The assignment of roles and responsibilities for information security within the federal government was clarified or reiterated within FISMA to cover policy, procurement, standards, and incident response. Although FISMA was the last major legislative framework, over the years the foundation has been built upon by a series of Executive Orders, directives, policies, regulations, standards and guidelines. Within FISMA, several specific roles were identified:
• Director of the Office of Management and Budget (OMB).
• National Institute of Standards and Technology (NIST).
• Federal Agencies:
  • Head of Agency or equivalent.
  • Chief Information Officer (CIO).
  • Senior Agency Information Security Officer (SAISO).
• Secretary of Defense (SecDef).
• Director of the Central Intelligence Agency (CIA).
3From 104th Congress. Paperwork Reduction Act of 1995. Washington: US Congress; 1995. In part it ensured “the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to the privacy and confidentiality, including section 552a of title 5, security of information, including the Computer Security Act of 1987 (Public Law 100-235); and access to information, including section 552 of title 5.”
4Public Law 104-106, Information Technology Management Reform Act of 1996 (also known as the Clinger-Cohen Act) directed the National Institute of Standards and Technology (NIST) to develop standards, guidelines, and associated methods and techniques for federal computer systems. The standards and guidelines issued by NIST, known as Federal Information Processing Standards (FIPS), are used government-wide and developed when there are compelling federal government requirements and there are no existing voluntary standards to address the federal requirements for the interoperability of different systems, the portability of data and software, and computer security.
5Section 3541 defined the purpose of the Subchapter III—Information Security.
105 Introduction to FISMA
In this section, each role will be discussed as it relates to the responsibilities described in FISMA.
Director of OMB
OMB has as one of its key roles6 the responsibility to implement and enforce government-wide policies. Through FISMA, the Director of OMB was given the authority for overseeing the federal agency implementation and enforcement of security policies and practices. The authorities included:
• Developing and overseeing the implementation of policies, principles, standards, and guidelines on information security (including ensuring timely adoption and compliance by federal agencies);
• Requiring federal agencies to identify and provide for the information security protection for federal information systems and information;
• Coordinating and developing standards and guidelines;
• Overseeing federal agency compliance with FISMA requirements;
• Reviewing (approving/disapproving), at least annually, federal agency information security programs;
• Coordinating information security policies and procedures with related information resources management policies and procedures;
• Overseeing the operation of the federal information security incident center;7 and
• Reporting annually to Congress on compliance by federal agencies with FISMA requirements (no later than March 1).8
These authorities were limited with respect to national security systems (NSSs),9 except as they relate to budgetary actions and annual reporting to Congress. In this chapter, only those aspects of NSSs related to the NIST Risk Management Framework (RMF) will be discussed.10
6For additional information on the function of the Office of Management and Budget (OMB), see http://www.whitehouse.gov/omb/organization_mission.
7The Federal Computer Incident Response Capability (FedCIRC) resides within the Department of Homeland Security (DHS), National Cyber Security Division (NCSD), Information Analysis and Infrastructure Protection (IA&IP) Directorate. For more information on the IA&IP, see http://www.dhs.gov/xlibrary/assets/CII_Act.pdf.
8The annual FISMA report includes: summary of findings of annual independent evaluations (e.g., Office of Inspector General Audits), assessment of adoption and compliance with the NIST standards and guidelines, significant deficiencies in federal agency information security practices, any planned remediation actions to address deficiencies, and summary of a report developed by the NIST.
9From E-Government Act of 2002 [Internet]. Washington: US Government Printing Office [cited 2011 Dec 5]. Available from: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm. Any information system whose function, operations, or use involves intelligence activities, involves cryptographic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapons system, is critical to the fulfillment of military or intelligence missions (excluding any system that is used for administrative and business applications), or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
106 CHAPTER 5 Applying the NIST Risk Management Framework
NIST
NIST, under FISMA, was assigned the responsibility to develop standards, guidelines, and associated methods and techniques for federal agencies. These standards and guidelines include the minimum requirements for providing adequate information security for federal information systems (excluding national security systems):
• Standards to be used for categorizing information and information systems based on objectives of providing an adequate level of information security (Federal Information Processing Standard (FIPS) PUB 199, Standards for Security Categorization of Federal Information and Information Systems);
• Guidelines recommending the types of information and information systems (NIST Special Publication (SP) 800-60 Revision 1, Volume I and II: Guide for Mapping Types of Information and Information System to Security Categories); and
• Minimum information security requirements (Federal Information Processing Standard (FIPS) PUB 200, Minimum Security Requirements for Federal Information and Information Systems and NIST Special Publication (SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations).
