FISMA 2.0: Feds Meet New Security Standard
Federal information security managers are in the early stages of updating their computer systems to conform to the Federal Information Systems Modernization Act, which President Obama signed into law in December.
The new law updates cybersecurity accountability, reporting requirements and overall security strategies. At its core, it was written to help agencies better share information as well as provide greater insight into the security threats the government and the nation’s critical infrastructure now face.
The law is the first major federal security update since the Federal Information Security Management Act of 2002, which has served as the government’s security standard for
more than a decade.
With the Times
“FISMA needed to change to reflect today’s data security realities,” says Rich Santalesa, founding member of the Sm@rtEdge Law Group, which specializes in the digital economy. “With the increase in large-scale data breaches, there’s a general perception that Federal agencies have fallen behind in securing their systems against current threats.”
One of the law’s most important components is its focus on account-ability. Each agency head is now responsible for delegating other senior agency officials — including the CIO, CISO or other equivalent position — to carry out the law’s requirements.
“Senior agency executives are expected to have a reasonable understanding of agency security to provide sufficient IT security funding, which is welcome news in light of recent flat and declining agency budgets,” says Tonya Manning, the Department of Labor’s director of information assurance. “This will help us communicate more effectively with the agency’s senior executives and get the budget support we need.”
Manning says that aspect of the law will help component agencies obtain the additional resources needed to strengthen their security programs, which is the case at places such as the U.S. Census Bureau.
“We’ll be working more closely with our parent agency, the Department of Commerce, to make sure we’re in alignment and can provide them with the information they need to provide as part of FISMA reporting,” says Timothy Ruland, chief of the bureau’s Office of Information Security.
The number of data breach events in the federal government in 2013 that involved personally identifiable information, up from 10,481 in 2009
SOURCE: Government Accountability Office, “Federal Agencies Need to Enhance Responses to Data Breaches,” April 2014
Oversight Changes
As with the first version of FISMA, the update’s oversight is assigned to the Office of Management and Budget (OMB); however, increased operational responsibility will also shift to DHS, which is responsible for the coordination of governmentwide information security efforts.
“This is a positive step,” says Gregory Wilshusen, director of information security issues at the Government Accountability Office. “OMB certainly could review agency budget plans, but it often lacked the expertise to understand agency security programs in depth. DHS is much better positioned to provide that kind of assistance.”
That aspect of the law closely follows the recent National Cybersecurity Protection Act of 2014, which tasked DHS with creating the National Cybersecurity and Communications Integration Center to share information on security incidents across agencies and critical infrastructure operators.
Incident Reporting
As part of information sharing efforts, the FISMA update requires agencies to notify Congress of major security incidents within seven days of their occurrence. Agencies must also provide annual reports detailing the threats, threat actors, detection, and related vulnerabilities and impacts.
“Until now, agencies just reported the effectiveness of their security controls in their annual reports to Congress,” Wilshusen says. “The law’s requirement to also report compliance of the affected systems with security requirements at the time of the incident will help to discover whether incidents are occurring because of weak controls.”
For incidents involving personally identifiable information, reports must include the number of individuals affected and a description of the exposed information.
Agency response to FISMA was frequently criticized for conforming to lists of controls from the National Institute of Standards and Technology, rather than addressing actual threats.
As part of the ongoing trend toward risk-based security, the FISMA update calls for agencies to perform periodic risk assessments to evaluate the security posture of information systems and create security policies and procedures based on those risk assessments. It also looks for agencies to do periodic testing and evaluation of security controls to ensure they’re effective.
“We’ve been implementing a very robust risk management framework using NIST guidelines,” Ruland says. “It will help us tailor how we monitor system controls and get away from a checklist mentality. It also helps us embed security in any new system or software development.”
Automated Tools
The act also looks toward government use of automated tools to continuously monitor networks, allowing agency officials to decide if they would prefer to deploy a commercially available solution that meets their needs.
“Much of this will involve tools for ongoing hardware and software inventory to detect rogue assets, as well as vulnerability assessment, endpoint malware protection and automated patching and configuration monitoring to ensure baseline systems configurations haven’t changed,” says Jennifer Nowell, senior director of U.S. public sector strategic programs for Symantec. “There will also be more focus on identity management and data loss prevention to ensure sensitive information isn’t leaving the agency in emails or getting into the wrong hands.”
Santalesa says next-generation firewalls and Big Data analytics tools that focus on anomalies in system behavior will become more important.
Many of those tools can be procured through the DHS’s Continuous Diagnostics and Mitigation program.
“If they’re properly designed and implemented, they can help agencies identify and prioritize the security actions and controls that need to be taken to improve their security posture,” Wilshusen says. “They can focus on the most impactful actions, recognizing that resources are constrained.”
Many of the components of the FISMA update pull together initiatives and trends that were already occurring in many agencies. The new law will ensure that they spread across government, bringing with it a safer computing environment for all.