives & Chief Information Officers
• System Owners & Information System Security Managers

Certification & Accreditation
• Assessments, Audits, Evaluations and Testing
• Plans of Actions and Milestones

Enabling Efficient Mission Delivery and Success
• Mission Efficiency through Business and Information Technology Integration
• Integrating Risk Management into the Enterprise

Federal Legislation & Directives - Driving IT Security Improvements

E-Government Act of 2002 - Public Law 107-347
• Enhance management and promote e-Gov services/processes
• Title III - FISMA: Develop and maintain minimum controls to protect Federal systems
• Section 208 - Privacy Provisions: Protect the privacy of personal information

OMB Circular A-130 (Office of Management and Budget)
• Policy for the management of Federal information resources
• Requires protection commensurate with risk and magnitude of harm
• Requires security’s role to be explicit in IT investments and capital programming
• Appendix III - Security of Federal Automated Information Resources: Minimum set of controls for Federal information security programs
  • Requires a security plan for information systems
  • Requires reviews of security controls

Big Picture

Federal Information Security Management Act
E-Government Act
Presidential Management Agenda

Security program elements shown in the Big Picture diagram: C&A, CIRT, SATE, PM, Assessments, CIP, EA (IS), Capital Planning, Patch Mgmt, System & Program POA&Ms, Asset Inventory, Security Program

E-Gov:
• Enhance management and promote electronic Government services and processes
• Establish a Federal CIO in OMB
• Establish a framework of measures
• Enhance citizen access to Government information and services

FISMA (Title III of E-gov):
• Comprehensive framework to ensure effectiveness of system controls
• Recognize highly networked nature of Federal computing
• Minimum controls required to protect Federal Information

PMA:
• Strategic management of human capital
• Budget and performance integration
• Competitive sourcing
• Electronic-Government
• Improved financial management

FISMA – Programs that make up a comprehensive security program.

Protecting our critical infrastructure, responding quickly to incidents, educating the community, assessing ourselves, planning for security from the start, and of course documenting proof of what we have done and performing risk analysis and management through C&A: these are just a few of the elements that FISMA mandates, but how do we know it’s effective?

E-Gov – It measures how well we are managing our e-business and how well our business is serving U.S. citizens. E-Gov mandates reporting on how well we are managing electronic services, but how do we know we are working toward the same goal as the rest of the Federal Government?

PMA – Managing human capital, budget and performance, competitive sourcing, and the financial services we provide is essential to carrying out an efficient, accurate, and effective mission, for which we are accountable. The electronic-Government mission is the common thread that runs through all missions. It supports them all, so it must be planned for, properly implemented, protected, and reviewed periodically, all in an efficient manner.

Integration is the key to making this all work together and to optimizing resources.

Roles & Responsibilities

Mission Executives (Business Process Owners)
• Responsible to ensure security controls commensurate with risk (control the budget and the requirements)
• Missions require the deployment of systems before relevant IT security disciplines are defined, integrated, and standardized

Chief Information Officers
• Ensure compliance with security requirements while enabling the mission
• Provide assurance of security effectiveness

Roles & Responsibilities

System Owner
• Procures, implements, and integrates information systems
• Represents mission priorities and security requirements to the Designated Approving Authority (DAA), supporting risk-based decisions
• Makes judgments on independent advice of reasonable risk

Information System Security Manager
• Ensures systems are Certified and Accredited
• Implements agency policies and standards
• Coordinates with system owners and business process owners
• Balances mission risk in consideration of IT Security risks

Certification and Accreditation

Accountability for:

Adequate safeguards and countermeasures are employed within information systems.

Information system safeguards and countermeasures are effective in their application.

Risk to organizational operations, assets, individuals, other organizations, and the Nation is explicitly understood and accepted by leaders at all levels.

Certification and Accreditation

Federal Information Systems

An information system used or operated by an executive agency (of the federal government), by a contractor of an executive agency, or by another organization on behalf of an executive agency.

Federal information systems process, store, and/or transmit federal information.

Authorization decisions for federal information systems are an inherently federal responsibility and cannot be delegated to other than federal officials.

Certification and Accreditation

Accreditation Boundary

All components of an organizational information system to be accredited by an authorizing official; excludes separately accredited systems, to which the information system is connected.

Defines the scope of protection for the organizational information system (i.e., what the organization agrees to protect under its direct control).

Includes the people, processes, and technologies that are part of the information system supporting enterprise missions and business processes.

Certification and Accreditation

Four Phase C&A Process
1. Initiation Phase
2. Certification Phase
3. Accreditation Phase
4. Continuous Monitoring Phase

Expressed within the context of the NIST Risk Management Framework as follows…

C&A Risk Management Framework

Starting Point:
1. CATEGORIZE Information System
2. SELECT Security Controls
3. SUPPLEMENT Security Controls
4. DOCUMENT Security Controls
5. IMPLEMENT Security Controls
6. ASSESS Security Controls
7. AUTHORIZE Information System
8. MONITOR Security Controls (the cycle then repeats)
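Added example, not from the original slides: the CATEGORIZE and SELECT steps of the framework above, worked through in Python. It applies the FIPS 199 rule that a system's level for each security objective (confidentiality, integrity, availability) is the highest level among the information types the system processes, stores or transmits, with a LOW floor at the system level even when an information type is "not applicable" for confidentiality, and then the FIPS 200 high-water mark that picks the SP 800-53 control baseline. The information types, their impact levels and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Impact levels from FIPS 199, lowest to highest. NOT_APPLICABLE is allowed
# only for the confidentiality of an information type (e.g., public data).
NOT_APPLICABLE = "NOT_APPLICABLE"
RANK = {NOT_APPLICABLE: -1, "LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type (FIPS 199 / SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject unknown levels and NOT_APPLICABLE outside confidentiality.
        for obj in OBJECTIVES:
            lvl = getattr(self, obj)
            if lvl not in RANK:
                raise ValueError(f"{self.name}: bad {obj} level {lvl!r}")
            if lvl == NOT_APPLICABLE and obj != "confidentiality":
                raise ValueError(f"{self.name}: {obj} may not be NOT_APPLICABLE")


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """CATEGORIZE step (FIPS 199). For each objective the system level is the
    highest level among the information types it handles. The system never
    drops below LOW on any objective, even if every information type is
    NOT_APPLICABLE for confidentiality (the FIPS 199 system-level floor)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    sc = {obj: "LOW" for obj in OBJECTIVES}
    for it in info_types:
        for obj in OBJECTIVES:
            lvl = getattr(it, obj)
            if RANK[lvl] > RANK[sc[obj]]:
                sc[obj] = lvl
    return sc


def high_water_mark(sc: Dict[str, str]) -> str:
    """FIPS 200: the overall impact level is the highest of the three objectives."""
    return max((sc[obj] for obj in OBJECTIVES), key=RANK.__getitem__)


def select_baseline(sc: Dict[str, str]) -> str:
    """SELECT step: the high-water mark picks the SP 800-53 baseline, which the
    organization then tailors and SUPPLEMENTs based on its risk assessment."""
    return f"SP 800-53 {high_water_mark(sc)} baseline"


def format_category(system_name: str, sc: Dict[str, str]) -> str:
    """Render the FIPS 199 notation: SC system = {(C, x), (I, y), (A, z)}."""
    triples = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{triples}}}"


# Constructed sample data; not a real Interior system or information type.
SAMPLE_TYPES = [
    InfoType("Public web content", NOT_APPLICABLE, "LOW", "LOW"),
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Wildfire dispatch", "LOW", "HIGH", "HIGH"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_category("example system", sc))
    print("Overall impact:", high_water_mark(sc))
    print("Baseline:", select_baseline(sc))
```

The sample system lands on a HIGH baseline because a single information type is HIGH for integrity and availability, which is the point of the high-water mark: one mission-critical information type raises the protection required for everything co-located with it, and that is what drives the accreditation boundary decisions later in the process.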

Types of Controls

Management Controls
• Security Planning
• Risk Assessment
• System and Services Acquisition
• Certification, Accreditation, and Security Assessments

Operational Controls
• Security Awareness and Training
• Configuration Management
• Contingency Planning
• Media Protection
• Physical and Environmental Protection
• System and Information Integrity
• Incident Response
• System Maintenance
• Personnel Security

Technical Controls
• Access Control
• Auditing and Accountability
• Identification and Authentication
• System and Communications Protection

Assessments, Audits, Evaluations and Testing - Part of the IT Security Program

Plans of Actions and Milestones

Audit or Assessment Findings:
• Identified vulnerabilities and weaknesses
• Documented on program- or system-level POA&Ms
• Corrective/mitigating action plans tracked to resolution

“I found a weakness!”

IT System Lifecycle

Plan → Design → Build → Test → Deploy → Operate → Dispose

Stakeholders: Mission, Customers, Suppliers, Partners, Employees

IT Security Lifecycle

Plan → Design → Build → Test → Deploy → Operate → Dispose

Security activities across the lifecycle: Identify Risks, Implement Controls, Inspect Controls, Resolve Weaknesses, Monitor & Respond, Capital Planning & Investment

Enabling Efficient Mission Delivery and Success

“Baking-in” IT Security & Privacy Protections

Information security requirements must be considered first order requirements and are critical to mission and business success.

An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.

Enabling Mission Efficiency through Information Technology

Mission – Provide what’s needed to get the job done

Challenge – Meet mission and security needs and remain effective

Critical assets are frequently updated and customized

Business solutions require interconnections to internal and external systems

Security of interconnections relies on cooperation and integration


NIST Computer Security Division & OMB Sites

Computer Security Resource Center (CSRC) library
http://csrc.nist.gov/index.html

Federal Information Processing Standard (FIPS) publications (FIPS 199 and 200)
http://csrc.nist.gov/publications/fips

Special Publications (SP) 800 Series (primarily SP 800-18, 800-34, 800-37, 800-47, 800-53, 800-53A and 800-60)
http://csrc.nist.gov/publications/nistpubs/index.html

OMB Memoranda M-07-19, M-06-19, M-05-15, M-04-25 and M-03-19
http://www.whitehouse.gov/omb/memoranda/index.html