In the aftermath of September 11, 2001, Congress passed, and the President signed, the E-Government Act, which formally recognized the importance of information security to the United States' economic and national security interests. Title III of that act, the Federal Information Security Management Act (FISMA), requires federal agencies to develop, document, and implement agency-wide information security programs to protect the confidentiality, integrity, and availability of information and systems that support the operations and assets of the agency. FISMA's scope includes securing an agency's operations and assets that are provided or managed by another agency, contractor, or other source.
Compliance with FISMA is not just a good idea, it's the law. FISMA is codified in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, which was signed into law in December 2003. FIPS 199 defines the requirements Federal agencies must use to categorize information and information systems so that appropriate levels of information security can be applied according to a range of risk levels. The standard establishes three levels of risk (low, moderate, and high) for each of the security objectives of confidentiality, integrity, and availability.
Implemented in March, 2006, FIPS200, Minimum Security Requirements for Federal Information and Information Systems, takes the next step. In applying the provisions of FIPS200, agencies will categorize their systems as required by FIPS199, and then select an appropriate set of security controls from technical guidance documents developed by the National Institute of Standards and Technology (NIST). Specifically, agencies must select security controls from NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. NIST SP800-53 provides federal agencies with a foundation for understanding security controls and their use within an information security program. Information covered by NIST SP800-53 includes:
- Structural components of controls
- Organization of controls into classes of operational, management, and technical controls
- How controls are used to support information security programs
- Steps to follow to determine which controls are needed and how to assure and maintain their effectiveness
- Categorization of security controls for graduated levels of security requirements
- A catalog of security controls
NIST SP800-53 is designed to help federal agencies comply with FISMA more easily. Together, the FISMA requirements and the NIST technical guidance documents are emerging as a world-class framework for implementing information security governance. They set forth clearly defined roles and responsibilities, data-driven risk classification, and the concept of unambiguous personal accountability for agency residual risk. As a result, the NIST framework is being closely scrutinized by agency Chief Information Security Officers (CISOs), Inspectors General (IGs), the Office of Management and Budget (OMB), and Congress.
Exercising Due Diligence
Information security is a top priority. It is considered so important that the Department of Homeland Security recently promoted the Cyber Security position to the Assistant Secretary level. The sense of urgency within the Federal sector to comply with FISMA is also being felt at the state, regional, and local levels of government. Agencies increasingly must demonstrate compliance due diligence by using a risk-based framework, like NIST SP800-53, that makes the most of limited resources to protect the most critical assets. Due diligence is not limited to existing information systems and data; it also applies to all new technology purchases.
An interim rule recently published by the Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council specifies new steps that IT procurement workers at federal agencies must take to ensure that information security considerations are an integral part of all technology purchases. The rule essentially incorporates the IT security provisions defined by FISMA into the Federal Acquisition Regulation (FAR).
Parallels with Sarbanes-Oxley Compliance
Thanks to several years spent in creating the NIST framework, federal agency CIOs and CISOs have at their fingertips a robust information security governance framework, tailored for their unique environments. The same framework can be easily extended to other government entities. Training is available. Certifications are emerging. Best practices derived from real-world use are entering knowledge repositories.
In the private sector, compliance issues have not been so clear-cut. Corporate Chief Financial Officers (CFOs) were challenged to comply with Sarbanes-Oxley (SOX) Section 302, which requires internal controls over financial reporting, at the same time that corporate Chief Information Officers (CIOs) were required to comply with SOX Section 404, which requires IT controls on systems related to financial reporting.