Transcript Slide 1

United States Department of the Interior
Federal Information Security Management Act (FISMA)
April 2008
Larry Ruffin & Joe Seger
Agenda

FISMA - It’s about enabling mission success through the protection of our sensitive agency information.

• Federal Legislation & Directives
• Big Picture
• Roles and Responsibilities
  - Mission Executives & Chief Information Officers
  - System Owners & Information System Security Managers
• Certification & Accreditation
  - Assessments, Audits, Evaluations and Testing
  - Plans of Actions and Milestones
• Enabling Efficient Mission Delivery and Success
  - Mission Efficiency through Business and Information Technology Integration
  - Integrating Risk Management into the Enterprise
Federal Legislation & Directives - Driving IT Security Improvements

• E-Government Act of 2002 - Public Law 107-347
  - Enhance management and promote e-Gov services/processes
  - Title III - FISMA: develop and maintain minimum controls to protect Federal systems
  - Section 208 – Privacy Provisions: protect the privacy of personal information
• OMB Circular A-130 (Office of Management and Budget)
  - Policy for the management of Federal information resources
  - Requires protection commensurate with risk and magnitude of harm
  - Requires that security’s role be explicit in IT investments and capital programming
  - Appendix III - Security of Federal Automated Information Resources
    - Minimum set of controls for Federal information security programs
    - Requires a security plan for information systems
    - Requires reviews of security controls
Big Picture

Presidential Management Agenda (PMA):
• Strategic management of human capital
• Budget and performance integration
• Competitive sourcing
• Electronic-Government
• Improved financial management

E-Government Act (E-Gov):
• Enhance management and promote electronic Government services and processes
• Establish a Federal CIO in OMB
• Establish a framework of measures
• Enhance citizen access to Government information and services

FISMA (Title III of E-Gov):
• Comprehensive framework to ensure effectiveness of system controls
• Recognize highly networked nature of Federal computing
• Minimum controls required to protect Federal Information
Federal Information Security Management Act

[Diagram: the elements that make up a FISMA security program, arranged around the Security Program: C&A, CIP, Asset Inventory, CIRT, SATE, EA (IS), System & Program POA&Ms, Patch Mgmt, Assessments, Capital Planning, PM]
FISMA – Programs that make up a comprehensive security program.

Protecting our Critical Infrastructure, responding quickly to incidents, educating the community, assessing ourselves, planning for security from the start, and of course documenting proof of what we have done and performing risk analysis and management through C&A: these are just a few of the elements that FISMA mandates, but how do we know it’s effective?

E-Gov – It measures how well we are managing our e-business and how well our business is serving the U.S. citizens. E-Gov mandates reporting on how well we are managing electronic services, but how do we know we are working toward the same goal as the rest of the Federal Government?

PMA – Managing human capital, budget and performance, competitive sourcing, and the financial services we provide is essential to carrying out an efficient, accurate, and effective mission, for which we are accountable. The electronic-Government mission is the common thread that runs through all missions. It supports them all, so it must be planned for, properly implemented, protected, and reviewed periodically, all in an efficient manner.

Integration is the key to making this all work together and to optimizing resources.
Roles & Responsibilities

Mission Executives (Business Process Owners)
• Responsible for ensuring security controls commensurate with risk (control the budget and the requirements)
• Missions require the deployment of systems before relevant IT security disciplines are defined, integrated, and standardized

Chief Information Officers
• Ensure compliance with security requirements while enabling the mission
• Provide assurance of security effectiveness
Roles & Responsibilities

System Owner
• Procures, implements, and integrates information systems
• Represents mission priorities and security requirements to the Designated Approving Authority (DAA), supporting risk-based decisions
• Makes judgments on independent advice of reasonable risk

Information System Security Manager
• Ensures systems are Certified and Accredited
• Implements agency policies and standards
• Coordinates with system owners and business process owners
• Balances mission risk in consideration of IT Security risks
Certification and Accreditation

