Technique | NASA gets a grip on FISMA reporting
Team at Marshall builds an app to standardize, track security data
- By Trudy Walsh
- Sep 21, 2007
NASA's Marshall Space Flight Center employees develop key space transportation technologies, including some used in projects that will send astronauts to the moon and, eventually, Mars.
But they couldn't get their Federal Information Security Management Act reporting off the ground.
Bob Keasling, a project manager at the Huntsville, Ala., center, described the agency's FISMA reporting as 'spreadsheet chaos.'
FISMA requires each agency to track metrics on different functional areas of information technology security. It requires agencies to:
- Develop an agencywide security program.
- Implement and adhere to security configuration standards developed by the National Institute of Standards and Technology.
- Identify and resolve risks.
- Perform ongoing assessment and testing.
- Conduct annual reviews on the effectiveness of the agency's information security and privacy programs and report the results to the Office of Management and Budget annually.
At Marshall, some people used databases, but others used spreadsheets and other documents to collect the required security data. But there was no standard method of data collection.
Keasling and a team at Marshall ' including David Black, Vernon Bates, Jim McCraw and Raul Mejia ' developed the Information Technology Security Center, an application to automate FISMA reporting. The application is designed to integrate the data and processes needed to manage an IT security program that complies with NIST security guidance as outlined by the FISMA framework.
When users log on to the Web browser-based ITSC, the first thing they see is the FISMA summary score card for their NASA center. For each functional area, the score card shows how many things need to be completed and how many are complete. Users can drill down to individual organizations within Marshall.
ITSC is based on a strong data foundation, Keasling said, where information is gathered from authoritative sources and integrated. Before ITSC, people had to find out who had the data and then ask for their piece of it, he said. Then they had to enter it into a document and try to merge it with other data.
Now, with ITSC, much of this data entry is automated, so users can focus on analysis. More time for analysis with better data means better security. 'Our centralized system with standardized processes has improved coordination and communication,' Keasling said. 'We are on the same page.'
ITSC maintains an inventory of systems and gives IT employees the ability to generate NIST-based certification and accreditation packages, one of the requirements of FISMA. The integration of personnel, equipment, network and application data; training records; certifications; configurations; vulnerabilities, and NIST-supplied security controls helps expedite the process of generating a C&A package.
The ITSC application also provides a change management feature that helps employees meet NIST's continuous-monitoring phase of C&A. Changes are documented against a C&A package and submitted to a NASA board for approval. ITSC then sends e-mail notifications to staff members involved in the change process.
ITSC provides for data inheritance that allows common controls to be shared at the agency, site and master-plan levels. NIST uses the term common control to describe security controls that cover more than one system, Keasling said. For example, a site's IT security training and awareness program may be the same for all systems. Instead of having each system owner document how they meet this control requirement, ITSC can define it once, and all systems at that site inherit that response.
Now, about 600 IT professionals use ITSC throughout NASA. 'We've had many favorable responses from our IT peers,' Keasling said. 'They see where we're headed and are optimistic and encouraging.'
The NASA staff is 'pretty good at figuring out how to use a new system,' Keasling said. NASA's risk management team has representatives assigned to each organization who offer hands-on individual training for each person who requests an account. The ITSC staff provides a certification and accreditation guide that illustrates how to use ITSC to get an IT system certified and accredited. NASA also offers classroom instruction and online training in which users can see the instructor's desktop.