Tech Success: Making the grade
McAfee tool helps FAA meet FISMA specs
Even with a comprehensive IT security plan in place, one of the Federal Aviation Administration's first Federal Information Security Management Act compliance scores was a lowly D.
In just a year, that score rose to an A-, said Col. Michael Brown, director of information systems security at the FAA.
"FISMA really focused our effort on the information security issue," Brown said. "It has several mandates that have to be accomplished that really, if you have a sound information security program, you would do anyway. But this puts it into public law, so that in itself was a help to managing and promoting our program."
FISMA, which became law in 2002, aims to improve the computer and network security of federal agencies and uses yearly audits to measure their progress.
One of the ways the FAA improved its score was working with systems integrator Lockheed Martin Corp. to implement McAfee Inc.'s Foundstone vulnerability management solutions, said Mike Carpenter, vice president of federal operations at Santa Clara, Calif.-based McAfee.
McAfee, working with the Justice Department and the Center for Internet Security's criteria for interpreting FISMA regulations, developed a template for its Foundstone Enterprise 4.2. The template can automatically evaluate a network and assess its compliance with FISMA vulnerability and configuration requirements.
"FISMA is a huge breadth of knowledge of information and vulnerabilities, from physical to digital security, that agencies have to be aware of," Carpenter said.
The biggest obstacle to FISMA compliance is the scope of the requirements of the act, which is a framework of information rather than a list of checks.
"Because you can't manage what you can't measure," Carpenter said, "the most difficult challenge organizations have is being able to interpret those rules and break it down to individual checks that they can measure."
For the FAA, as for other federal agencies, one of the biggest challenges in coming into compliance was dealing with a high volume of information. The agency also had to decipher which reported security concerns were false positives or false negatives, and determine which issues actually needed attention.
"Like a lot of other federal agencies, we're dealing in information management and how to deal with that high volume of data coming in and make any sense of it," Brown said. "We had a certain number of critical systems that we had to put through the certification and accreditation process, and that was a tremendous workload to be able to get all those systems done."
FAA officials determined they would have to secure more than 200 systems.
FISMA scores also derive in part from an evaluation of how well an agency maintains system integrity. To address that concern, FAA officials used Foundstone to run vulnerability scans twice a week, fixing any detected vulnerabilities, Brown said.
The agency has aggressively sought specialized training for its technicians, he said. "We've also done a great job of doing security training and raising security awareness for the general workforce," he said.
The training and regular vulnerability scans together give FAA officials an accurate, up-to-date picture of what the agency's assets look like and what vulnerabilities those assets may have.
The Center for Internet Security has identified about 350 FISMA requirements. Foundstone examines outward-facing systems such as the agency's public Web pages, as well as the agency's internal lines of business, to ensure that systems meet those requirements.
"It makes sure your systems are patched and up to date against vulnerabilities," McAfee's Carpenter said. "It looks for open ports across your system that could be vulnerable, and it makes sure you meet the requirements of different operating system levels and that they're up to date."
Foundstone's network scanner, installed behind the firewalls of an organization's network, scans every asset, including switches, routers, printers and wireless devices.
After pinging those assets, Foundstone tools correlate the information and rank it, based on its risk of interrupting business continuity and sullying data integrity.
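The two steps the article describes, comparing one scan run against the previous one to see what was fixed and what is new (the twice-weekly scan cycle above), and then ranking what remains by its risk to business continuity and data integrity, can be shown in a few lines of Python. The block below is an added example written for this page; it is not Foundstone code and does not reflect how McAfee's product actually scores findings. The asset inventory, findings, severity values and scoring weights are all constructed for illustration.

```python
"""Correlate two vulnerability-scan runs and rank the open findings by risk.

Added example for this article, not McAfee/Foundstone code. All assets,
findings and weights are constructed; the scoring formula is a hypothetical
one chosen to show the idea, not a published standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FindingKey = Tuple[str, int, str]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str          # what the scanner flagged, e.g. "missing-patch:smb"
    severity: int       # 1 (low) .. 5 (critical), as reported by the scanner
    availability: int   # 0..3: impact on business continuity if exploited
    integrity: int      # 0..3: impact on data integrity if exploited


# Constructed asset inventory: criticality 1..5 and whether the host is
# reachable from outside the agency firewall (outward-facing systems).
ASSETS: Dict[str, Dict[str, object]] = {
    "www-1":   {"criticality": 4, "external": True},
    "erp-db":  {"criticality": 5, "external": False},
    "print-7": {"criticality": 1, "external": False},
}


def key(f: Finding) -> FindingKey:
    """Identity of a finding across scan runs: same host, port and check."""
    return (f.host, f.port, f.check)


def risk_score(f: Finding) -> float:
    """Hypothetical risk score: scanner severity, weighted by asset
    criticality, by the continuity/integrity impact, and by exposure."""
    asset = ASSETS[f.host]
    exposure = 1.5 if asset["external"] else 1.0
    impact = 1 + f.availability + f.integrity        # 1 .. 7
    return f.severity * int(asset["criticality"]) * impact * exposure


def diff_scans(previous: List[Finding], current: List[Finding]):
    """Split findings into resolved (gone since last run), new and persisting."""
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}
    resolved = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    new = [cur[k] for k in sorted(cur.keys() - prev.keys())]
    persisting = [cur[k] for k in sorted(cur.keys() & prev.keys())]
    return resolved, new, persisting


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken deterministically by host and port."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.port))


# Constructed sample data: the web server's patch gap was fixed between
# runs, while a critical new finding appeared on the database host.
PREVIOUS_SCAN = [
    Finding("www-1", 80, "missing-patch:web-server", 4, 3, 1),
    Finding("print-7", 9100, "open-port:jetdirect", 2, 1, 0),
    Finding("erp-db", 1433, "open-port:mssql", 3, 2, 3),
]
CURRENT_SCAN = [
    Finding("print-7", 9100, "open-port:jetdirect", 2, 1, 0),
    Finding("erp-db", 1433, "open-port:mssql", 3, 2, 3),
    Finding("erp-db", 445, "missing-patch:smb", 5, 3, 3),
]


def report(previous: List[Finding], current: List[Finding]) -> Dict[str, list]:
    """Work list for the remediation team: what closed, what opened, and
    every still-open finding in the order it should be addressed."""
    resolved, new, persisting = diff_scans(previous, current)
    return {
        "resolved": [key(f) for f in resolved],
        "new": [key(f) for f in new],
        "ranked_open": [(key(f), risk_score(f)) for f in rank(new + persisting)],
    }


if __name__ == "__main__":
    for section, rows in report(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(section)
        for row in rows:
            print("   ", row)
```

The diff step is what turns a twice-weekly scan into evidence of maintained integrity: a finding that drops out between runs is a fix you can show an auditor, while one that persists across several runs is the first thing to explain. The score deliberately multiplies in asset criticality and exposure so that the same open port ranks very differently on a public web server and on a print server.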
The tools are designed to work with agencies that, like the FAA, are large (the agency has nearly 50,000 employees) and geographically dispersed, with different bandwidth and network configurations at each of their locations.
"To correlate an enterprisewide scheme, you need a product that takes into account bandwidth and the amount of systems to scan," Carpenter said.
FAA systems, for example, range from administrative systems to the complex, integrated systems necessary to manage the national air space.
Although the FAA has been successful in raising its score, the agency will continue to need tools to maintain system integrity as it brings new systems online.
"Also, the evaluation criteria have gotten stiffer as the Office of Management and Budget continues to raise the bar through the National Institute of Standards and Technology," Brown said. "[NIST] is continually publishing more standards to meet, and that raises the bar, which is a good thing."
If you have an innovative solution that you recently installed in a government agency, contact Staff Writer Doug Beizer at firstname.lastname@example.org.