Journal

Documenting current activities and success

Tuesday, March 17, 2009

Current revisions to FISMA 2002

Overview of current revisions to Federal Information Security Management Act of 2002
March 17, 2009
John W. Cook
john@johncook.net

Observations:
- Scope of Information Security practices is broad and covers federal, state, and local jurisdictions.
- Federal government is working to update their security framework.
- New (Florida) legislation proposes to clarify role of AEIT and create information security plan.
- State CIO is interested in leveraging FISMA and NIST national standards.
- State needs to consider how to utilize these standards at the state and local level.
- Specifically, how to place them in the appropriate context using prior work experiences.

FISMA is a cyber security and risk-based policy initiative to promote cost-effective information security practice. It directs all federal agencies to create annual review policies and submit reports to the Office of Management and Budget (OMB).

Points of Interest:
- Information Security (Info Sec) practices account for 9.2% of the Fed IT budget
- FISMA is a comprehensive information security control catalog (framework)
- Specifically, a policy mechanism for improving operational oversight
- Defines Info Sec to protect both information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide:
1. Integrity
2. Confidentiality
3. Availability

NIST Standards
The National Institute of Standards and Technology (NIST), a US Department of Commerce organization, is responsible for developing the FISMA compliance framework (implementation plan) by defining standards, guidelines, and associated methods and techniques in a series of working documents called special publications.

Revision to FISMA Mandates

Most recent activities of interest include extension of Recommended Security Controls for Federal Information Systems and Organizations, SP-800-53 Version 2, codified December 2005. A working draft, version 3, was released Feb 2009. Three significant revisions to the security catalog include: low-moderate-high impact baseline modifications for the allocation and enhancement of security controls necessary to accommodate the growing threat environment and cyber attacks; specification harmonization across federal government jurisdictions; and creation of new security controls to broaden the scope of organization-wide security programs, including a conceptual security program plan to capture organizational management requirements. A fourth section regarding privacy-related material will be released in the near future as a separate publication.

Simplified Six Step Risk Management Framework
1. Categorize Information System
2. Select Baseline Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls

Works Cited:
http://en.wikipedia.org/wiki/FISMA
http://csrc.nist.gov/publications/drafts/800-53/800-53-rev3-markup-02-05-2009.pdf

Tuesday, February 3, 2009

Cloud Computing Affords Higher Scalability with Hypervisors

Just a few years ago, Amazon.com was one of the forerunners in cloud computing by offering low-cost, highly available network storage. Today, cloud computing is beginning to provide lower cost for processing resources through use of virtual servers and a new technology called a hypervisor.

Cloud computing is a metaphor used to describe a new class of network-based computing services.

A hypervisor is a virtual machine software component that eliminates alternative device driver shims (commonly used by VMware and Microsoft) installed between the microprocessor and the operating systems. With a hypervisor, this additional overhead is no longer necessary. Operating systems and applications can now execute in purely encapsulated virtual sessions.

The significance of this new technology is that, with a hypervisor, VM systems can achieve higher economies of scale for the server farm and the knowledge worker. One such technology recently acquired by Citrix, Inc., called Xen, claims to reduce VM overhead from 35% to as little as 3%.

Hypervisors also promise new functionality by allowing mobile users to seamlessly disconnect from a virtualization host and continue working on a desktop running its own hypervisor.

Benefits of a hypervisor VMM are more stable server and desktop environments. Increased security protection is also achieved. Because hypervisors create protective boundaries between working environments and make them more secure, operating systems and specialized applications, including antivirus protection, can now execute alongside the hypervisor or another guest OS, separate from the working operating system space.

http://www.xen.org/

Saturday, August 30, 2008

As a prospective MBA student, I choose to grow

FSU's campus is a nurturing environment. It's a place to explore academic and personal opportunities. It's also a place to challenge and push yourself. I attribute some of my successes to working on projects and roles outside my comfort zone and skill set. For the Fall semester, I have enrolled in several business courses in preparation for attending an MBA program in 2009.

Thursday, July 31, 2008

John Paul II Catholic High School

During Summer 2008, student volunteers from the FSU College of Information participated in a community service program to assist the JPII Catholic High School with performing a comprehensive technology inventory assessment. Another aspect of this project is to assist the school with creating their technology plan in a format that can be communicated, documented, and well organized. As an initial effort, volunteers worked to complete four tasks:

1. Determine Strategy and Objectives
2. Perform Inventory Assessment
3. Compile and Create Documentation
4. Refurbish Inoperable Desktops


The assessment consists of several deliverables, including an inventory of hardware and software assets, a technology plan, and a centralized document store. The technology inventory contains an extensive amount of detail to benefit JPII, both administratively and operationally. With over 400 documented hardware and software elements contained in the inventory, JPII decision makers now have the ability to electronically locate all working and non-functional technology assets used in support of academic learning objectives.

Student volunteers also assembled a technology plan for consideration by JPII Catholic High School stakeholders. Using current best practices for information technology planning methodologies, the technology plan can be used as a common reference point to assist JPII stakeholders and volunteers with future planning efforts. A centralized document store has also been designated.

Tasks to refurbish inoperable desktops remain in planning stages due to schedule changes.

Since May 2008, twelve student volunteers donated approximately 720 man hours of technology resources to complete work tasks. The estimated value of current work tasks is approximately $24,930.00.

Although several work objectives remain incomplete, current project deliverables contain practical information to better manage current resources. These documents are available for immediate use.

Tuesday, July 22, 2008

More content coming soon

As the end of the summer semester nears, I continue to organize more personal activities and work experiences on this site. Professionally, I plan to highlight work accomplishments to suit a wide range of audiences. On the personal side, I will be spending time documenting my cooking activities, original menus, and maybe a few pictures of my outdoor cooking center.

Sunday, July 13, 2008

Not like I don't have enough to say these days

As part of a course assignment, I am to create a YouTube video to demonstrate communications and technological proficiency. Well, I really like big productions. They give me goose bumps. Not to worry though, because the $40 Logitech camera doesn't have autofocus. And yes, I know how to fix it!

Sunday, May 11, 2008

Summer classes are now in session

I had two wonderful weeks of downtime to enjoy completion of the spring semester. It was difficult at times, but I completed 18 credit hours. The hard work paid off for me because I earned my place on the Dean's list for the first time. Now I have to go back and hit the books for another round. The question is, will it be my last round of college?

Whew! It was a big accomplishment for me personally and I now see the light at the end of the tunnel. I am now fifteen hours away from completing the Information Technology program and given high scores received thus far, I expect continued positive momentum and am confident I can perform in similar conditions of the summer semester. If all goes well, I can expect to complete the program this summer.

Attached is my HTML calendar containing my summer schedule.