Agencies get a tool for measuring their security
Reporting metrics assess automation, real-time monitoring
The Homeland Security Department has issued metrics for reporting agency cybersecurity status that focus on the ability to automate system monitoring and security controls.
The fiscal 2011 Federal Information Security Management Act reporting metrics for CIOs, released June 1, reflects an evolving emphasis in FISMA compliance on real-time understanding and risk management. The questions are not limited to checklist compliance.
“The intent is to gather information on best practices and agency implementation status beyond minimal requirements,” the document states.
Cyber bill's FISMA mandate could be a step backward
NIST document 'brings it all together' on FISMA
FISMA, enacted in 2002, provides the regulatory framework for IT security in civilian agencies and has been criticized almost from its inception as an expensive paperwork exercise that has not measurably improved security. Although the law itself has not been significantly revised, reporting requirements have shifted to put a greater emphasis on meaningful, real-time assessments.
The National Institute of Standards and Technology, which is charged with providing standards for FISMA security controls and guidelines for compliance, has defined a risk management framework as part of this effort.
“The [framework] provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle,” according to the NIST Computer Security Division’s annual report for 2010.
The framework also is part of a broader collaboration by NIST, the intelligence community and the Defense Department. This effort will provide a unified information security framework for the federal government by harmonizing IT security requirements between the civilian agencies, which are covered by FISMA, with military and national security IT systems.
NIST called the release in 2010 of its revision of Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," a historic point in that effort. It provides a “a completely new approach for federal agencies to take to information security.”
The Computer Security Division last year also issued 15 new special publications and released eight drafts, covering subjects from WiMax and Bluetooth to secure Domain Name System deployment and cryptography.
Security standards development is the first phase of NIST’s FISMA implementation efforts. Phase II is building common understanding and reference guides for organizations applying the Risk Management Framework. The Computer Security Division has made available two databases for users to access the security controls specified in SP 800-53. As part of Phase II, updates will be completed in fiscal 2011 for:
- SP 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View.
- SP 800-30, Risk Management Guide for Information Technology Systems.
- SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.
The CIO reporting requirements call for agencies to report the number of agency- and contractor-operated systems categorized at high-, moderate- or low-impact levels for a security breach, along with the level at which they have been authorized to operate, and the number of systems using a public cloud.
Individual assets to be reported include laptops and personal mobile devices as well as routers in the network, and include information on their ability to use the Security Content Automation Protocols to produce data about them. In assessing data protection, agencies must enumerate laptops, netbooks and tablet PCs, BlackBerrys, smart phones, USB devices and other devices accessing networks, and their ability to encrypt data.
Agencies also are to report on their ability to remotely detect and block unauthorized software on the network, including their capability to use the Common Vulnerabilities and Exposures database.
Information also is requested on remote access controls, the deployment of DNS Security Extension Protocols, and the level of continuous monitoring for network systems.