Accountability for:
• Adequate safeguards and countermeasures are employed within information systems.
• Information system safeguards and countermeasures are effective in their application.
• Risk to organizational operations, assets, individuals, other organizations, and the Nation is explicitly understood and accepted by leaders at all levels.
Certification and Accreditation

Federal Information Systems
• An information system used or operated by an executive agency (of the federal government), by a contractor of an executive agency, or by another organization on behalf of an executive agency.
• Federal information systems process, store, and/or transmit federal information.
• Authorization decisions for federal information systems are an inherently federal responsibility and cannot be delegated to other than federal officials.
Certification and Accreditation

Accreditation Boundary
• All components of an organizational information system to be accredited by an authorizing official; excludes separately accredited systems to which the information system is connected.
• Defines the scope of protection for the organizational information system (i.e., what the organization agrees to protect under its direct control).
• Includes the people, processes, and technologies that are part of the information system supporting enterprise missions and business processes.
Certification and Accreditation

Four Phase C&A Process
• Initiation Phase
• Certification Phase
• Accreditation Phase
• Continuous Monitoring Phase

Expressed within the context of the NIST Risk Management Framework as follows…
C&A Risk Management Framework

[Diagram: the NIST Risk Management Framework cycle, read from the Starting Point: CATEGORIZE Information System → SELECT Security Controls → SUPPLEMENT Security Controls → DOCUMENT Security Controls → IMPLEMENT Security Controls → ASSESS Security Controls → AUTHORIZE Information System → MONITOR Security Controls, which feeds back to the start of the cycle]
Types of Controls

Management Controls:
• Security Planning
• Risk Assessment
• System and Services Acquisition
• Certification, Accreditation, and Security Assessments

Operational Controls:
• Security Awareness and Training
• Configuration Management
• Contingency Planning
• Media Protection
• Physical and Environmental Protection
• System and Information Integrity
• Incident Response
• System Maintenance
• Personnel Security

Technical Controls:
• Access Control
• Auditing and Accountability
• Identification and Authentication
• System and Communications Protection
Assessments, Audits, Evaluations and Testing

Part of the IT Security Program.

Plans of Actions and Milestones

Audit or Assessment Findings:
• Identified vulnerabilities and weaknesses
• Documented on program- or system-level POA&Ms
• Corrective/mitigating action plans tracked to resolution
IT System Lifecycle

[Diagram: lifecycle phases Plan → Design → Build → Test → Deploy → Operate → Dispose, surrounded by the stakeholders Customers, Suppliers, Employees and Mission Partners]

IT Security Lifecycle

[Diagram: the same phases (Plan → Design → Build → Test → Deploy → Operate → Dispose) with the security activities overlaid on them: Identify Risks, Implement Controls, Capital Planning & Investment, Monitor & Respond, Inspect Controls, Resolve Weaknesses]
Enabling Efficient Mission Delivery and Success

“Baking-in” IT Security & Privacy Protections
• Information security requirements must be considered first order requirements and are critical to mission and business success.
• An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.
Enabling Mission Efficiency through Information Technology

• Mission – Provide what’s needed to get the job done
• Challenge – Meet mission and security needs and remain effective
  - Critical assets are frequently updated and customized
  - Business solutions require interconnections to internal and external systems
  - Security of interconnections relies on cooperation and integration

[Diagram: the stakeholders Customers, Suppliers, Employees and Mission Partners]
NIST Computer Security Division & OMB Sites

• Computer Security Resource Center (CSRC) library: http://csrc.nist.gov/index.html
• Federal Information Processing Standard (FIPS) publications - FIPS 199 and 200: http://csrc.nist.gov/publications/fips
• Special Publications (SP) - 800 Series (primarily 800-18, 34, 37, 47, 53, 53A and 60): http://csrc.nist.gov/publications/nistpubs/index.html
• OMB Memoranda - M07-19, 06-19, 05-15, 04-25 and 03-19: http://www.whitehouse.gov/omb/memoranda/index.html