In analyzing FISMA and breaking down its requirements from an agency perspective, a useful approach for the CISO to take is to clarify its requirements in four categories: general requirements, requirements for senior agency officials, requirements for CIOs, and requirements for agency information security programs. These categories are addressed in the following four sections, in which agency perspectives are reflected according to what I have observed in my experiences with implementing FISMA-based information security programs at the federal agency level.
General FISMA Requirements
There are four requirements in this category. These include establishment of the agency information security program, integration of information security management into agency processes, annual reporting, and availability of trained personnel.
Information Security Program: Agencies normally meet this requirement by developing and maintaining an agency-wide information security policy document. This policy may be written in varying degrees of detail, but at a minimum establishes the authority for the program and its related roles and responsibilities. The scope of the policy document may also vary by agency in that it may cover all aspects of information security, or may be limited to specific subsets such as information technology security, security of classified information, security of non-automated information, etc.
Process Integration: Agencies integrate information security management processes with agency strategic and operational planning processes in response to FISMA requirements by linking them to processes for managing the agency strategic plan, the information resource/information management strategic plan, the enterprise architecture, capital planning and investment control, enterprise IT architecture, system development life cycle, and IT project management. Requirements documented in the information security policy are linked to these processes to ensure that critical security activities are performed and are completed in a timely and cost-effective fashion.
Annual Reporting: The general requirement for the CIO to report to the agency head annually on the effectiveness of information security program and status of remedial actions is normally accomplished through submission of the annual FISMA Report. This may be accompanied by expanded documentation on the health and posture of the program as specified by agency executive management, and a formal presentation to the head of the department or agency on this topic. Additional reporting may result from quarterly FISMA reporting being channeled to the agency head for information or approval, as well as other, more frequent reporting resulting from the agency continuous monitoring process.
Training: The requirement for the agency to ensure that there are sufficient trained personnel available for the information security program falls under the purview of the CISO, who manages the program and its supporting functions. This extends to the CISO's management of the staffing of dedicated security personnel for his office, as well as overseeing the designation, training, and performance of personnel assigned to other established information security roles, including authorizing officials, system owners, and information system security officers. The CISO fulfills this requirement through the use of staffing plans in concert with human resources personnel, and by means of agency-level performance measurement plans and processes.
Requirements for Senior Agency Officials
This second category encompasses requirements applicable to senior agency-level officials given responsibility for the security of information and information systems, and includes four process-specific requirements for these officials to address: risk assessment, categorization, policies and procedures, and systems certification.
Risk Assessment: Designated senior agency officials, normally system owners and authorizing officials, are required to ensure that risks to the information and information systems under their control are assessed for the probability and impact of their "unauthorized access, use, disclosure, disruption, modification, or destruction." To satisfy this requirement, owners of agency systems must ensure that NIST SP 800-30-compliant risk assessments are performed as part of the system authorization process and are included in the system authorization package for use by the authorizing officials to accredit the system. System owners are also charged with performing risk assessments when systems undergo significant change.
Categorization: To comply with FISMA requirements in this area, system owners evaluate the information processed, stored, or transmitted by their information systems using NIST SP 800-60 and Federal Information Processing Standard (FIPS) 199 to categorize the system to serve as a basis for determining the appropriate levels of protection required. The result of this process is identification of system information types and categorization of the system as high, moderate, or low, based on the system's security requirements for confidentiality, integrity, and availability.
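The categorization step above follows a fixed rule that is worth seeing carried out: FIPS 199 sets the system's impact level for each security objective to the highest level among the information types it handles, and FIPS 200 takes the overall system category as the high-water mark across the three objectives. The following is an added example, not code from the book or from NIST; the information types, their provisional impact levels and the owner adjustment are constructed for illustration (NIST SP 800-60 Volume II publishes the real provisional values).

```python
"""FIPS 199 security categorization of an information system.

Added example, not from the book excerpt. Each information type carries
provisional impact levels for confidentiality, integrity and availability
(NIST SP 800-60 Volume II lists real provisional values; the values used
below are constructed for illustration). The system's impact level for each
security objective is the highest level among its information types, and the
overall system categorization is the high-water mark across the three
objectives (the FIPS 199 / FIPS 200 rule).
"""
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")   # ordered from least to most impact
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # System owner adjustments with a written justification (SP 800-60 permits
    # raising or lowering a provisional level): {"objective": ("level", "reason")}
    adjustments: dict = field(default_factory=dict)

    def level(self, objective: str) -> str:
        if objective in self.adjustments:
            return self.adjustments[objective][0]
        return getattr(self, objective)


def _rank(level: str) -> int:
    """Order impact levels so max() picks the higher one; reject unknown labels."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def objective_levels(info_types):
    """Per-objective impact for the system: the maximum over its information types."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max((t.level(obj) for t in info_types), key=_rank)
        for obj in OBJECTIVES
    }


def system_category(info_types) -> str:
    """Overall categorization: high-water mark across the three objectives."""
    return max(objective_levels(info_types).values(), key=_rank)


def sc_expression(info_types) -> str:
    """FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    levels = objective_levels(info_types)
    inner = ", ".join(f"({obj}, {levels[obj].upper()})" for obj in OBJECTIVES)
    return f"SC = {{{inner}}}"


# Constructed sample: a hypothetical licensing system with two information types.
SAMPLE_SYSTEM = [
    InfoType("licensing records", "low", "moderate", "low"),
    InfoType("personally identifiable information", "moderate", "moderate", "low",
             # owner raised availability because the public portal must stay up
             # during filing season (constructed justification)
             adjustments={"availability": ("moderate", "filing-season portal uptime")}),
]

if __name__ == "__main__":
    print(sc_expression(SAMPLE_SYSTEM))
    print("overall system category:", system_category(SAMPLE_SYSTEM))
```

The sample lands at moderate for all three objectives, so the system is categorized moderate; a single information type rated high for any one objective would pull the overall category to high, which is exactly why the high-water mark tends to drive protection requirements upward and why owners document any downward adjustment.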
Policies and Procedures: The responsibilities of the senior agency officials referenced in this requirement are normally fulfilled by system owners, who must implement the requirements of the information security policy and procedures in the form of security controls to cost-effectively reduce risks to information and information systems under their responsibility. In response to this requirement, system owners document security controls in system security plans and note weaknesses in plans of action and milestones following the guidance of NIST SP 800-18, 800-37, and 800-53.
Systems Certification: This requirement calls for the periodic testing and evaluation of information security controls and techniques to ensure they have been effectively implemented. Security certification or security testing and evaluation processes have been employed by government agencies to meet requirements of this type as part of the system authorization process, which requires reaccreditation every three years, or when significant changes to information systems are proposed. Guidance for performing testing and evaluation activities is provided in NIST SP 800-37, 800-53, and 800-53A.
Requirements for CIOs
This third category comprises requirements applicable to agency CIOs, who are given authority by the agency head to ensure compliance with agency-applicable FISMA requirements. The CIO category includes four requirements relating to designation of an agency CISO: provision of security assistance, development of policies and procedures, system configuration, and specialized security training.
Senior Agency Information Security Officer: The CIO is charged under FISMA to designate a senior agency information security officer (SAISO) whose primary duty is information security and who leads an office in the performance of his or her functions. Agencies typically meet this requirement by appointing a full-time CISO under the direction of the CIO, although other position titles are often used. The CISO carries out the CIO's information security responsibilities, most often heads an office assigned the information security or information technology security function, and competes with other agency elements for resources necessary to fulfill the information security mission.
Security Assistance: The CISO, acting on behalf of the CIO, provides assistance to senior agency officials concerning their information security responsibilities, including risk assessment, categorization, policies and procedures, weakness remediation, and systems certification. Many agency CISOs perform this assistance function through the use of security service and support contracts to provide support to system owners in meeting these requirements. Additional assistance in performing information security responsibilities is provided through information sharing (e.g., ISSO councils), periodic outreach, and publication of guidelines and instructions.
Policies and Procedures: Under FISMA, the CIO must develop and maintain information security policies, procedures, and control techniques to address all applicable FISMA requirements, including those issued by OMB. This function is carried out for the CIO by the CISO and includes documentation of the information security policy, standards, procedures, guidelines, instructions, processes, and templates.
Specialized Security Training: The CIO is charged with training and overseeing personnel assigned significant information security responsibilities as part of their duties, and normally relies on the CISO to develop and deliver role-based training according to NIST SP 800-16. This training is targeted at individuals performing duties as authorizing officials, system owners, ISSOs, system administrators, project managers, developers, as well as IT managers, operators, and executives.
Information Security Program Requirements
The fourth category addresses the requirements found in Section 3544(b), which pertain to agency information security programs. Such programs must be applicable agency-wide and must be approved by OMB. In this category, we find eight requirements relating to periodic assessment of risk, development of policies and procedures, security planning, awareness training, periodic controls testing, remediation of deficiencies, security incident response procedures, and continuity of operations for information systems.
Risk Assessment: In addition to the requirements levied on senior agency officials as noted earlier, the agency information security program must provide for periodic assessments of risk to information and information systems. This should include provisions for annual updates of existing risk assessments, and completion of a risk assessment as part of periodic information system reauthorization.
Policies and Procedures: In addition to related requirements for the CIO and for senior agency officials, FISMA requires the agency program to include development and maintenance of cost-effective information security policies and procedures that reduce risks to an acceptable degree, ensure that security is addressed throughout the life cycle of agency information systems, and ensure compliance with FISMA, OMB, NIST, agency-specific, and national security systems directives and guidance. In response to this requirement, agencies find it necessary to develop policies and procedures that address specific provisions of NIST guidance such as the controls requirements of NIST SP 800-53, and also publish security configuration baselines to document agency-specific, minimally acceptable configuration standards.
Security Planning: The agency information security program must include provisions for subordinate plans for protecting agency networks, facilities, systems, or groups of systems. To do this, agencies document requirements for security plans for their information systems in accordance with NIST Special Publication 800-18, and require security plans to be included in system authorization documentation.
Security Awareness Training: The agency program must address requirements for training of all users on risks associated with their activities and on their responsibilities for complying with agency information security policies and procedures. In response to this requirement, agencies provide user-level security awareness information (often computer based) to employees and contractors at least annually, and on an occasional, as-needed basis, through e-mail messages, announcements, newsletters, etc.
Controls Testing: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices must also be a part of the agency information security program. This must include testing of management, operational, and technical controls for every system listed in the agency inventory based on the level of risk to the system, but no less frequently than annually. Agencies devised plans for conducting annual controls testing that first aimed at testing all controls of all systems, and the NIST SP 800-26 self-assessment approach was normally used to meet the requirement. NIST refined its guidance to encourage the testing of a subset of controls for each system according to risk, to which agencies responded by identifying core controls for annual testing and a combination of biennial or triennial testing for the remaining controls. To lessen the burden of this requirement, certification testing of systems undergoing reaccreditation was also accepted as satisfying it. More recently, agencies have used the incremental testing associated with their continuous monitoring efforts to meet this requirement.
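The risk-based scheme just described (core controls every year, the rest on a biennial or triennial cycle set by the system's risk) has one edge case that an annual test plan must handle: a system whose non-core controls were all tested recently and which has no core control would otherwise get nothing scheduled, breaching the "no less frequently than annually" floor. The example below is added here and is not the book's or any agency's tool; the inventory, the last-tested years and the assignment of controls to the core tier are constructed (the control identifiers such as AC-2 are real NIST SP 800-53 control IDs, but the tiering and intervals are an assumed agency policy, not NIST guidance).

```python
"""Risk-based annual controls testing schedule (added example, not from the book).

Constructed inventory: each system has a FIPS 199 category and a set of
NIST SP 800-53 controls (IDs such as AC-2 are real control identifiers; the
split into core and non-core, the test intervals and the last-tested years
are constructed). Core controls are tested every year; the remaining controls
are spread over biennial or triennial cycles by the system's risk. The
schedule enforces the FISMA floor that every system is tested at least
annually, even when nothing on its cycle happens to fall due.
"""

# Assumed agency policy: test interval in years by tier and system category.
TIER_INTERVAL = {
    "core": {"high": 1, "moderate": 1, "low": 1},
    "noncore": {"high": 2, "moderate": 3, "low": 3},
}

# Controls the (constructed) policy designates as core, tested annually everywhere.
CORE_CONTROLS = {"AC-2", "CM-6", "IR-4", "RA-5", "CP-9"}


def interval_years(control: str, category: str) -> int:
    """Years between tests for one control on a system of the given category."""
    tier = "core" if control in CORE_CONTROLS else "noncore"
    return TIER_INTERVAL[tier][category]


def due_controls(system: dict, fiscal_year: int) -> list:
    """Controls due in fiscal_year: never tested, or last test older than the interval."""
    due = []
    for ctrl in sorted(system["controls"]):
        last = system["last_tested"].get(ctrl)   # fiscal year of last test, or None
        if last is None or fiscal_year - last >= interval_years(ctrl, system["category"]):
            due.append(ctrl)
    return due


def build_schedule(inventory: dict, fiscal_year: int):
    """Return (schedule, forced): controls to test per system, and the systems
    where the annual floor had to force a test because nothing was due."""
    schedule, forced = {}, []
    for name, system in inventory.items():
        ctrls = due_controls(system, fiscal_year)
        if not ctrls:
            # FISMA floor: every inventoried system is tested at least annually,
            # so pick the control with the oldest test rather than skip the system.
            stalest = min(system["controls"],
                          key=lambda c: system["last_tested"].get(c, -1))
            ctrls = [stalest]
            forced.append(name)
        schedule[name] = ctrls
    return schedule, forced


# Constructed inventory (system names, categories and test history are made up).
INVENTORY = {
    "grants-portal": {
        "category": "high",
        "controls": {"AC-2", "AC-17", "AU-6", "CM-6", "SC-7"},
        "last_tested": {"AC-2": 2023, "AC-17": 2022, "AU-6": 2023, "CM-6": 2023, "SC-7": 2021},
    },
    "hr-reporting": {
        "category": "moderate",
        "controls": {"AC-17", "AU-6", "PE-3"},
        "last_tested": {"AC-17": 2023, "AU-6": 2022, "PE-3": 2023},
    },
}

if __name__ == "__main__":
    plan, forced = build_schedule(INVENTORY, 2024)
    for name, ctrls in plan.items():
        flag = " (forced by annual floor)" if name in forced else ""
        print(f"FY2024 {name}: {', '.join(ctrls)}{flag}")
```

For FY2024 the high system gets its core controls plus every non-core control two or more years old, while the moderate system, with nothing on its three-year cycle due, is still scheduled for its stalest control. Feeding the resulting findings into the POA&M process described in the next paragraph is the natural next step, since controls that fail testing become tracked weaknesses.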
Remediation of Weaknesses: The agency information security program must provide for a process to plan, implement, evaluate, and document remediation of deficiencies in agency policies, procedures, and practices. For this, agency CISOs rely on the plan of action and milestones (POA&M) process, and use the process to consolidate information on security weaknesses, support it with automated mechanisms to create a primary repository of vulnerabilities, and use it to track remediation activities in coordination with system owners.
Incident Response: Procedures for incident detection, reporting, and response to security-related incidents must be addressed in the agency information security program. The program must also include mitigation of risks resulting from the incident and appropriate notification to internal and external officials having a need to know. To achieve this, agency CISOs establish incident response capabilities that provide a means of receiving, responding to, analyzing, reporting, and documenting security incidents during and beyond normal agency operating hours. This capability is supported by documented operating procedures that also provide guidance on performing these tasks as well as identification and detection of incidents, and coordination and investigation roles and responsibilities.
Continuity of Operations: Finally, the agency program must also include plans and procedures for ensuring the continuity of operations for agency information systems. To meet this requirement, CISOs develop policies and procedures for development, testing, and update of system-level contingency plans, and assign system owners responsibility for compliance. Inclusion of these plans in system authorization packages is often a requirement, as is annual testing and update of these plans in accordance with the testing guidance of NIST SP 800-34.
Patrick D. Howard is Chief Information Security Officer of the Nuclear Regulatory Commission. This is from his most recent book, FISMA Principles and Best Practices: Beyond Compliance, published by Auerbach Publications in March 2011.