Securing Federal information and systems is an ongoing challenge. By implementing comprehensive security compliance management methods for data collection, retention, monitoring and reporting, federal agencies can successfully demonstrate a sound framework that meets FISMA requirements.
www.netforensics.com
NETFORENSICS WHITE PAPER
Overcoming Persistent FISMA Weaknesses Through Security Compliance Management
Contents
1 GAO Report: FISMA Security Compliance is Persistently Weak
1 FISMA Minimum Security Requirements
2 Securing Federal Information and Systems is an Ongoing Challenge
2 Security Compliance Management Provides a Best Practice Framework for Risk Management and FISMA Compliance
4 nFX ONE Solutions: Align with FISMA Objectives and Address Weaknesses
5 nFX SIM One
6 nFX Data One
6 nFX Log One
7 The Case for Security Compliance Management Best Practices
7 Conclusions
8 About netForensics
GAO Report: FISMA Security Compliance is Persistently Weak

"Significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information on millions of Americans, thereby exposing them to loss of privacy and identity theft. Almost all of the major federal agencies had weaknesses in one or more areas of information security controls. In their fiscal year 2006 financial statement audit reports, 21 of 24 major agencies indicated that deficient information security controls were either a reportable condition or a material weakness. Our audits continue to identify similar weaknesses in nonfinancial systems. Similarly, in their annual reporting under 31 U.S.C. § 3512 (commonly referred to as the Federal Managers' Financial Integrity Act of 1982), 17 of 24 agencies reported shortcomings in information security, including 7 that considered it a material weakness. IGs have also noted the seriousness of information security, with 21 of 24 including it as a 'major management challenge.' An underlying cause for these weaknesses is that agencies have not fully implemented their information security programs, thereby leaving them vulnerable to attack or compromise." GAO Report to OMB, July 27, 2007

FISMA Minimum Security Requirements

Enacted by the federal government in 2002, the Federal Information Security Management Act (FISMA) recognized the need to define a comprehensive framework for establishing and monitoring security programs for federal agencies. Governed by the National Institute of Standards and Technology (NIST), the Act applies to the inform...

NIST defines and provides guidance on the mandatory standards for FISMA compliance. For example, NIST released the Federal Information Processing Standards (FIPS) Publication 200 in March 2006, announcing the standard for minimum security requirements for federal information and information systems. These minimum security requirements cover 17 security-related areas for protecting the confidentiality, integrity, and availability of federal information and systems.

The 17 security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. In complying with these requirements, government agencies must follow NIST Special Publication 800-53 to select appropriate and adequate security controls.

Under FISMA regulations, each federal agency must develop, document, and implement an agency-wide information security program which includes:

- Developing a comprehensive security program.
- Ensuring that appropriate officials are assigned security responsibility.
- Periodically reviewing the security controls in their information systems.
- Engaging in annual security reporting to the OMB.
- Providing internal security awareness training.
- Following guidelines issued by NIST for information security controls.

Federal agencies are also required to inventory their IT assets, ... [download for more]