Post on 25-May-2015


Federal Information Security Management Act

(FISMA)

Timothy C. Fitzgerald

U.S. Department of State

February 2004

A FISMA Reference Model

Agenda

• History, Statutes and Guidelines
• Assumptions
• FISMA Overview
• The Agency Program
• Supporting the Processes
• Plan of Actions and Milestones
• Audit and Inspection Areas
• Timeline
• Report Building
• Next Steps

Assumptions

• Definitions

• IT Inventory

• Accountability

History and Statutes

• 1929: Federal Records Act
• 1942: Federal Reports Act
• 1947: Hoover Commission
• 1949: Federal Property and Administrative Services Act
• 1952: Still-classified Executive Order establishing NSA
• 1965: Brooks Automatic Data Processing Act (Brooks Act)
• 1974: Privacy Act
• 1978: Inspectors General Act
• 1984: NSDD-145, National Policy for the Security of National Security Telecommunications and Information Systems
• 1988: Warner Amendment to Brooks Act
• 1987: Computer Security Act of 1987
• 1990: NSD-42, National Policy for the Security of National Security Telecommunications and Information Systems
• 1990: Chief Financial Officers Act
• 1993: Government Performance and Results Act (GPRA)
• 1995: Paperwork Reduction Act of 1995
• OMB Circular A-130, App. III, Security of Federal Automated Information
• Executive Order 13010, Critical Infrastructure Protection
• Executive Order 13011, Federal Information Technology
• 1996: Information Technology Management Reform Act (renamed Clinger-Cohen Act of 1996)
• Health Insurance Portability and Accountability Act (HIPAA) (updating Privacy Act)
• 1997: President’s Commission on Critical Infrastructure Protection releases report
• 1998: PDD-63, Protecting America’s Critical Infrastructures
• Government Paperwork Elimination Act (GPEA)
• 2000: Government Information Security Reform Act (GISRA) (formerly Thompson-Lieberman Act)
• 2001: USA Patriot Act
• 2002: Homeland Security Act (Title X – Information Security), replaced by the E-Government Act, Title III – Federal Information Security Management Act (FISMA)
• 2003: Homeland Security Presidential Directive HSPD-7

Guidelines

• OMB Circulars and Memoranda
• National Institute of Standards and Technology (NIST) FIPS and Special Publications (SP)
• Committee on National Security Systems (formerly National Telecommunications and Information Systems Security Committee (NTISSC))
• Federal Information Systems Control Audit Manual (FISCAM)

This Reference Model

[Figure: reference-model diagram. The Agency Mission drives the Strategic Goals & Objectives (§3544(a)(1)(c)), owned by the Agency Head, the CIO, the Senior Agency Information Systems Security Officer and the Senior Agency Officials. Beneath them sit the Agency-wide Security Program (§3544(b)), the Agency Information System Programs (§3544(a)(2)), Certification and Accreditation (§3544) and Performance Plans (§3544(d)), alongside Enterprise Architecture and Capital Investment Planning under the Clinger-Cohen Act (CCA). External inputs: Office of Management and Budget (OMB) Memoranda & Circulars; National Institute of Standards and Technology (NIST) FIPS and Special Publications; Title 40 §11331.]

This Reference Model

[Figure: the reference-model diagram repeated, highlighting the Senior Agency Information Security Officer alongside the Agency Head, the CIO and the Senior Agency Officials, with the same program elements (Certification and Accreditation §3544, Agency-wide Security Program §3544(b), Agency Information System Programs §3544(a)(2), Performance Plans §3544(d), Enterprise Architecture and Capital Investment Planning under CCA).]

Agency-wide Security Program

[Figure: the Agency-wide Security Program (§3544(b)), labelled the Information Assurance Program, shown within the reference model together with Performance Plans (§3544(d)), Strategic Goals & Objectives (§3544(a)(1)(c)), Enterprise Architecture and Capital Investment Planning under CCA, the CIO, the Agency Head, the Senior Agency Information Security Officer and OMB.]

