Implementation of FISMA
In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies. NIST performs its statutory responsibilities through the Computer Security Division of the Information Technology Laboratory.[6] NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. NIST hosts the following:
* FISMA implementation project[7]
* Information Security Automation Program (ISAP)
* National Vulnerability Database (NVD), the U.S. government content repository for ISAP and SCAP. NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).[8]
Security controls
Federal information systems must meet the minimum security requirements.[9] These requirements are defined in the second mandatory security standard required by the FISMA legislation, namely FIPS 200 "Minimum Security Requirements for Federal Information and Information Systems".[11] Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems". The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.
Risk assessment
The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. The agency's risk assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of security due diligence for the federal agency and its contractors.[13] A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether the risk should be accepted or mitigated. If mitigated by the implementation of a control, one needs to describe what additional Security Controls will be added to the system. NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) that support and complement the approach for achieving consistent, cost-effective security control assessments.
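The likelihood-times-impact calculation described above, carried through as an added worked example that is not part of the original article or of any NIST publication: the findings, control labels, effectiveness figures and acceptance threshold are all constructed assumptions, and existing controls are credited by reducing the likelihood before residual risk is scored.

```python
"""Residual-risk scoring for a FISMA-style risk assessment (constructed example)."""
from dataclasses import dataclass, field

# Assumed fraction of likelihood each mapped control removes.
# Labels are illustrative placeholders, not SP 800-53 control identifiers.
CONTROL_EFFECTIVENESS = {
    "CTRL-MFA": 0.6,
    "CTRL-PATCH-SLA": 0.5,
    "CTRL-NET-SEG": 0.4,
}


@dataclass
class Finding:
    vuln_id: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), before controls
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # controls mapped to this vulnerability


def residual_likelihood(f: Finding) -> float:
    lik = float(f.likelihood)
    for c in f.controls:
        # A control not in the table earns no credit rather than a guessed value.
        lik *= 1.0 - CONTROL_EFFECTIVENESS.get(c, 0.0)
    return max(1.0, lik)  # floor: a vulnerability is never "impossible" to exploit


def residual_risk(f: Finding) -> float:
    return round(residual_likelihood(f) * f.impact, 1)


def assess(findings, accept_threshold: float = 6.0):
    """Return (vuln_id, residual_risk, decision) per finding, highest risk first."""
    rows = []
    for f in findings:
        score = residual_risk(f)
        decision = "accept" if score <= accept_threshold else "mitigate"
        rows.append((f.vuln_id, score, decision))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample findings for a hypothetical system.
SAMPLE = [
    Finding("V-001", "credential stuffing on web portal", 4, 4, ["CTRL-MFA"]),
    Finding("V-002", "unpatched internal service", 3, 5, ["CTRL-PATCH-SLA", "CTRL-NET-SEG"]),
    Finding("V-003", "unauthenticated internal file share", 5, 3, []),
]

if __name__ == "__main__":
    for vid, score, decision in assess(SAMPLE):
        print(f"{vid}: residual risk {score:>5} -> {decision}")
```

Findings marked "mitigate" are the ones for which the plan must name the additional controls to be added; the threshold is the agency's risk appetite and is an assumption here.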
Federal Information Security Management Act of 2002
made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.[14] In July 2010, Google Apps for Government was the first cloud computing collaboration platform to receive FISMA certification. This approval will make it easier for United States based governmental agencies or groups to evaluate and adopt Google Apps for use within their organizations.[15] Google Apps for Government includes all of the applications in the company's Google Apps Premier Edition (GAPE) suite, including Gmail, Google Docs, Google Calendar and Postini security services. The collaboration platform, which Google hosts on its servers and provisions over the Web, will run government agencies $50 per user per year, the same as GAPE for non-governmental customers.[16]
Continuous monitoring
All accredited systems are required to monitor a selected set of security controls and the system documentation is updated to reflect changes and modifications to the system. Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved.
Critique
Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS Institute, have described FISMA as a well-intentioned but fundamentally flawed tool, and argued that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security.[17] Former federal chief technology officer Keith Rhodes said that FISMA can and has helped government system security, but that implementation is everything, and if security people view FISMA as just a checklist, nothing is going to get done.[18]
Status
As of June 2010, multiple bills in Congress are proposing changes to FISMA, including shifting focus from periodic assessment to real-time assessment and increasing use of automation for reporting.[19]
References
[1] http://www.law.cornell.edu/uscode/44/3541.html
[2] http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/content-detail.html
[3] NIST: FISMA Overview (http://csrc.nist.gov/groups/SMA/fisma/overview.html)
[4] FY 2005 Report to Congress on Implementation of The Federal Information Security Management Act of 2002
[5] FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002
[6] NIST Computer Security Division 2008 report (http://csrc.nist.gov)
[7] FISMA implementation (http://csrc.nist.gov/groups/SMA/fisma/overview.html)
[8] National Vulnerability Database (http://nvd.nist.gov/)
[9] The 2002 Federal Information Security Management Act (FISMA)
[10] NIST SP 800-18, Revision 1, "Guide for Developing Security Plans for Federal Information Systems"
[11] Catalog of FIPS publications (http://csrc.nist.gov/publications/PubsFIPS.html)
[12] Catalog of NIST SP-800 publications (http://csrc.nist.gov/publications/PubsSPs.html)
[13] NIST SP 800-53A "Guide for Assessing the Security Controls in Federal Information Systems"
NIST: FISMA Implementation Project (http://csrc.nist.gov/groups/SMA/fisma/index.html)
FISMApedia project (http://www.fismapedia.org)
FISMA Guidance (http://www.fismaresources.com)
External links
NIST SP 800 Series Special Publications Library (http://csrc.nist.gov/publications/nistpubs/index.html)
NIST FISMA Implementation Project Home Page (http://csrc.nist.gov/sec-cert/)
Full text of FISMA (http://csrc.nist.gov/drivers/documents/FISMA-final.pdf)
Report on 2004 FISMA scores (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1059656,00.html)
FISMA Resources (http://www.fismacenter.com/default.asp?lnc=resources)
Rsam: Automated Platform for FISMA Compliance and Continuous Monitoring (http://www.rsam.com/rsam_fisma.htm)
License
Creative Commons Attribution-Share Alike 3.0 Unported http://creativecommons.org/licenses/by-sa/3.0/