The Federal Information Security
Management Act (FISMA):
An Auditor’s View
Presented by Loren Schwartz,
CPA, CISSP, CISA, CIPP
February 2015
Agenda
• What Is FISMA?
• NIST Framework
• How To Perform a FISMA Audit
• Future of FISMA
2
What Is FISMA?
It's the great irony of our Information Age –
the very technologies that empower us to
create and to build also empower those who
would disrupt and destroy.
– President Barack Obama, May 29, 2009
3
What Is FISMA?
Given the rapid agility of those seeking to compromise
Federal systems and data, the Federal Government
needs a consistent, central, and repeatable method for
identifying cybersecurity threats and vulnerabilities.
– Office of Management and Budget (OMB) Memorandum M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal
Information Security and Privacy Management Practices
4
What Is FISMA?
• The Federal Information Security
Modernization Act (FISMA)
– Formerly known as the Federal
Information Security Management Act and
Title III of the E-Government Act of 2002
– Serves as a framework to manage risk and
ensure the confidentiality, availability, and
integrity of federal information and
information systems
5
What Is FISMA?
• FISMA (cont.)
– Assigns specific development,
management, oversight, and reporting
responsibilities to two federal
agencies:
• The National Institute of Standards and
Technology (NIST)
• The Office of Management and Budget
(OMB)
6
What Is FISMA?
• FISMA establishes the following roles and
responsibilities for the IT security
management team:
– Agency Head
• Is ultimately accountable for protecting the agency’s
systems
• Must include security as part of strategic and
operational planning
• Assigns responsibility for compliance to Chief
Information Officers (CIOs)
7
What Is FISMA?
• FISMA roles and responsibilities (cont.):
– Inspector General
• Performs an annual independent evaluation of the
agency’s security program
– The evaluation must include testing the effectiveness of
information security policies, procedures, and practices of a
representative subset of the agency's information systems.
8
What Is FISMA?
• FISMA roles and responsibilities (cont.):
– Chief Information Officer
• Designates a senior information security officer
• Is accountable for the agency-wide security program
• Develops and implements policies, procedures, and
controls
• Provides quarterly progress reports to OMB
9
What Is FISMA?
• FISMA roles and responsibilities (cont.):
– Information System Security Officer (ISSO)/Chief
Information Security Officer (CISO)
• Carries out responsibilities delegated by the CIO
– Security is the ISSO’s primary responsibility
• Maintains professional qualifications
10
What Is FISMA?
• FISMA roles and responsibilities (cont.):
– Program Officials and System Owners
• Assess risk and test controls
• Update system documentation
• Ensure that systems are certified and accredited (SA&A)
11
What Is FISMA?
[FISMA] requires each federal agency to
develop, document, and implement an
agency-wide program to provide information
security for the information and information
systems that support the operations and
assets of the agency, including those provided
or managed by another agency, contractor, or
other source.
– NIST website
What Is FISMA?
• FISMA is intended to assist federal agencies in
standardizing their security control selection and
assessment by providing:
– A consistent framework for protecting information at the
federal level
– Effective management for information security risks
– Assistance in developing adequate controls to protect
information and systems
– A mechanism for effective oversight of federal security
programs
13
What Is FISMA?
• FISMA is probably the most criticized law since Prohibition.
– That MAY be an overstatement
• When implemented poorly, FISMA is an exercise in
paperwork.
• When implemented well, FISMA can be the cornerstone of a
well-designed, well-implemented, and well-managed
information security program.
14
What Is FISMA?
• FISMA requires agencies to submit quarterly reports to OMB
on the status of their information security program.
– OMB sets reporting standards annually; these standards have become
more stringent over time
– The quarterly reports consist of the annual report and three quarterly
updates in December, March, and June
– These reports are also submitted to other groups, including:
• House Committees on Government Reform and Science
• Senate Committees on Government Affairs and Commerce, Science, and
Transportation
• Authorization and appropriations committees for each individual agency
of Congress
• Government Accountability Office
15
NIST Framework
• FISMA granted NIST responsibility for
developing information security
standards and guidelines for federal
information systems other than those
designated as national security
systems.
– Information security standards include
NIST’s Federal Information Processing
Standards (FIPS)
– Guidelines include Special Publications
(SPs) in the 800 series
• FISMA also assigned NIST specific
responsibilities.
16
NIST Framework
17
NIST Framework
• Knowledge of these and other NIST publications is essential
for FISMA compliance. Such publications include:
– Standards to be used by federal agencies to categorize
information and information systems based on the objectives of
providing appropriate levels of information security according to
a range of risk levels
– Guidelines recommending the types of information and
information systems to be included in each category
– Minimum information security requirements (management,
operational, and technical security controls) for information and
information systems in each such category
18
NIST Framework
Helpful NIST Publications:
NIST Publication – Description
FIPS Publication 199 – Security Categorization
FIPS Publication 200 – Minimum Security Requirements
NIST SP 800-18, Rev. 1 – Security Planning
NIST SP 800-30, Rev. 1 – Risk Management
NIST SP 800-34, Rev. 1 – Contingency Planning
NIST SP 800-37, Rev. 1 – Certification & Accreditation
NIST SP 800-53, Rev. 4 – Recommended Security Controls
NIST SP 800-53A, Rev. 4 – Security Control Assessment
NIST SP 800-60, Rev. 1 – Security Category Mapping
19
NIST Framework
• FIPS 199, Standards for the Security Categorization of
Federal Information and Information Systems
– FIPS 199 is the standard used by federal agencies to
categorize information and information systems based on the
objective of providing appropriate levels of information
security according to a range of risk levels.
– Information systems are categorized as low, moderate, or
high risk based on the confidentiality, integrity, and
availability security requirements necessary to protect the
data/information processed, stored, or transmitted by the
information system.
20
NIST Framework
• FIPS 200, Minimum Security Requirements for
Federal Information and Information Systems
– FIPS 200 provides the minimum information security
requirements for information and information systems in
each security category defined in FIPS 199.
– It requires agencies to use NIST SP 800-53 for their
baseline security control requirements.
21
NIST Framework
• NIST SP 800-18, Rev. 1, Guide for Developing Security
Plans for Federal Information Systems
– NIST SP 800-18, Rev. 1 defines the format and content for
security plans, as required by OMB Circular A-130.
– The main functions of the security plan include:
• Providing an overview of the system’s security requirements
• Describing the controls in place or planned for meeting those
requirements
• Delineating responsibilities and expected behavior for all
individuals who access the system
• Documenting the structured process of planning adequate, cost-effective security protection for the system
22
NIST Framework
• NIST SP 800-30, Rev. 1, Risk Management Guide for
Information Technology Systems
– NIST SP 800-30, Rev. 1 provides definitional and practical guidance
regarding the concept and practice of managing IT-related risks.
– Risk management provides balance between the operational
objectives and economic costs of protective measures. It:
• Enables agencies to better secure IT systems that store, process, or
transmit organizational information
• Enables management to make well-informed risk management
decisions to justify expenditures
• Assists management in authorizing (or accrediting) IT systems
23
NIST Framework
• NIST SP 800-34, Rev. 1, Contingency Planning Guide
For Federal Information Systems
– NIST SP 800-34, Rev. 1 provides instructions,
recommendations, and considerations for government IT
contingency planning.
– It provides specific contingency planning
recommendations for seven IT platforms and includes
strategies and techniques common to all systems.
24
NIST Framework
• NIST SP 800-37, Rev. 1, Guide to Apply the Risk Management
Framework to Federal Information Systems
– NIST SP 800-37, Rev. 1 establishes a six-step risk management
framework for federal information systems:
• Categorize the Information System
• Select Security Controls
• Implement Security Controls
• Assess Security Controls
• Authorize the Information System
• Monitor the Security Controls
– This SP applies to all federal information systems other than those
designated as national security systems, as defined in the Federal
Information Security Management Act of 2002.
25
NIST Framework
• NIST SP 800-53, Rev. 4, Recommended Security
Controls for Federal Information Systems and
Organizations
– NIST SP 800-53, Rev. 4 is intended to provide guidelines for
selecting and specifying security controls for information
systems.
– It applies to all federal information systems other than
those designated as national security systems, as defined
in 44 U.S.C., Section 3542.
26
NIST Framework
• NIST SP 800-53, Rev. 4 (cont.)
– This SP was broadly developed from a technical
perspective in order to complement similar guidelines
issued by agencies and offices operating or exercising
control over national security systems.
– It provides guidance to federal agencies in accordance with
FIPS 200, Minimum Security Requirements for Federal
Information and Information Systems.
27
NIST Framework
• NIST categorizes FISMA principles into 18 security
control families, which can be found in NIST SP 800-53,
Recommended Security Controls for Federal Information
Systems and Organizations
– Each control area contains numerous requirements based on
the sensitivity level of the system.
– NIST controls often cover most of the controls included in
other frameworks, such as International Organization for
Standardization (ISO) and Payment Card Industry Data
Security Standard (PCI DSS).
28
NIST Framework
Management Controls
• RA – Risk Assessment
• PL – Planning
• SA – System & Services Acquisition
• CA – Security Assessment & Authorization
• PM – Program Management
Operational Controls
• PS – Personnel Security
• PE – Physical & Environmental Protection
• CP – Contingency Planning
• CM – Configuration Management
• MA – Maintenance
• MP – Media Protection
• IR – Incident Response
• AT – Awareness & Training
Technical Controls
• IA – Identification & Authentication
• AC – Access Control
• AU – Audit & Accountability
• SC – System & Communications Protection
• SI – System & Information Integrity
29
NIST Framework
• NIST SP 800-53A, Rev. 4, Guide for Assessing the
Security Controls In Federal Information Systems
– NIST SP 800-53A, Rev. 4 provides standardized
techniques and procedures to verify the effectiveness
of security controls.
– It provides a single baseline verification procedure for
each security control.
– It allows agencies to apply additional verification
techniques and procedures at their discretion.
30
NIST Framework
• NIST SP 800-60, Rev. 1, Volumes I and II, Guide for
Mapping Types of Information and Information
Systems to Security Categories
– NIST SP 800-60, Rev. 1 provides guidelines recommending
the types of information and information systems to be
included in each category of potential security impact.
– It assists agencies in consistently mapping security impact
levels to types of:
1. Information (e.g., privacy, medical, proprietary, financial,
contractor-sensitive, trade secret, investigation)
2. Information systems (e.g., mission-critical, mission-support,
administrative)
31
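The categorization process described on the FIPS 199, FIPS 200 and SP 800-60 slides, worked through as an added Python example (not from the presentation): the per-objective high-water mark across a system's information types, the LOW floor for systems, and the baseline selection. The information types and impact levels are constructed for the example, not values taken from SP 800-60.

```python
"""FIPS 199 security categorization with the high-water mark.

Added example, not from the original presentation. Each SP 800-60
information type carries (confidentiality, integrity, availability)
impact levels; a system's FIPS 199 category is the highest level per
objective across its information types, and its FIPS 200 baseline is
the highest level across objectives. Sample data below is constructed.
"""
from dataclasses import dataclass

# Ordering for the high-water mark. FIPS 199 allows "NA" (not applicable)
# only for the confidentiality of an information type, e.g. public
# information; an information system is never categorized below LOW.
IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _high_water_mark(levels):
    return max(levels, key=IMPACT_ORDER.__getitem__)


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def validate(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact {level!r}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{self.name}: NA is only valid for confidentiality")


def system_security_category(info_types):
    """FIPS 199 category of a system as {objective: level}.

    Per objective, take the highest impact among all information types the
    system handles, then floor at LOW: a system whose only information is
    public (confidentiality NA) still has confidentiality LOW.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    for info_type in info_types:
        info_type.validate()
    return {
        objective: _high_water_mark(
            [getattr(t, objective) for t in info_types] + ["LOW"])
        for objective in OBJECTIVES
    }


def select_baseline(category):
    """FIPS 200 overall impact level (high-water mark across objectives),
    which selects the SP 800-53 low, moderate or high control baseline."""
    return _high_water_mark(category.values())


def format_category(category):
    """Render in the FIPS 199 notation used in system security plans."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample systems: an HR support system and a public website.
HR_SYSTEM = [
    InfoType("Public web content", "NA", "LOW", "LOW"),
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Payroll processing", "LOW", "MODERATE", "LOW"),
]
PUBLIC_SITE = [InfoType("Public web content", "NA", "LOW", "LOW")]
```

`system_security_category(HR_SYSTEM)` yields a MODERATE baseline because personnel records raise confidentiality and integrity, while `PUBLIC_SITE` floors to LOW across all three objectives despite its NA confidentiality.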
NIST Framework
• Required Documentation:
– Authorization Boundary/Security Categorization (FIPS 199)
– System Security Plan (NIST SP 800-18)
– Risk Assessment (NIST SP 800-30)
– Security Assessment Report (NIST SP 800-30, 800-37)
– Contingency Plan/Disaster Recovery Plan (NIST SP 800-34)
– Privacy Impact Assessment
– Plan of Action and Milestones (POA&M)
32
NIST Framework
• POA&Ms are an agency’s primary management tool
for tracking the mitigation of its IT security program
and system-level weaknesses.
– POA&Ms are designed to facilitate review, analysis, and
decision-making in order to improve performance in
implementing corrective actions.
– Departments use POA&Ms to determine the organization’s
progress in the area of IT security.
– POA&Ms are reviewed both within the department and by
OMB.
33
NIST Framework
• POA&Ms (cont.):
– OMB uses all federal POA&Ms in conducting its
assessment of the IT security maturity of the federal
government.
– Inspectors General (IGs) are asked to use specific criteria to
assess whether the agency has developed and
implemented an agency-wide POA&M process, and
whether it is appropriately managing this process.
• The IG’s assessment in this area is critical.
– Effective remediation of IT security weaknesses is essential
to achieving a mature IT security program.
34
How to Perform a FISMA Audit
• FISMA audits:
– Are driven by the annual DHS/OMB memorandum
– Are typically (but not always) structured as a performance
audit
– Follow a methodology that is similar to the methodology
for an audit under the Federal Information System
Controls Audit Manual (FISCAM)
– Do not have exactly the same scope for each OIG
– Typically consist of selecting and testing a subset of
systems
– Are performed annually at approximately the same time
as the financial statement audit in order to gain possible
efficiencies
35
How to Perform a FISMA Audit
• Selecting a Representative Subset of Systems
– The evaluator uses their professional judgment to
identify a sufficient scope for systems testing to
constitute a representative subset of the entity’s
systems.
– The subset should be representative of all of the
entity’s systems covered by FISMA.
36
How to Perform a FISMA Audit
• Selecting a Representative Subset of Systems (cont.):
– The selection should include:
• Systems at different risk levels (i.e., high, moderate, and low)
• Both general support systems and major application systems
• Different types of applications (e.g., financial management,
operations)
• Major processing locations
• General and business process controls
• Coverage of the FISCAM control areas
• Contractor and other non-entity systems that are covered by
FISMA requirements
37
How to Perform a FISMA Audit
• FISCAM may be used as a basis for the independent
evaluation of a federal agency’s information security
program as required by FISMA (Appendix IX:
Application of FISCAM to FISMA).
– The agency’s IG must perform independent evaluations of
federal information systems other than those designated
as national security systems.
– Evaluations of systems related to national security may
only be performed by an entity designated by the agency
head.
38
How to Perform a FISMA Audit
• OMB Memorandum (Questionnaire):
– The OMB memorandum is released annually.
– It directs CIOs and OIGs as to the areas on
which they must report.
– The Department of Homeland Security (DHS)
is currently responsible for information
security; DHS therefore designs the questions
and reporting requirements while OMB is
responsible for sending out the document.
39
How to Perform a FISMA Audit
• OMB Memorandum (cont.):
– The memorandum is primarily comprised of the same
questions from year to year, but OMB throws some
curveballs.
– It contains a frequently asked questions (FAQ) section
and a questionnaire with separate questions for CIOs,
OIGs, and Senior Agency Officials for Privacy (SAOPs).
– The questions are no longer publicly accessible; the
auditor receives them from the Contracting Officer’s
Technical Representative (COTR).
40
How to Perform a FISMA Audit
• OMB Memorandum (cont.):
– The auditor usually selects a subset of systems to
review for the questionnaire, but it depends on
the contract.
– The auditor may also select one of the systems
each year to undergo a detailed audit based on
NIST SP 800-53.
41
How to Perform a FISMA Audit
• OMB Memorandum (cont.):
– The memorandum questions have evolved over
the years. It originally asked a mix of questions
with answers that were qualitative (e.g., excellent,
good, fair, poor), percentages, or numbers; now all
of the questions have yes/no answers.
– Questions that have been removed include:
• Peer-to-peer questions
• E-authentication questions
42
How to Perform a FISMA Audit
• Question areas for the CIO:
– Data feeds directly from security management tools (or
from Excel)
• Inventory
• Systems and Services
• Hardware
• Software
• External Connections
• Security Training
• Identity Management and Access
– Government-wide benchmarking on security posture
43
How to Perform a FISMA Audit
• Question areas for the SAOP:
– Update on the breach notification policy, if it has
changed significantly since the last year’s report
– Progress update on eliminating the unnecessary
use of social security numbers
– Progress update on review and reduction of
holdings of personally identifiable information
44
How to Perform a FISMA Audit
• Question areas for the OIG:
– Continuous monitoring management
– Configuration management
– Identity and access management
– Incident response and reporting
– Risk management (security assessment and
authorization (SA&A) process)
– Security training
45
How to Perform a FISMA Audit
• Question areas for the OIG (cont.):
– Plans of action and milestones
– Remote access management
– Contingency planning
– Contractor systems
– Security capital planning
46
How to Perform a FISMA Audit
• Key FAQs from the memorandum include:
– Should agencies set an internal FISMA reporting cut-off
date?
– Should all of the agency’s information systems be included
as part of the FISMA report?
– Is use of NIST publications required?
– Are NIST guidelines flexible?
– Are the security requirements outlined in the Act limited
to information in electronic form?
47
How to Perform a FISMA Audit
• Key FAQs from the memorandum (cont.):
– When OMB asks if an agency has a process, is it also asking
if the process is implemented and is effective?
– How do agencies ensure FISMA compliance for
connections to non-agency systems? Do Statement on
Standards for Attestation Engagements (SSAE) No. 16
audits meet the requirements of FISMA and
implementation policies and guidance?
48
How to Perform a FISMA Audit
• Key FAQs from the memorandum (cont.):
– Is a security authorization required for all information
systems? OMB Circular A-130 requires a security
authorization to process only for general support systems
and major applications.
– Must all agency information systems be tested and evaluated
annually?
– Must government contractors abide by FISMA requirements?
– Do employees who never access electronic information
systems need annual security and privacy awareness
training?
49
How to Perform a FISMA Audit
• FISMA-specific reporting requirements:
– Determine whether any weaknesses identified
(individually or collectively) represent significant
deficiencies under FISMA.
• FISMA requires agencies to report any significant
deficiencies:
1. As material weaknesses under the Federal Managers'
Financial Integrity Act (FMFIA)
2. As instances of a lack of substantial compliance under the
Federal Financial Management Improvement Act (FFMIA), if
related to financial management systems
50
How to Perform a FISMA Audit
• FISMA-specific reporting requirements (cont.):
– A significant deficiency in FISMA is a weakness in an
agency’s overall information systems security program or
management control structure, or within one or more
information systems which:
• Significantly restricts the capability of the agency to carry out its
mission.
• Compromises the security of its information, information systems,
personnel, or other resources, operations, or assets.
– The risk is great enough that the agency head and outside
agencies must be notified and immediate or near-immediate corrective action must be taken.
51
How to Perform a FISMA Audit
• FISMA-specific reporting requirements (cont.):
– The OIG is responsible for entering its responses to template
questions using the CyberScope portal hosted by DHS.
– The OIG will usually also issue a performance audit report,
generally supported by the work performed to answer the
template questions.
– The OIG will often perform more detailed testing of a
selected system and issue a separate performance audit
report on that system.
– There are also other varieties of reporting, such as separate
technical reports for internal use only.
52
How to Perform a FISMA Audit
• Common findings in FISMA audits include:
– SA&A packages are not complete or have issues.
– Configuration baselines are not developed and in place.
– The vulnerability management program is not well
implemented.
– The patch management process is ineffective.
– The agency’s training program is poor, or not all personnel
have completed training.
– Mobile devices have not been adequately secured.
53
Future of FISMA
• In December 2015, President Barack Obama signed a bill into
law that:
1. Changed the name of FISMA from “Management” to
“Modernization.”
2. Extended OMB’s responsibility to determine IT security policies for
federal agencies.
3. Granted DHS authority to administer the operational aspects of
those policies among civilian agencies.
4. Eliminated the requirement for federal agencies to submit a checklist
verifying that their IT systems and processes met federal standards
and controls.
5. Moved agencies toward continuously monitoring their systems
for vulnerabilities.
54
Future of FISMA
• The new FISMA mandates continuous monitoring
and the use of “automated security tools to
continuously diagnose and improve security.” This
includes:
– Assessing information security risks on an ongoing basis.
– Developing an Information Security Continuous Monitoring
(ISCM) strategy that supports the implementation of a
program to continuously monitor and defend the agency’s
network(s) from cyber security risks, threats, and malicious
activity.
55
Future of FISMA
• OMB key initiatives for 2014-2015 include:
– New requirements based on assessment of emerging
threat activities.
– Streamlined agency reporting of information security
incidents to DHS’s U.S. Computer Emergency Readiness
Team (US-CERT) and improvement in DHS US-CERT's ability
to respond to information security incidents effectively.
– Enhanced FISMA metrics, a proactive vulnerability
scanning process, and updated incident response
procedures.
56
Future of FISMA
• Cross-Agency Priority (CAP) goals for FY 2015:
– National Security Council (NSC) staff and OMB
identified cybersecurity as one of the 14 CAP goals for
FY 2015, to build on the statutory requirements of
FISMA and to provide senior government officials with
greater visibility and accountability for this issue.
– Cybersecurity CAP goal initiatives and metrics are a
subset of the FISMA metrics.
57
Future of FISMA
• CAP goals for FY 2015 (cont.):
– OMB and NSC staff will maintain focus on Information
Security Continuous Monitoring (ISCM) and Identity,
Credential, and Access Management (ICAM).
– For the first time, OMB and NSC staff have identified
"Anti-Phishing and Malware Defense" as an additional
priority area.
58
Future of FISMA
• OMB, NSC staff, and DHS have taken the following approach in
developing the enhanced FY 2015 FISMA metrics:
1. Assessed the quality and validity of each metric by soliciting input
from more than 100 cybersecurity professionals from more than 24
federal agencies, who made more than 200 recommendations for the
metrics.
2. Where possible, removed metrics that had completed their lifecycle
or did not add sufficient value to the expanded assessment process.
3. Developed outcome-oriented metrics to complement existing
compliance-oriented metrics, to include anti-phishing and malware
defense metrics aimed at reducing the risk of malware introduced
through email and malicious or compromised websites.
4. Where possible, used existing federal agency data feeds to automate
responses to improve the quality and timeliness of reported data.
59
Future of FISMA
• DHS US-CERT will release its updated incident
notification guidelines, including:
1. A standard set of data elements for reporting
incidents
2. Updated incident notification requirements
3. Updated impact classifications
4. Updated threat vectors used to categorize and
address incidents
60
Future of FISMA
• It’s hard to see where all of this is going, but
cyberspace is clearly here to stay in our
everyday lives, both professional and
personal.
• Internal audit organizations will therefore
need to build their own skill sets to address
the risks and opportunities that come with
cyberspace.
61
Q&A
Thank you!