IT Security Buyer's Guide

FISMA Reform Brings Changes to Agency Security Strategies

By Teri Robinson

Federal agencies breathed a collective sigh of relief when OMB announced that significant changes would be made to FISMA and its tedious reporting guidelines. While many would agree that having to hold to FISMA has helped boost security, most abhor the periodic reporting process, which is time-consuming, costly…and static.

With FISMA reform underway and changes to the reporting structure, government organizations are quickly gearing up to accommodate the bevy of changes to FISMA and to report monthly online – a move that Jerry Davis, deputy chief information officer for IT security at NASA said would give agencies the opportunity to obtain a “near real-time understanding of risk posture, and not the production of paperwork.”

He noted that the old system of certification and accreditation was “largely ineffective” and did not “ensure a system’s security.” Davis said NASA would drop the traditional paper-based reporting structure in favor of the proposed online method.

And an amendment included in the National Defense Authorization Act currently making its way through Congress promises to add top-down support and accountability to FISMA, creating a National Office for Cybersecurity and a Federal Cybersecurity Practice Board that will guide agencies in meeting FISMA reporting requirements.

In addition, the Department of Homeland Security will assume “primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA,” according to a memo from OMB Director Peter Orszag and Cybersecurity Coordinator Howard Schmidt. Those DHS activities, the memo added, “shall be subject to general OMB oversight.”

While “OMB will be responsible for the submission of the annual FISMA report to Congress,” among other duties, “the cybersecurity coordinator will have visibility into DHS efforts to ensure federal agency compliance with FISMA and will serve as the principal White House official to coordinate interagency cooperation with DHS cybersecurity efforts,” the memo said.

The shift toward online reporting frees agencies from the rigors of periodic reporting and is a more fluid alternative, but in return it demands continuous monitoring, continuous reporting and constant vigilance. That spells changes for agencies, which must put mechanisms in place to feed continuous, online reporting while still ensuring comprehensive security and FISMA compliance.

While it is impossible for agencies to completely eliminate IT risk, they can use FISMA compliance as an opportunity to assess and mitigate risk. And although missions and objectives vary from agency to agency, there are several guidelines that apply to all government organizations. In a white paper, Tripwire underscored seven practical steps that agencies need to take to ensure that they comply with FISMA.

Gain situational awareness. An agency must assess its IT and security resources, as well as its management structure.

Reduce and monitor privileged access. The more access users have to IT resources, the greater the likelihood that security features will be disabled along the way. Limit access to only what is necessary and monitor with vigilance.

Define and enforce configuration standards. Organizations like the Center for Internet Security, the SANS Institute and the National Institute of Standards and Technology (NIST) offer guidelines to help groups define, implement and verify configurations and security settings.

Integrate and help enforce change management processes. All modifications to security and other processes bring change to the work place. Agencies must assess and manage that change.

Create a library of trusted server builds. Trusted and approved server builds can be used to deploy authorized configurations more quickly and reduce the chance of security failures.

Integrate into release management testing and acceptance procedures. Standardization and documentation are key to information security. Release management determines whether components work together.

Ensure that all production activities go through change management. Production actions must be authorized, scheduled and audited by those in charge of change management.
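The configuration-standards and trusted-build steps above only support continuous, online reporting if an agency can mechanically compare a host against its approved baseline and emit the differences. The following added example, written for this page and not taken from Tripwire's white paper or any agency tool, shows the two checks in miniature: a parsed sshd_config is compared with a baseline of required directive values, and a set of files is compared with the SHA-256 manifest of an approved build. The baseline values, the sample sshd_config, the file contents and the hashes are all constructed for illustration; a real deployment would read the live files and compare against the agency's own approved benchmark.

```python
"""Configuration-drift and file-integrity check producing a report that a
continuous-monitoring feed could submit. Illustrative code for this article,
not any vendor's or NIST's product. All baseline values, sample config text,
file contents and hashes below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed baseline in the spirit of a CIS-style SSH benchmark (assumed
# values, not quoted from any published benchmark): directive -> required value.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Constructed "current" sshd_config as it might be read from a host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
"""


@dataclass
class Finding:
    check: str       # directive name or file path
    expected: str    # baseline value or trusted hash
    actual: str      # observed value, hash, "<unset>" or "<missing>"


def parse_sshd_config(text):
    """Return {directive: value} for uncommented 'Key value' lines.
    sshd honours the first occurrence of a directive, so the first one wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def check_config(baseline, current):
    """Compare parsed settings with the baseline. An absent directive is
    reported as '<unset>' instead of passing silently: sshd then falls back to
    its compiled-in default, which the baseline cannot vouch for."""
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key, "<unset>")
        if actual != expected:
            findings.append(Finding(key, expected, actual))
    return findings


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed trusted-build manifest: path -> SHA-256 of the approved content.
APPROVED_CONTENT = {
    "/etc/pam.d/sshd": b"auth required pam_unix.so\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}
TRUSTED_MANIFEST = {path: sha256(data) for path, data in APPROVED_CONTENT.items()}

# Constructed current file contents; /etc/sudoers has been altered on the host.
CURRENT_FILES = {
    "/etc/pam.d/sshd": b"auth required pam_unix.so\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\nops ALL=(ALL) NOPASSWD: ALL\n",
}


def verify_manifest(manifest, files):
    """Report files whose hash differs from the trusted build and files from
    the build that are missing entirely."""
    findings = []
    for path, expected_hash in manifest.items():
        if path not in files:
            findings.append(Finding(path, expected_hash, "<missing>"))
            continue
        actual_hash = sha256(files[path])
        if actual_hash != expected_hash:
            findings.append(Finding(path, expected_hash, actual_hash))
    return findings


def build_report(host):
    """Assemble a JSON-serialisable drift report for one host."""
    config_findings = check_config(SSHD_BASELINE, parse_sshd_config(SAMPLE_SSHD_CONFIG))
    integrity_findings = verify_manifest(TRUSTED_MANIFEST, CURRENT_FILES)
    return {
        "host": host,
        "config_drift": [asdict(f) for f in config_findings],
        "integrity_drift": [asdict(f) for f in integrity_findings],
        "compliant": not config_findings and not integrity_findings,
    }


if __name__ == "__main__":
    print(json.dumps(build_report("host-01.example"), indent=2))
```

Run against the constructed sample, the report flags three configuration findings (PermitRootLogin, the commented-out PasswordAuthentication reported as unset, and MaxAuthTries) and one integrity finding for the altered sudoers file. Treating an unset directive as a finding rather than a pass is deliberate: a baseline that only checks values present in the file will miss a host that was never configured at all.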