Another View: Wake up before FISMA kicks you out of bed

Rick Tracy

Agencies guilty of snoozing through the Federal Information Security Management Act requirements will get a rude, if predictable, awakening when the compliance alarm sounds this Dec. 17. Federal agencies must by that date develop, document and implement FISMA programs to secure information and systems that support their operations.

No easy undertaking, FISMA compliance requires agencies to demonstrate their security management policies, procedures, accountability and progress.

Most agencies are far behind in completing mandated FISMA certification and accreditation. Challenged with finite resources, they must trade off between implementing real security projects and wrestling the paper tiger of FISMA reporting.

Many have made tangible security projects a higher priority than FISMA compliance. They risk the wrath of the Office of Management and Budget bean counters.

But it is possible to tackle both issues at once. Here are eight steps that meet both FISMA and security requirements:
    1. Identify and classify applications and systems. Use Federal Information Processing Standard 199, which categorizes the risk level of information and systems, to map the major applications and infrastructure and assign levels of concern.

    2. Develop a playbook for FISMA guidance in your agency. This baseline documentation will provide consistency across bureaus and ensure the overall responsiveness of the department's submissions.

    3. Determine initial security exposures. Use commercial tools to identify technical system vulnerabilities. Such tools help you to determine if the appropriate technical controls are in place.

    4. Ensure management commitment and make sure managers give team members responsibility for executing security programs.

    5. Complete the National Institute of Standards and Technology's 800-26 Self-Assessment questionnaire for both major applications and general support systems. Using the Security Assessment Framework proficiency standard, assign each item identified on the checklist a grade on a scale of 1 to 5. OMB expects agencies to show progress by moving up the scale year after year.

    6. Perform system-by-system certification testing, which is more formal and structured than the NIST self-test. Go beyond the technical controls of a vulnerability assessment to include assessing managerial and operational controls.

    7. Analyze test results, and adjust strategy. Actions taken in steps 5 and 6 complete the testing. Now you must analyze the results to determine the potential impact of your systems' weaknesses or gaps. Create or update the system security plan, a formal document based on NIST 800-18 or the System Security Authorization Agreement as specified in the Defense Department IT Security Certification and Accreditation Process or the National Information Assurance Certification and Accreditation Process.

    8. Prepare a plan of action and milestones. Include a plan to rectify all the unacceptable risks identified as a result of the analysis.

Agencies need not choose between security projects and security reporting. With the right plan of action, they can have both.

Rick Tracy, senior vice president of Xacta Corp. of Ashburn, Va., holds several software patents.
