Page 1: Federal Information Security Management Act (FISMA) - Office of

Federal Information Security Management Act

(FISMA)

Timothy C. Fitzgerald

U.S. Department of State

February 2004

A FISMA Reference Model

Page 2

Agenda

• History, Statutes and Guidelines
• Assumptions
• FISMA Overview
• The Agency Program
• Supporting the Processes
• Plans of Action and Milestones
• Audit and Inspection Areas
• Timeline
• Report Building
• Next Steps

Page 3

Assumptions

• Definitions

• IT Inventory

• Accountability

Page 4

History and Statutes

• 1929: Federal Records Act
• 1942: Federal Reports Act
• 1947: Hoover Commission
• 1949: Federal Property and Administrative Services Act
• 1952: Still-classified Executive Order establishing NSA
• 1965: Brooks Automatic Data Processing Act (Brooks Act)
• 1974: Privacy Act
• 1978: Inspectors General Act
• 1981: Warner Amendment to Brooks Act
• 1984: NSDD-145, National Policy for the Security of National Security Telecommunications and Information Systems
• 1987: Computer Security Act of 1987
• 1990: NSD-42, National Policy for the Security of National Security Telecommunications and Information Systems
• 1990: Chief Financial Officers Act
• 1993: Government Performance and Results Act (GPRA)
• 1995: Paperwork Reduction Act of 1995; OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
• 1996: Executive Order 13010, Critical Infrastructure Protection
• 1996: Executive Order 13011, Federal Information Technology
• 1996: Information Technology Management Reform Act (renamed Clinger-Cohen Act of 1996)
• 1996: Health Insurance Portability and Accountability Act (HIPAA) (updating Privacy Act)
• 1997: President's Commission on Critical Infrastructure Protection releases report
• 1998: PDD-63, Protecting America's Critical Infrastructures
• 1998: Government Paperwork Elimination Act (GPEA)
• 2000: Government Information Security Reform Act (GISRA) (formerly Thompson-Lieberman Act)
• 2001: USA PATRIOT Act
• 2002: Homeland Security Act (Title X, Information Security), superseded by the E-Government Act, Title III: Federal Information Security Management Act (FISMA)
• 2003: Homeland Security Presidential Directive HSPD-7

Page 5

Guidelines

• OMB Circulars and Memoranda

• National Institute of Standards and Technology (NIST) FIPS and Special Publications (SP)

• Committee on National Security Systems (CNSS) (formerly the National Telecommunications and Information Systems Security Committee (NTISSC))

• Federal Information System Controls Audit Manual (FISCAM)

Page 6

This Reference Model

(Diagram: the FISMA reference model used throughout this deck. The Agency Mission sits at the center and drives Strategic Goals & Objectives, §3544(a)(1)(C). Around it sit four FISMA elements: Certification and Accreditation, §3544; the Agency-wide Security Program, §3544(b); Agency Information System Programs, §3544(a)(2); and Performance Plans, §3544(d). Two Clinger-Cohen Act (CCA) elements, Enterprise Architecture and Capital Investment Planning, tie the model to the agency's IT management. Accountable roles: Agency Head, CIO, Senior Agency Information Security Officer, and Senior Agency Officials.)

Page 7

Agency Mission

(Diagram: the Agency Mission element of the reference model and its external inputs. The Office of Management and Budget (OMB) issues Memoranda & Circulars; the National Institute of Standards and Technology (NIST) issues FIPS and Special Publications under its authority in Title 40, §11331.)

Page 8

This Reference Model

(Diagram: the reference model of page 6 repeated, now naming the Senior Agency Information Security Officer alongside the Agency Head, CIO and Senior Agency Officials.)

Page 9

Agency-wide Security Program

(Diagram: the Agency-wide Security Program, §3544(b), highlighted within the reference model as the agency's Information Assurance Program. It is fed by the Agency Mission and Strategic Goals & Objectives, §3544(a)(1)(C), reports through Performance Plans, §3544(d), and is overseen by the Agency Head, CIO and Senior Agency Information Security Officer, with the Office of Management and Budget (OMB) as the external reporting authority.)

