university of maryland university college (umuc) 3/11/2004 poa&m and fisma what does it really...
TRANSCRIPT
University of Maryland University College (UMUC)
3/11/2004
POA&M and FISMAWhat does it really mean?
FISSEA Annual Conference
2
Agenda
FISMA – an introduction
Roles and Responsibilities
FISMA Requirements
Transition from report to process
3
Congress emphasized the importance of information security when it included the Federal Information Security Management Act (FISMA) as part of the E-Government Act of 2002
FISMA consolidates many security requirements and guidance into an overall framework for managing information security and protecting the nation’s critical information infrastructure from harm
FISMA requires executive agencies within the federal government to:
– Plan for security
– Ensure that appropriate officials are assigned security responsibility
– Review periodically the security controls in their information systems
– Authorize system processing prior to operations, and periodically after deploying
FISMA has three main sections
– Annual security reporting requirement (Annual Program Review – CIO)
– Independent Evaluation – (IG) and
– Corrective action plan for remediation of security weaknesses
4
FISMA requires agencies to submit quarterly reports to OMB regarding the status of their information security program
Reporting standards are set annually by OMB and have become more stringent over time
In addition to the annual report, there are quarterly updates (Dec, Mar, June)
Other groups also receive agency FISMA reports:
– House Committees on Government Reform and Science
– Senate Committees on Government Affairs and Commerce, Science, and Transportation
– Authorization and appropriations committees for each individual agency of Congress
– General Accounting Office
5
While reporting is a key component, achieving the goals of FISMA require that an agency build a mature security program using security management processes that are ongoing and continual
Goals of FISMAGoals of FISMA Agency Goals for FISMAAgency Goals for FISMA
More consistent, comparable, and repeatable evaluations of security controls applied to information systems
A better understanding of enterprise-wide mission risks resulting from the operation of information systems
More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security accreditation decisions
More secure information systems within the Federal government including the critical infrastructure of the United States
More consistent, comparable, and repeatable evaluations of security controls applied to information systems
A better understanding of enterprise-wide mission risks resulting from the operation of information systems
More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security accreditation decisions
More secure information systems within the Federal government including the critical infrastructure of the United States
Achieve performance and risk based management for security programs
Demonstrate a mature security program
– Agency risk assessments
– Security policies and procedures
– Subordinate plans (i.e., individual system security plans)
– Training plans
– Annual testing and evaluation
– Corrective action process
– Security incident reporting
– Continuity of operations plans
– Integrate security into the business
Achieve performance and risk based management for security programs
Demonstrate a mature security program
– Agency risk assessments
– Security policies and procedures
– Subordinate plans (i.e., individual system security plans)
– Training plans
– Annual testing and evaluation
– Corrective action process
– Security incident reporting
– Continuity of operations plans
– Integrate security into the business
6
Agenda
FISMA – an introduction
Roles and Responsibilities
FISMA Requirements
Transition from report to process
7
As part of their strategy for a successful US government IT security posture, NIST plans to work with government agencies and industry on FISMA related issues
FISMA strengthens the reach of NIST
Standards issued by NIST are now “compulsory and binding”
NIST plays a more active role in defining how Federal agencies should be protecting their systems and infrastructure
Much guidance is under development to support agency program and system reviews
According to the NIST web site, their vision for supporting FISMA is to promote the development of standards and guidelines including:
– Security categorization of information and information systems
– Selection of appropriate security controls for information systems
– Verification of security control effectiveness and determination of information system vulnerabilities
– Operational authorization for processing (security accreditation) of information systems
8
Inspector General
For federal departments and agencies, FISMA identifies roles and responsibilities for the IT security management team
Verify that security program elements exist
Validate POA&Ms
Identify all known security weaknesses and that a robust process exists for maintaining the POA&M
Agency Head
Held accountable ultimately for the protection of an agency’s systems
Expected to include security as a part of strategic and operational planning
Assign CIOs compliance responsibility
ISSO
Chief Information Officer
Designate a senior information security officer who reports directly to the CIO
Held accountable for agency-wide security program
Develop and implement policies, procedures and controls
Report on progress quarterly to OMB
Carry out responsibilities of the CIO
Security is the ISSO’s primary responsibility, not an other duty as assigned
Maintain professional qualifications
People play a key role in FISMA
Program Officials and System Owners
Assess risk and test controls
Update system documentation
Ensure systems are certified and accredited
9
Agenda
FISMA – an introduction
Roles and Responsibilities
FISMA Requirements
Transition from report to process
10
FISMA requirements can be segmented into four main categories – foundational, review, mitigation, measurement…
