
Presentation Transcript

Slide 1: 

FISMA: Federal Information Security Management Act Overview
Doug Wagoner

FISMA Background : 

- Federal Information Security Management Act – Rep. Tom Davis is the champion
- Replaced GISRA, signed in October 2000
- Title III of the Electronic Government Act of 2002
- Applies to Federal Agencies, including government contractors
- Purpose is to secure the information infrastructure used in all of the Federal Agencies

FISMA Requirements : 

- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Review periodically the security controls in their information systems
- Annual security reporting to the Office of Management and Budget
- Security awareness training
- Follow guidelines issued by NIST for information security controls

FISMA Requirements : 

Report to Congress provides:
- A summary of government-wide performance in the area of information technology security management
- An analysis of government-wide weaknesses in information technology security practices, and
- A plan of action to improve information technology security performance

Report to Congress includes:
- Certification and accreditation of systems
- Security costs
- Annual testing of system controls
- Contingency planning
- Implementation of security configuration requirements

FISMA Management : 

- IS Program Management (Strategic)
- Information Security Operations
- Policy & Compliance Mgmt
- System Integration, Configuration, & Lifecycle Mgmt
- Vulnerability, Certification & Accreditation Mgmt

FISMA Implementation : 

- Most CIOs place responsibility for compliance with the CISO
- Decentralized departments are having the most problems
- IGs review the FISMA process and reporting
- Reports sent to OMB by the end of each FY
- Reporting standards governed by OMB Circular A-130 and NIST Special Publication 800-26, with changes including 800-53


NIST View Of FISMA : 

Agency information and information system (center of the NIST diagram), surrounded by six activities and the standards and guidelines that support them:

- Categorization of Information and Information System (FIPS 199, SP 800-60): Defines categories of information and information systems according to levels of risk for confidentiality, integrity, and availability; maps information types to security categories
- Security Control Selection and Implementation (SP 800-53): Management, operational, and technical controls (i.e., safeguards and countermeasures) planned or in place to protect information and information systems
- Security Planning (SP 800-18): Documents the security requirements and security controls planned or in place for the protection of information and information systems
- Risk Assessment (SP 800-30): Analyzes the threats to and vulnerabilities of IT and the potential impact of harm that the loss of confidentiality, integrity, or availability would have on an agency
- Verification of Security Control Effectiveness (SP 800-53A, SP 800-37): Measures the effectiveness of the security controls associated with information systems through security testing and evaluation
- Security Authorization (Accreditation) (SP 800-37): The authorization of information systems to process, store, or transmit information, granted by a senior agency official, based on the effectiveness of security controls and residual risk
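The categorization step in the NIST view (FIPS 199 with SP 800-60) maps information types to security categories. As an added illustration that is not part of the slides, this Python snippet computes a system's FIPS 199 security category from a set of information types using the high-water mark rule; the information types and their impact values are constructed for the example.

```python
# Added example (not from the slides): FIPS 199 security categorization.
# FIPS 199 writes a category as SC = {(confidentiality, impact),
# (integrity, impact), (availability, impact)}, impact in LOW/MODERATE/HIGH;
# N/A is allowed only for confidentiality of a single information type.
# A system takes the highest ("high-water mark") impact per objective over
# all information types it handles, never below LOW. The information types
# and impact values below are constructed, not taken from SP 800-60.

IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def categorize_system(info_types):
    """Return (per-objective high-water mark, overall impact level) for a
    system described as {info_type: {objective: impact}}."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    system_sc = {}
    for objective in OBJECTIVES:
        worst = "N/A"
        for name, sc in info_types.items():
            level = sc[objective]
            if level not in IMPACT_RANK:
                raise ValueError(f"{name}: unknown impact {level!r} for {objective}")
            if objective != "confidentiality" and level == "N/A":
                raise ValueError(f"{name}: N/A is only valid for confidentiality")
            if IMPACT_RANK[level] > IMPACT_RANK[worst]:
                worst = level
        # FIPS 199: a system's category never drops below LOW for any objective.
        system_sc[objective] = "LOW" if worst == "N/A" else worst
    overall = max(system_sc.values(), key=IMPACT_RANK.__getitem__)
    return system_sc, overall

def format_sc(sc):
    """Render a category in FIPS 199 notation."""
    return "SC = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"

# Constructed sample: a benefits system that also serves a public web site.
SAMPLE_SYSTEM = {
    "public web content": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "beneficiary records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payment authorizations": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    sc, overall = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(sc), "-> overall impact level:", overall)
```

The overall level is what drives the SP 800-53 baseline selection in the next box of the diagram, so one HIGH information type (here the integrity of payment authorizations) pulls the whole system to HIGH.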

Grades Getting a Little Better : 


Slide 9: FISMA Costs

- $4.2B in FY04 Information Security
- Over 7% of IT budget
- Fastest growing part of IT budget at 12% according to INPUT
- However… Cost of non-compliance is inferior security of systems, national security and taxpayer data
- Congress can assess budget cuts for non-compliance
- Department Pride

FISMA Resources : 

- Office of Management and Budget. "Security of Federal Automated Information Resources." Appendix III, OMB Circular No. A-130
- NIST - FISMA Implementation Projects
- GAO - Management Planning Guide for Information Systems Security Auditing
