Federal Information Security Management Act
(FISMA)
Timothy C. Fitzgerald
U.S. Department of State
February 2004
A FISMA Reference Model

Agenda
• History, Statutes and Guidelines
• Assumptions
• FISMA Overview
• The Agency Program
• Supporting the Processes
• Plan of Actions and Milestones
• Audit and Inspection Areas
• Timeline
• Report Building
• Next Steps
Assumptions
• Definitions
• IT Inventory
• Accountability

History and Statutes
• 1929: Federal Records Act
• 1942: Federal Reports Act
• 1947: Hoover Commission
• 1949: Federal Property and Administrative Services Act
• 1952: Still-classified Executive Order establishing NSA
• 1965: Brooks Automatic Data Processing Act (Brooks Act)
• 1974: Privacy Act
• 1978: Inspectors General Act
• 1984: NSDD-145: National Policy for the Security of National Security Telecommunications and Information Systems
• 1988: Warner Amendment to Brooks Act
• 1987: Computer Security Act of 1987
• 1990: NSD-42: National Policy for the Security of National Security Telecommunications and Information Systems
• 1990: Chief Financial Officers Act
• 1993: Government Performance and Results Act (GPRA)
• 1995: Paperwork Reduction Act of 1995; OMB Circular A-130, App. III, Security of Federal Automated Information
• Executive Order 13010, Critical Infrastructure Protection
• Executive Order 13011, Federal Information Technology
• 1996: Information Technology Management Reform Act (renamed Clinger-Cohen Act of 1996)
• Health Insurance Portability and Accountability Act (HIPAA) (updating Privacy Act)
• 1997: President’s Commission on Critical Infrastructure Protection releases report
• 1998: PDD-63, Protecting America’s Critical Infrastructures
• Government Paperwork Elimination Act (GPEA)
• 2000: Government Information Security Reform Act (GISRA) (formerly Thompson-Lieberman Act)
• 2001: USA Patriot Act
• 2002: Homeland Security Act (Title X – Information Security) replaced by E-Government Act - Federal Information Security Management Act (FISMA)
• 2003: Homeland Security Presidential Directive HSPD-7

Guidelines
• OMB Circular and Memoranda
• National Institute of Standards and Technology (NIST) FIPS and SP
• Committee for National Security Systems (formerly National Telecommunications and Information Systems Security Committee (NTISSC))
• Federal Information Systems Control Audit Manual (FISCAM)

This Reference Model
(Diagram.) Roles: Agency Head; CIO; Senior Agency Officials; Senior Agency Information Systems Security Officer.
Elements: Agency Mission; Strategic Goals & Objectives § 3544(a)(1)(c); Certification and Accreditation §3544; Agency-wide Security Program §3544(b); Agency Information System Programs §3544(a)(2); Enterprise Architecture (CCA); Capital Investment Planning (CCA); Performance Plans §3544(d).

Agency Mission
(Diagram.) Agency Mission; Office of Management and Budget (OMB): Memoranda & Circulars; National Institute of Science and Technology (NIST): FIPS and Special Publications; Title 40, 11331.

This Reference Model
(Diagram; same reference model as above, here with the Senior Agency Information Security Officer, Certification and Accreditation §3544, Agency-wide Security Program §3544(b), Agency Information System Programs §3544(a)(2) and Performance Plans §3544(d) shown against the Agency Mission, Strategic Goals & Objectives § 3544(a)(1)(c), Enterprise Architecture (CCA), Capital Investment Planning (CCA), CIO, Agency Head and Senior Agency Officials.)

Agency-wide Security Program
(Diagram.) Information Assurance Program; Agency-wide Security Program §3544(b); Performance Plans §3544(d); Office of Management and Budget (OMB); with the reference model elements (Agency Mission, Strategic Goals & Objectives § 3544(a)(1)(c), Enterprise Architecture (CCA), Capital Investment Planning (CCA), CIO, Agency Head, Senior Agency Information Security Officer).

