Overview of current revisions to Federal Information Security Management Act of 2002
March 17, 2009
John W. Cook
john@johncook.net
Observations:
- Scope of Information Security practices is broad and covers federal, state, and local jurisdictions.
- Federal government is working to update their security framework.
- New (Florida) legislation proposes to clarify the role of AEIT and to create an information security plan.
- State CIO is interested in leveraging FISMA and NIST national standards.
- State needs to consider how to utilize these standards at the state and local level.
- Specifically, how to place them in the appropriate context using prior work experiences.
FISMA is a cyber security and risk-based policy initiative to promote cost-effective information security practice. It directs all federal agencies to create annual review policies and to submit reports to the Office of Management and Budget (OMB).
Points of Interest:
- Information Security (Info Sec) practices account for 9.2% of the federal IT budget
- FISMA is a comprehensive information security control catalog (framework)
- Specifically, a policy mechanism for improving operational oversight
- Defines Info Sec as the protection of both information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide:
1. Integrity
2. Confidentiality
3. Availability
NIST Standards
The National Institute of Standards and Technology (NIST), a US Department of Commerce organization, is responsible for developing the FISMA compliance framework (implementation plan) by defining standards, guidelines, and associated methods and techniques through a series of working documents called Special Publications.
Revision to FISMA Mandates
The most recent activity of interest is the extension of Recommended Security Controls for Federal Information Systems and Organizations, SP-800-53 Version 2, codified December 2005. A working draft of version 3 was released Feb 2009. Three significant revisions to the security catalog are: low-moderate-high impact baseline modifications for the allocation and enhancement of the security controls necessary to accommodate the growing threat environment and cyber attacks; specification harmonization across federal government jurisdictions; and the creation of new security controls that broaden the scope of organization-wide security programs, including a conceptual security program plan to capture organizational management requirements. A fourth section covering privacy-related material will be released in the near future as a separate publication.
Simplified Six Step Risk Management Framework
1. Categorize Information System
2. Select Baseline Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls
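The following is an added worked example, not part of the original memo and not NIST's own tooling. It models steps 1, 2, 4 and 5 of the six-step framework above: step 1 uses the high-water mark rule from FIPS 199 (the system's impact level is the highest of its confidentiality, integrity and availability impacts, the three objectives listed under Points of Interest); step 2 selects controls from a constructed mini-catalog whose baseline assignments are illustrative, not copied from SP 800-53; step 4 compares the selected controls against constructed assessment findings; step 5 derives an authorization recommendation from the assessment. The control identifiers are real SP 800-53 families, but the catalog contents, findings and the `ready_to_authorize` rule are assumptions made for the example.

```python
"""Added example: steps 1, 2, 4 and 5 of the Risk Management Framework.
Not part of the original memo; catalog allocations are illustrative."""

# Ordering of the three FIPS 199 impact levels used by the high-water mark rule.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}

# Constructed mini-catalog: (control id, title, lowest baseline that includes it).
# Real control ids, but the baseline column is an illustrative assumption only.
CATALOG = [
    ("AC-2", "Account Management", "low"),
    ("AU-2", "Auditable Events", "low"),
    ("CP-9", "Information System Backup", "low"),
    ("IA-2", "Identification and Authentication (Organizational Users)", "low"),
    ("SC-8", "Transmission Integrity", "moderate"),
    ("AU-10", "Non-repudiation", "high"),
]


def categorize(confidentiality, integrity, availability):
    """Step 1: categorize the system. The overall impact level is the
    highest (high-water mark) of the three security objectives."""
    levels = (confidentiality, integrity, availability)
    for lvl in levels:
        if lvl not in IMPACT_RANK:
            raise ValueError("impact level must be low, moderate or high: %r" % lvl)
    return max(levels, key=IMPACT_RANK.__getitem__)


def select_baseline(impact):
    """Step 2: select the baseline controls. A control belongs to the
    baseline when its lowest assigned baseline is at or below the impact level."""
    return [cid for cid, _title, minimum in CATALOG
            if IMPACT_RANK[minimum] <= IMPACT_RANK[impact]]


def assess(selected, findings):
    """Step 4: compare selected controls with assessment findings.
    findings maps control id -> 'satisfied' or 'other than satisfied'.
    Controls with no finding at all are reported as gaps in the assessment."""
    missing = [c for c in selected if c not in findings]
    failed = [c for c in selected if findings.get(c) == "other than satisfied"]
    return {"missing": missing, "failed": failed}


def authorize(report):
    """Step 5: a simple authorization rule (assumption for this example):
    recommend authorization only when no control is unassessed or failing."""
    return not report["missing"] and not report["failed"]


if __name__ == "__main__":
    # Constructed input: a records system with moderate integrity impact.
    level = categorize("low", "moderate", "low")
    controls = select_baseline(level)
    # Constructed findings: one control failed, one never assessed.
    findings = {"AC-2": "satisfied", "AU-2": "other than satisfied",
                "CP-9": "satisfied", "SC-8": "satisfied"}
    report = assess(controls, findings)
    print("impact level:", level)
    print("baseline:", controls)
    print("report:", report)
    print("authorize:", authorize(report))
```

Step 6 (monitor) is the same `assess` comparison run again on each new set of findings; any control that moves from satisfied to other than satisfied after authorization is what continuous monitoring is meant to surface.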
Works Cited:
http://en.wikipedia.org/wiki/FISMA
http://csrc.nist.gov/publications/drafts/800-53/800-53-rev3-markup-02-05-2009.pdf