Page 10

Agency-wide Security Program

Agency-wide Security Program, §3544(b), reported through Performance Plans, §3544(d). Component programs:

• Security Policy
• Architecture
• Access Controls
• Network Monitoring
• Personnel Security
• Mainframe Security
• Education, Training and Awareness
• Physical and Environmental Security
• Systems Evaluations
• Continuity of Services
• Technical Security
• Technical Security Countermeasures
• Enterprise Network Management
• Lifecycle Management
• Virus Program
• Computer Emergency Response Capability
• Cryptographic Services

Page 11

Agency Information System and Programs

(Diagram: Agency Information System Programs, §3544(a)(2), highlighted within the reference model. The element is driven by Mission Program Plans and Information Management Modernization Plans, traces to the Agency Mission and Strategic Goals & Objectives, §3544(a)(1)(C), and reports through Performance Plans, §3544(d). Accountable roles: Agency Head, CIO and Senior Agency Officials.)

Page 12

Capital Investment Planning

(Diagram: the Capital Investment Planning element (CCA) highlighted within the reference model. The capital investment process reports to the Office of Management and Budget (OMB) through OMB Circular A-11, Exhibits 52, 53 and 300, and is linked to the Agency Mission, Strategic Goals & Objectives, §3544(a)(1)(C), and Enterprise Architecture (CCA). Accountable roles: Agency Head and CIO.)

Page 13

Certification and Accreditation

(Diagram: the Certification and Accreditation element highlighted within the reference model. C&A is the agency's risk management step: it balances Information Requirements and Technology Modernization Projects against Vulnerabilities, Threats and Risk. It is linked to the Agency Mission, Strategic Goals & Objectives, §3544(a)(1)(C), Enterprise Architecture (CCA) and Capital Investment Planning (CCA). Accountable roles: Agency Head and CIO.)

Page 14

This Reference Model

(Diagram: the complete reference model of page 6 repeated as a summary: Agency Mission and Strategic Goals & Objectives, §3544(a)(1)(C); Certification and Accreditation, §3544; Agency-wide Security Program, §3544(b); Agency Information System Programs, §3544(a)(2); Performance Plans, §3544(d); Enterprise Architecture and Capital Investment Planning (CCA); roles Agency Head, CIO, Senior Agency Information Security Officer and Senior Agency Officials.)

Page 15

Plans of Action and Milestones

Sources of weaknesses tracked in PoA&Ms:

• IT Audit Findings
• IT Inspection Findings
• C&A Residual Findings
  – Interim Authorities to Operate (IATOs)
  – Denials
• CIP Assessments
• Self-Assessments (NIST SP 800-26)
• GAO Audits

Page 16

PoA&Ms

(Diagram: Plans of Action and Milestones feed Capital Investment Planning (CCA) and the OMB Circular A-11 budget submission, Exhibits 52, 53 and 300. Risk management is used to prioritize IT spending: fix the important weaknesses first. The element is linked to the Agency Mission, Strategic Goals & Objectives, §3544(a)(1)(C), and Enterprise Architecture (CCA). Accountable roles: Agency Head and CIO.)

Page 17

Audit

• Asset Management

• Enterprise Architecture

• Technology Capital Investment Planning

• Certification and Accreditation

• Information Assurance Programs

• Agency Information System Programs

Page 18

Inspection

• Management Controls
  – Roles and Responsibility Implementation
  – Policy and Procedures Implementation

• Operational Controls
  – Executed Logs, Checklists, Procedural Documents

• Technical Controls
  – Validation Assessments

Page 19

FISMA Timeline

(Diagram: a fiscal-year calendar, October through September, showing the reporting cycle.)

• Quarterly PoA&M submissions: 4th Quarter PoA&Ms at the start of the fiscal year (Oct), then 1st, 2nd and 3rd Quarter PoA&Ms (Jan, Apr, Jul)
• Agency Corrective Action Plans following the 4th Quarter PoA&Ms
• Agency-wide Security Program Audits and Inspections during the year
• Agency Information System Programs Audits and Inspections during the year
• Agency FISMA Report at fiscal year end (Sep)
• OMB FISMA Report to Congress following the agency reports

Page 20

Building the Report

• Clearly Defined Roles and Responsibilities
• An Approved Agency-wide Security Plan
• An IT Asset and Logistics Process
• A Realistic Certification and Accreditation Process and Schedule
• Integration of the PoA&M Reporting into the Management Process
• Cross-Statute Issues
• Rollup of Inspection and Audit Findings

Page 21

Next Steps

• Modify Audit And Inspection Guidelines

• Plan Security Program Reviews

• Fiscal Timeline For Reporting

• Rollup Results To FISMA Report

Page 22

A FISMA Model

• Questions

Timothy C. Fitzgerald
U.S. Department of State
[email protected]

703-284-2650