NIST was also given the responsibility for developing guidelines for the detection and handling of information security incidents (NIST Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide), and guidelines for identifying an information system as a national security system (NIST Special Publication (SP) 800-59, Guideline for Identifying an Information System as a National Security System).11
Federal Agencies
Federal agencies are required to comply with the provisions defined in FISMA. As part of their obligation, they must ensure the protection of federal information and information systems commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction [2]. This includes complying with information security standards12 for non-NSSs and standards and guidelines13 for NSSs. Federal agencies must also ensure information security is an integrated part of their strategic planning and operational planning processes so there is alignment of goals and objectives.
10From NIST Special Publication (SP) 800-53, Revision 4 Update Announcement [Internet]. Maryland: National Institute of Standards and Technology [cited 2011 Dec 7]. Available from: http://csrc.nist.gov/groups/SMA/fisma/documents/800-53-Rev4_announcement.pdf. “As part of the ongoing cyber security partnership among the United States Department of Defense, the Intelligence Community, and the Federal Civil Agencies, five foundational publications are being developed by the partnership’s Joint Task Force to create a unified information security framework for the federal government and its contractors.”
11From Certification & Accreditation Transformation [Internet]. Maryland: National Institute of Standards and Technology [cited 2011 Dec 27]. Available from: http://www.doncio.navy.mil/chips/Article-Details.aspx?ID=3005. DoDI 8510.01 aligns with the risk management processes included in NIST SP 800-37 (“Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”) and describes the DoD risk management process, the DoD Information Assurance Risk Management Framework (DIARMF).
Head of Agency or Equivalent
The Head of the Agency (or the highest-level senior official), in an effort to establish commitment and accountability for information security, was given the responsibility for ensuring senior agency officials (e.g., authorizing officials) provide for the protection of federal information and information systems for which they have budgetary oversight, or which support the mission and/or business operations [3].
Protections include:
• Conducting risk assessments;
• Categorizing information and information systems;
• Implementing security policies and procedures; and
• Periodically testing and evaluating security controls and techniques.
The Head of the Agency must ensure security policies, procedures, and practices are adequate. To support this requirement, the Head of the Agency is required to designate a Federal Agency CIO with the authority to ensure compliance with FISMA.
The Federal Agency CIO, in turn, delegates his or her IT security responsibilities to a Senior Agency Information Security Officer (SAISO),14 who is both qualified and trained in information security. These IT security responsibilities include:
• Developing and maintaining an information security program;
• Developing and maintaining information security policies, procedures, and controls;
• Training and overseeing personnel with significant information security responsibilities; and
• Assisting authorizing officials.
12From Evans, D., Bond, P., Bement, A. Federal Information Processing Standard (FIPS) PUB 199, Standards for Security Categorization of Federal Information and Information Systems. Maryland: National Institute of Standards and Technology; 2004. “Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).”
13From the Committee on National Security Systems (CNSS) [Internet]. Maryland: CNSS [cited 2011 Dec 8]. Available from: http://www.cnss.gov/history.html. “The CNSS (formerly named the National Security Telecommunications and Information Systems Security Committee (NSTISSC)) was established by National Security Directive (NSD)-42, National Policy for the Security of National Security Telecommunications and Information Systems.”
14In most federal agencies the title for this role is the Chief Information Security Officer (CISO).
Federal Agency Information Security Program
Federal agencies are also required to establish an agency-wide information security program. The program developed by the federal agency must address the following requirements:
• Security awareness training;
• Risk assessments;
• Policies and procedures;
• Integration of security into the system development lifecycle;
• Compliance programs that include security planning, testing, and remediation;
• Incident response capability; and
• Continuity of operations planning.
Federal Agency Independent Evaluations and Reporting
On an annual basis, federal agencies are required by law to conduct an independent evaluation of their information security program to ensure its effectiveness. The independent evaluations involve testing the effectiveness of the organization’s policies, procedures, and practices, and an assessment of compliance with FISMA, including any supporting federal policies, procedures, standards, and guidelines. The results of the independent evaluations are sent through the Head of the Agency to the Director of OMB. The Director of OMB includes information from all independent evaluations across the federal government and develops a comprehensive summary in a government-wide report that is submitted to Congress.15
15OMB reports to Congress no later than March 1st of each year.
TIP
To support federal agencies in evaluating their programs, NIST developed the Program Review for Information Security Management Assistance (PRISMA).16 The PRISMA methodology uses “a standardized approach to review and measure the information security posture of an information security program” [4]. The PRISMA process includes 11 steps that cover both preparation and execution.
Preparation Steps:
• Review initiation.
• Review scope definition.
• Planning.
• Kickoff meeting.
Execution Steps:
• Review execution.
• Review documentation.
16Program Review for Information Security Management Assistance (PRISMA). Available from: http://csrc.nist.gov/groups/SMA/prisma/index.html.