What's in Store for FISMA in 2005

By Stacey McDaniel

When it comes to meeting the stringent technology and procedural requirements of the Federal Information Security Management Act (FISMA), federal agencies are making slow, but steady progress.

What FISMA covers

Maintaining the integrity of the federal government's information infrastructure is critical -- in fact, maintaining a secure cyberspace has become essential to homeland and national security. As the federal government's reliance on electronic data increased, however, it was slow to address the need for stronger information security practices within the government. Finally, in 2002, the importance of information security was officially addressed through Title III of the E-Government Act, which is FISMA.

FISMA requires every federal agency, and any organization whose information systems possess or make use of federal information, to develop, document, and implement an agency-wide, risk-based information security program. FISMA also requires periodic testing and evaluation of the effectiveness of the information security policies, procedures, and practices in place. While FISMA lays out the required elements of the security program, it doesn't set any security benchmarks, or provide much in the way of guidance on how to achieve these requirements. That's where The National Institute of Standards and Technology (NIST) comes in. NIST was enlisted to support FISMA by developing publications that provide guidance and best security practices to government agencies.

NIST on FISMA compliance

NIST has developed a range of special publications offering guidance on topics like security incident management, selecting and testing security controls for information systems, and assigning levels of risk to information systems. Here are the two most recent NIST publications that address important FISMA requirements:

  • A final draft of NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems," was released on January 26, and is currently up for final public review. December will be the deadline for security controls mandated by FISMA to be in place. 800-53 not only provides instructions for adopting technical controls, such as intrusion detection, but also recommends management and operational controls for safeguarding federal information and the systems that provide that information. The recommended controls vary, but the list is extensive and includes 17 categories of security controls. Among the management controls are access and audit controls and user identification and authentication. Operational controls include incident response and contingency planning and operations.

  • On January 31, NIST released the first draft of Special Publication 800-77, "Guide to IPsec VPNs." The draft explains the three primary VPN architectures: gateway-to-gateway, host-to-gateway, and host-to-host, and describes scenarios in which each can be used. It also explains the IPsec security framework, and provides a helpful way to achieve successful IPsec deployments involving five phases: identify needs, design the solution, implement and test a prototype, deploy the solution, and manage the solution.

Competing concerns

Complying with FISMA regulations is not the only thing weighing on the minds of chief information security officers (CISOs) in the federal government. In a survey released in November 2004 by O'Keeffe & Co., patch management was cited as the number one concern of federal CISOs. Achieving FISMA compliance and avoiding a compromised network tied for second place among the concerns. The survey found that while CISOs spend a large portion of their time on administrative activities related to FISMA compliance, they feel they lack the resources and funds necessary to achieve compliance. In fact, more than 60 percent of federal agencies with information security budgets of less than $500,000 found their managers spending at least three hours a day, on average, on compliance requirements.

Compliance numbers

In the summer of 2004, the Government Accountability Office (GAO) released a report that described agency compliance with FISMA as irregular. The GAO's survey of 24 federal agencies found that 63 percent of information systems met the NIST guidelines, including the minimum security controls mandated by FISMA. The GAO report found that compliance and accreditation varied greatly. Seven of the 24 agencies said more than 90 percent of their systems were certified and accredited as secure, while six reported that less than half of their systems were accredited as secure. Only the Social Security Administration and the Nuclear Regulatory Commission achieved 100 percent accreditation and certification. NASA reported 98 percent compliance, and the National Science Foundation reported that 95 percent of its information systems met the guidelines. Seventy-seven percent of the Defense Department systems met the guidelines, according to the GAO.

More visibility this year

In 2005, expect Chairman of the House Government Reform Committee Rep. Tom Davis (R-Va.) to become a prominent figure in the information technology community. In January, Davis cited cybersecurity, and FISMA in particular, as one of the key items on his 2005 agenda for Congress. In spite of rules like FISMA, Davis said "Cybersecurity is one area where the government is falling backward, not moving forward." According to Davis, FISMA is not receiving the attention it deserves, and it should be something that every committee in Congress is concerned about. As Davis said, "Nobody knows what FISMA is. We have 10 members (in Congress) out of 535 who know what FISMA is."

Davis said his committee will lobby for more awareness and funding for FISMA in 2005, and he hopes the new information policy, information technology, and information security challenges that have arisen since FISMA and the 25 E-Government initiatives were enacted in 2002 will be addressed. This is important, because the technology landscape -- and the potential threats to it -- can change dramatically and quickly, and guidelines made three years ago may not address today's needs.

Conclusion

Although O'Keeffe & Co.'s recent study found that budget and time constraints are the most common reasons for agencies falling behind in FISMA compliance, there are compliance tools that can ease the administrative burden with automatic policy monitoring.

While such tools are making compliance easier, influential people like Rep. Davis plan to push for more funding and awareness to ease the costly and time-consuming FISMA burden. Expect to hear more about FISMA, and about some interesting challenges and changes in attitude toward IT security within the federal government, in the coming year.

Stacey McDaniel has been writing about high-tech issues for more than six years.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
