CMP Network Computing
What's in Store for FISMA in 2005

By Stacey McDaniel

When it comes to meeting the stringent technology and procedural requirements of the Federal Information Security Management Act (FISMA), federal agencies are making slow but steady progress.

What FISMA covers

Maintaining the integrity of the federal government's information infrastructure is critical -- in fact, maintaining a secure cyberspace has become essential to homeland and national security. As the federal government's reliance on electronic data increased, however, it was slow to address the need for stronger information security practices within the government. Finally, in 2002, the importance of information security was officially addressed through Title III of the E-Government Act, which is FISMA.

FISMA requires every federal agency, and any organization whose information systems possess or make use of federal information, to develop, document, and implement an agency-wide, risk-based information security program. FISMA also requires periodic testing and evaluation of the effectiveness of the information security policies, procedures, and practices in place. While FISMA lays out the required elements of the security program, it doesn't set any security benchmarks or provide much in the way of guidance on how to achieve these requirements. That's where the National Institute of Standards and Technology (NIST) comes in. NIST was enlisted to support FISMA by developing publications that provide guidance and best security practices to government agencies.

NIST on FISMA compliance

NIST has developed a range of special publications offering guidance on topics like security incident management, selecting and testing security controls for information systems, and assigning levels of risk to information systems. Here are the two most recent NIST publications that address important FISMA requirements:

  • A final draft of NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems," was released on January 26, and is currently up for final public review. December will be the deadline for the security controls mandated by FISMA to be in place. 800-53 not only provides instructions for adopting technical controls, such as intrusion detection, but also recommends management and operational controls for safeguarding federal information and the systems that provide that information. The recommended controls vary, but the list is extensive and includes 17 categories of security controls. Among the management controls are access and audit controls and user identification and authentication. Operational controls include incident response and contingency planning and operations.

  • On January 31, NIST released the first draft of Special Publication 800-77, "Guide to IPsec VPNs." The draft explains the three primary VPN architectures (gateway-to-gateway, host-to-gateway, and host-to-host) and describes the scenarios in which each can be used. It also explains the IPsec security framework, and lays out a five-phase approach to successful IPsec deployments: identify needs, design the solution, implement and test a prototype, deploy the solution, and manage the solution.

Competing concerns

Complying with FISMA regulations is not the only thing weighing on the minds of chief information security officers (CISOs) in the federal government. In a survey released in November 2004 by O'Keeffe & Co., patch management was cited as the number one concern of federal CISOs. Achieving FISMA compliance and avoiding a compromised network tied for second place among the concerns. The survey found that while CISOs spend a large portion of their time on administrative activities related to FISMA compliance, they feel they lack the resources and funds necessary to achieve compliance. In fact, more than 60 percent of federal agencies with information security budgets of less than $500,000 found their managers spending at least three hours a day, on average, on compliance requirements.

Compliance numbers

In the summer of 2004, the Government Accountability Office (GAO) released a report that described agency compliance with FISMA as irregular. The GAO's survey of 24 federal agencies found that 63 percent of information systems met the NIST guidelines, including the minimum security controls mandated by FISMA. The GAO report found that certification and accreditation varied greatly. Seven of the 24 agencies said more than 90 percent of their systems were certified and accredited as secure, while six reported that less than half of their systems were accredited as secure. Only the Social Security Administration and the Nuclear Regulatory Commission achieved 100 percent certification and accreditation. NASA reported 98 percent compliance, and the National Science Foundation reported that 95 percent of its information systems met the guidelines. Seventy-seven percent of Defense Department systems met the guidelines, according to the GAO.

More visibility this year

In 2005, expect Chairman of the House Government Reform Committee Rep. Tom Davis (R-Va.) to become a prominent figure in the information technology community. In January, Davis cited cybersecurity, and FISMA in particular, as one of the key items on his 2005 agenda for Congress. In spite of rules like FISMA, Davis said "Cybersecurity is one area where the government is falling backward, not moving forward." According to Davis, FISMA is not receiving the attention it deserves, and it should be something that every committee in Congress is concerned about. As Davis said, "Nobody knows what FISMA is. We have 10 members (in Congress) out of 535 who know what FISMA is."

Davis said his committee will lobby for more awareness and funding for FISMA in 2005, and he hopes the new information policy, information technology, and information security challenges that have arisen since FISMA and the 25 E-Government initiatives were enacted in 2002 will be addressed. This is important, because the technology landscape -- and the potential threats to it -- can change dramatically and quickly, and guidelines made three years ago may not address today's needs.

Conclusion

Although O'Keeffe & Co.'s recent study found that budget and time constraints are the most common reasons for agencies falling behind in FISMA compliance, there are compliance tools that can ease the administrative burden with automatic policy monitoring.

While such tools are making compliance easier, influential people like Rep. Davis plan to push for more funding and awareness to ease the costly and time-consuming FISMA burden. Expect to hear more about FISMA, and about some interesting challenges and changes in attitude toward IT security within the federal government, in the coming year.

Stacey McDaniel has been writing about high-tech issues for more than six years.

TechWeb is brought to you by CMP Media LLC, Copyright © 2004