Foundational– Inventory– Assignment of security responsibilities– Configuration requirements– Incident response– Identification of critical assets
Review– NIST self assessment– Certification and accreditation– Risk assessment– Continuity of system operations
Mitigation– Plan of action and milestones
Measurement– Track progress– Evaluate performance of all components– Report quarterly
…and two others which span across all phases of the program
FISMA REQUIREMENTS
FoundationalR
ev
iew
Mit
iga
tio
n
Me
as
ure
me
nt
Training and Capital Planning
11
To fulfill FISMA requires, an agency should focus on building a solid foundation within their IT security program
Senior information security official should appointed by and report to the CIO
An inventory program which is:
– Updated at least annually
– Made available to the Comptroller General
– Used to support information resources management
– Synchronized with their enterprise architecture inventory efforts
Identification of critical assets and their interdependencies with other assets
An established patch management process which assumes
– a configuration management process exists
– patches are tested prior to implementation
Incident response is closely tied to patch management
Foundational
12
Agencies are required to complete an annual FISMA review to ensure that security controls maintain risk at an acceptable level
Depth and breadth of an annual FISMA review depends on several factors such as:
1. The acceptable level of risk and magnitude of harm to the system or information
2. The extent to which system configurations and settings are documented and continuously monitored
3. The extent to which patch management is employed for the system
4. The relative comprehensiveness of the most recent past review
5. The vintage of the most recent in-depth testing and evaluation as part of system certification and final accreditation
Testing should also include management, operational and technical controls
Rev
iew
13
Plan of Action and Milestones (POA&M) is an agency’s primary management tool for tracking the mitigation of its IT security program and system-level weaknesses
Plan of Action and Milestones (POA&M) are:
– Designed to facilitate review, analysis, and decision making forperformance improvement in implementing corrective actions
– Used as a point of comparison for a Department to compare an organization’s progress in the area of IT security
– Reviewed within a Department and by OMB
OMB uses all Federal POA&Ms to conduct their assessment of the Federal government’s IT security maturity
IGs are asked this year to assess against specific criteria whether the agency has developed, implemented, and is managing an agency-wide POA&M process
The IG’s assessment in this area is critical
Effective remediation of IT security weaknesses is essential to achieving a mature IT security program M
itig
atio
n
14
For a successful mitigation strategy an agency should aim to create as comprehensive a POA&M as possible
All security weaknesses (programs and systems) must be included in the POA&M
POA&M is a living document – it evolves over time as weaknesses are corrected and new ones arise
POA&Ms are used to support the funding decision making process
To promote the integration of security into capital planning, POA&Ms should draw from data in exhibits 300 and 53
The IG must verify that POA&Ms identify all known security weaknesses
15
The following screenshot represents a sample POA&M
Weakness POCResources Required
Scheduled Completion Date
Milestones with Completion Dates
Changes to Milestones
Source Status
1. No risk assessment has been conducted on the ABC Network
ABC Network PM
80K 5/15/04
2.1 Identify baseline security requirements11/15/02
NIST Self Assessment
On-going2.2 Conduct risk assessment 12/20/02
2.3 Document risk assessment results 1/15/02
2. No program level security plan exists for ABC Bureau
ABC Bureau CIO
25K 4/2/04
1.1 Complete Initial Draft 1/4/03
ABC IG Audit On-going
1.2 Complete Final based on comments received 2/28/03
16
The following items are required in an agency’s POA&M submission
Weakness
Activities
Milestones with Completion DatesMilestones with
Completion Dates
Scheduled Completion Date
Scheduled Completion Date
Resources Required
Resources Required
Changes to MilestonesChanges to Milestones
POC
Status
SourceSource
• Refers to a SPECIFIC identified program or system weakness • Must be clear enough to discern weakness yet not reveal sensitive data
• Identifies the office or organization held accountable for correcting weakness
• Describes monetary amount needed to complete that is not already accounted for with current staffing
• Indicates corrective action completion date• Meeting dates becomes a major criteria of evaluation for OMB
• Refers to major steps along the way that occur while completing the corrective action • Timelines/Dates are required to be associated with each step
• Indicates when the timeline changes• Justification for the change will be required elsewhere
• Identifies where the weakness was first identified
• Indicates if a corrective action is ongoing or completed
17
Here are some other important POA&M concepts to keep in mind when putting together an agency’s mitigation strategy
CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems that they operate and control
A separate POA&M must be developed for every program and system for which weaknesses are identified
System level POA&Ms must be tied directly to the system budget request through the IT business case as required in OMB Budget guidance (Circular A-11)
Sufficient data regarding the weakness description and its corrective action plan is necessary
POA&M process represents a prioritization of agency IT security weaknesses that ensures that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
Department CIO is expected to centrally track and maintain all POA&M activities
18
Another key element of a successful IT security program is an effective measurement strategy which includes quarterly metrics
Mea
sure
men
t
Quarterly POA&M Update InformationQuarterly POA&M Update Information
Total number of weaknesses identified at the start of the quarter.
