Records agency automates its FISMA process

Functional areas

IA Manager is a software tool with three broad functions:

  • Continuous assessment, which continues to 'listen' to the system for changes after the initial baseline C&A process is completed and runs automated tests as needed. This was added in 2003.

  • Process Enforcer, a new module that integrates security management across the operation, automating much of the security remediation. NARA expects to test this function within the next year.

  • Certification and accreditation, and FISMA reporting.

The government's move toward electronic documents is producing unexpected benefits for the nation's chief record-keeper.

'Information technology is shifting to become the core of our business and not just support,' said David Filbey, chief information security officer for the National Archives and Records Administration.

This realignment has made it easier for NARA to bring resources to bear on information assurance and on compliance with the Federal Information Security Management Act. The agency invested heavily last year in certifying and accrediting its IT systems, and now is automating the C&A and FISMA reporting processes.

'We reached 100 percent accreditation last year,' Filbey said. 'The goal this fiscal year is to be able to generate the majority of the FISMA data from the system.'

The core of the system is IA Manager from Xacta Corp. of Ashburn, Va. The product uses data from operational security tools to evaluate an IT system's security posture.

'That ties what's happening on a day-to-day basis to the vulnerability management system,' Filbey said.

NARA pilot-tested the tool last year before rolling it out agencywide this year. The point of the program is not just FISMA compliance, but effective information assurance, Filbey said.

'The goal is to implement an IA program with a process we can follow as part of our day-to-day operations, fully integrated in our IT management,' he said.

NARA's reorganization and its relatively small size are helping it toward this goal.

'We are the right size to move fairly quickly and be able to adjust accordingly,' Filbey said.

Not that NARA is a small organization. Although the classical National Archives building on the Mall in Washington, where the Declaration of Independence and Bill of Rights are on display, is the most familiar facility, NARA headquarters and most of its 3,000 government employees are in College Park, Md. The agency also employs 2,000 contractors and administers regional archives around the country. It helps manage the nation's presidential libraries and provides records management for other agencies as a reimbursable service.

Its holdings run into the billions of documents, recordings, photographs and other material.

'At the moment, most of that is physical records in boxes,' Filbey said, and that is what the government is trying to get away from.

NARA settled on IA Manager to help automate security management because it was designed to address the entire C&A process.

'The market has developed since our initial evaluation two years ago,' Filbey said. 'But at that time we found this tool was the only one that started with the intent of meeting the full scope of C&A, with an embedded enterprise information management tool.'

The tool was introduced in 2000 as Xacta C&A. It became IA Manager this April as more functionality was added. NARA helped in its expansion beyond a certification and accreditation tool, said Xacta chief security officer Richard P. Tracy.

'They were instrumental in leading us down this path, in helping to design the FISMA reporting capabilities,' Tracy said.

A typical Unix server takes 45 to 60 minutes to test and analyze manually, he said. IA Manager can do the test in less than two minutes. This doesn't completely eliminate the need for the human touch, however. Someone still needs to do an impact analysis of the findings and prioritize the results.

There also is a limit to how much the remediation process can be automated. When installing security patches, for instance, someone must test and validate the patches before making them available to IA Manager, and policies must be established for making corrections or changes to a system.

Although NARA's IT systems were fully certified and accredited last year, IA Manager has helped streamline the C&A process for new systems being brought online by about 75 percent.

Filbey hopes this will help C&A 'move from being a project to a process, to help us achieve and maintain a reasonable level of risk.'