Program elements:

• Security Policy
• Architecture
• Access Controls
• Network Monitoring
• Personnel Security
• Mainframe Security
• Education, Training and Awareness
• Physical and Environmental Security
• Systems Evaluations
• Continuity of Services
• Technical Security
• Technical Security Countermeasures
• Enterprise Network Management
• Lifecycle Management
• Virus Program
• Computer Emergency Response Capability
• Cryptographic Services

Agency Information System and Programs

[Figure: the Agency Information System Programs (§3544(a)(2)) within the reference model, fed by Mission Program Plans and Information Management Modernization Plans and tied to Performance Plans (§3544(d)), Strategic Goals & Objectives (§3544(a)(1)(c)), Enterprise Architecture and Capital Investment Planning under CCA, the CIO, the Agency Head and the Senior Agency Officials.]

Capital Investment Planning

[Figure: the Capital Investment Process within the reference model, reporting to the Office of Management and Budget (OMB) through OMB Circular A-11 Exhibits 52, 53 and 300; linked to Strategic Goals & Objectives (§3544(a)(1)(c)), Enterprise Architecture and Capital Investment Planning under CCA, the CIO and the Agency Head.]

Certification and Accreditation

[Figure: Certification and Accreditation within the reference model. Risk Management weighs the Information Requirements and Technology Modernization Projects (the "Balance of Requirements and Technology") against Vulnerabilities, Threats and Risk; linked to Strategic Goals & Objectives (§3544(a)(1)(c)), Enterprise Architecture and Capital Investment Planning under CCA, the CIO and the Agency Head.]

This Reference Model

[Figure: the full reference-model diagram repeated: Agency Mission; Strategic Goals & Objectives (§3544(a)(1)(c)); Certification and Accreditation (§3544); Agency-wide Security Program (§3544(b)); Agency Information System Programs (§3544(a)(2)); Enterprise Architecture and Capital Investment Planning under CCA; Performance Plans (§3544(d)); CIO; Agency Head; Senior Agency Information Security Officer; Senior Agency Officials.]

Plans of Action and Milestones

• IT Audit Findings
• IT Inspections Findings
• C&A Residual Findings
  – IATO
  – Denials
• CIP Assessments
• Self-Assessments (NIST SP 800-26)
• GAO Audits

PoA&Ms

[Figure: Plans of Action and Milestones feed the Capital Investment Planning cycle (OMB Circular A-11 Exhibits 52, 53 and 300). Risk Management prioritizes IT spending so that the important weaknesses are fixed first. Shown against the reference model: Agency Mission, Strategic Goals & Objectives (§3544(a)(1)(c)), Enterprise Architecture and Capital Investment Planning under CCA, the CIO and the Agency Head.]

Audit

• Asset Management

• Enterprise Architecture

• Technology Capital Investment Planning

• Certification and Accreditation

• Information Assurance Programs

• Agency Information System Programs

Inspection

• Management Controls
  – Roles and Responsibility Implementation
  – Policy and Procedures Implementation
• Operational Controls
  – Executed Logs, Checklists, Procedural Documents
• Technical Controls
  – Validation Assessments

FISMA Timeline

[Figure: fiscal-year timeline, Oct through Sep. Quarterly PoA&Ms (4th, 1st, 2nd and 3rd quarter) drive the Agency Corrective Action Plans; Agency-wide Security Program Audits and Inspections and Agency Information System Programs Audits and Inspections run through the year; results roll up into the Agency FISMA Report and then the OMB FISMA Report to Congress.]

Building the Report

• Clearly Defined Roles and Responsibilities
• An Approved Agency-wide Security Plan
• An IT Asset and Logistic Process
• Realistic Certification and Accreditation Process and Schedule
• Integration of the POAM Reporting into the Management Process
• Cross-Statute Issues
• Rollup of Inspections and Audit Findings

Next Steps

• Modify Audit And Inspection Guidelines

• Plan Security Program Reviews

• Fiscal Timeline For Reporting

• Rollup Results To FISMA Report

A FISMA Model

• Questions

Timothy C. Fitzgerald
U.S. Department of State
Fitzgeraldtc@state.gov
703-284-2650