Agency-wide Security Program
Agency-wide Security Program §3544(b) components:
• Security Policy
• Architecture
• Access Controls
• Network Monitoring
• Personnel Security
• Mainframe Security
• Education, Training and Awareness
• Physical and Environmental Security
• Systems Evaluations
• Continuity of Services
• Technical Security
• Technical Security Countermeasures
• Enterprise Network Management
• Lifecycle Management
• Virus Program
• Computer Emergency Response Capability
• Cryptographic Services
Performance Plans §3544(d)

Agency Information System and Programs
(Diagram.) Mission Program Plans; Information Management Modernization Plans; Agency Information System Programs §3544(a)(2); Performance Plans §3544(d); with the reference model elements (Agency Mission, Strategic Goals & Objectives § 3544(a)(1)(c), Enterprise Architecture (CCA), Capital Investment Planning (CCA), CIO, Agency Head, Senior Agency Officials).

Capital Investment Planning
(Diagram.) Capital Investment Process: OMB Circular A-11, Exhibits 52, 53 and 300; Office of Management and Budget (OMB); with the reference model elements (Agency Mission, Strategic Goals & Objectives § 3544(a)(1)(c), Enterprise Architecture (CCA), Capital Investment Planning (CCA), CIO, Agency Head).

Certification and Accreditation
(Diagram.) Risk Management; Information Requirements; Technology Modernization Projects; Balance of Requirements and Technology vs. Vulnerabilities, Threats and Risk; with the reference model elements (Agency Mission, Strategic Goals & Objectives § 3544(a)(1)(c), Enterprise Architecture (CCA), Capital Investment Planning (CCA), CIO, Agency Head).

This Reference Model
(Diagram; the full reference model again: Agency Head, CIO, Senior Agency Officials, Senior Agency Information Security Officer; Agency Mission; Strategic Goals & Objectives § 3544(a)(1)(c); Certification and Accreditation §3544; Agency-wide Security Program §3544(b); Agency Information System Programs §3544(a)(2); Enterprise Architecture (CCA); Capital Investment Planning (CCA); Performance Plans §3544(d).)

Plans of Action and Milestones
• IT Audit Findings
• IT Inspections Findings
• C&A Residual Findings
– IATO
– Denials
• CIP Assessments
• Self-Assessments (NIST SP 800-26)
• GAO Audits

PoA&Ms
(Diagram.) Plans of Action and Milestones; Risk Management; Prioritize IT Spending: fixing the important weakness first; OMB Circular A-11, Exhibits 52, 53 and 300; with the reference model elements (Agency Mission, Strategic Goals & Objectives § 3544(a)(1)(c), Enterprise Architecture (CCA), Capital Investment Planning (CCA), CIO, Agency Head).
Audit
• Asset Management
• Enterprise Architecture
• Technology Capital Investment Planning
• Certification and Accreditation
• Information Assurance Programs
• Agency Information System Programs

Inspection
• Management Controls
– Roles and Responsibility Implementation
– Policy and Procedures Implementation
• Operational Controls
– Executed Logs, Checklists, Procedural Documents
• Technical Controls
– Validation Assessments

FISMA Timeline
(Diagram; fiscal year Oct–Sep.) 4th Quarter PoA&Ms; Agency Corrective Action Plans; 1st Quarter PoA&Ms; 2nd Quarter PoA&Ms; 3rd Quarter PoA&Ms; Agency-wide Security Program Audits and Inspections; Agency Information System Programs Audits and Inspections; Agency FISMA Report; OMB FISMA Report to Congress.

Building the Report
• Clearly Defined Roles and Responsibilities
• An Approved Agency-wide Security Plan
• An IT Asset and Logistic Process
• Realistic Certification and Accreditation Process and Schedule
• Integration of the PoA&M Reporting into the Management Process
• Cross-Statute Issues
• Rollup of Inspections and Audit Findings
Next Steps
• Modify Audit And Inspection Guidelines
• Plan Security Program Reviews
• Fiscal Timeline For Reporting
• Rollup Results To FISMA Report