Number of weaknesses for which corrective action was completed on time (including testing) by the end of the quarter
Number of weaknesses for which corrective action is ongoing and is on track to complete as originally scheduled
Number of weaknesses for which corrective action has been delayed including a brief explanation for the delay
Number of new weaknesses discovered following the last POA&M update and a brief description of how they were identified (e.g., agency review, IG evaluation, etc.).
Total number of weaknesses identified at the start of the quarter.
Number of weaknesses for which corrective action was completed on time (including testing) by the end of the quarter
Number of weaknesses for which corrective action is ongoing and is on track to complete as originally scheduled
Number of weaknesses for which corrective action has been delayed including a brief explanation for the delay
Number of new weaknesses discovered following the last POA&M update and a brief description of how they were identified (e.g., agency review, IG evaluation, etc.).
Number of systems assessed for risk and assigned a level or risk
Number of systems that have an up-to-date IT security plan
Number of systems certified and accredited
Number of systems with security control costs integrated into the life cycle of the system
Number of systems for which security controls have been tested and evaluated in the last year
Number of systems with a contingency plan
Number of systems for which contingency plans have been tested
Number of systems assessed for risk and assigned a level or risk
Number of systems that have an up-to-date IT security plan
Number of systems certified and accredited
Number of systems with security control costs integrated into the life cycle of the system
Number of systems for which security controls have been tested and evaluated in the last year
Number of systems with a contingency plan
Number of systems for which contingency plans have been tested
Quarterly IT Security Measures UpdateQuarterly IT Security Measures Update
+ =
19
Agencies should integrate training and IT security capital planning, throughout their program
Integrating IT security into the capital planning process
– POA&Ms, annual FISMA reports, and executive summaries must be cross-referenced to the budget materials
– Exhibit 300: Capital asset plan and justification
– Exhibit 53: Summary of IT systems and expenditures.
– Unique project identifier that stems from Exhibit 300s and 53s must be referenced in the “Resources Required” column of the POA&M.
– Although the POA&M and Exhibit 300s may cite the same unique project identifiers, the security costs will not match because the Exhibit 300s also contains ongoing security maintenance costs.
Training
– All parts of IT security management team need awareness and training
– Responsibility to provide training is placed on CIO
– Responsibility of program officials to complete training
Mit
igat
ion
Training and Capital Planning
20
Results of non-compliance
Probable exploitation of security vulnerabilities
Unauthorized access and/or modification of sensitive data
Jeopardize funding for current and future IT projects
21
Agenda
FISMA – a higher cause?
Roles and Responsibilities
FISMA Requirements
Transition from report to process
22
Putting the pieces together for a successful IT security management program requires that an agency shift its focus from the FISMA report to a more comprehensive management process
Communication throughout the program is key
– FISMA encourages communication across and between business lines
– System owners, budget and security personnel are expected to collaborate so that suitable decisions are made regarding functionality and security of IT assets
Management assumes an active posture towards IT security
– If you can’t respond to the different measures associated with FISMA, then there is no plan for protecting your IT resources
Documentation may seem painful, but it is necessary
– Provides accountability
– Prevents overreliance on a subset of staff
– Promotes knowledge management
23
In summary, here are some aspects of FISMA to remember when building a successful IT security management program
Performance and risk based decision making essential for sound security program
It’s not just a report – it’s a process
Know your inventory
Communicate and involve stakeholders in all phases security management
– Budget personnel and program managers are stakeholders too!
Understand the mission that systems support – map to business processes
Review programs and systems
Identify and then fix security problems
Document and justify risks that are accepted