The Federal Information Security Management Act (FISMA): An Auditor’s View Presented by Loren Schwartz, CPA, CISSP, CISA, CIPP February 2015
Page 1: The Federal Information Security Management Act (FISMA): An Auditor’s View Presented by Loren Schwartz, CPA, CISSP, CISA, CIPP February 2015.

The Federal Information Security Management Act (FISMA):

An Auditor’s View

Presented by Loren Schwartz, CPA, CISSP, CISA, CIPP

February 2015

Page 2

Agenda

• What Is FISMA?
• NIST Framework
• How To Perform a FISMA Audit
• Future of FISMA

Page 3

What Is FISMA?

It's the great irony of our Information Age – the very technologies that empower us to create and to build also empower those who would disrupt and destroy. – President Barack Obama, May 29, 2009

Page 4

What Is FISMA?

Given the rapid agility of those seeking to compromise Federal systems and data, the Federal Government needs a consistent, central, and repeatable method for identifying cybersecurity threats and vulnerabilities.

– Office of Management and Budget (OMB) Memorandum M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices

Page 5

What Is FISMA?

• The Federal Information Security Modernization Act (FISMA)
  – Formerly known as the Federal Information Security Management Act and Title III of the E-Government Act of 2002
  – Serves as a framework to manage risk and ensure the confidentiality, availability, and integrity of federal information and information systems

Page 6

What Is FISMA?

• FISMA (cont.)
  – Assigns specific development, management, oversight, and reporting responsibilities to two federal agencies:
    • The National Institute of Standards and Technology (NIST)
    • The Office of Management and Budget (OMB)

Page 7

What Is FISMA?

• FISMA establishes the following roles and responsibilities for the IT security management team:
  – Agency Head
    • Is ultimately accountable for protecting the agency’s systems
    • Must include security as part of strategic and operational planning
    • Assigns responsibility for compliance to Chief Information Officers (CIOs)

Page 8

What Is FISMA?

• FISMA roles and responsibilities (cont.):
  – Inspector General
    • Performs an annual independent evaluation of the agency’s security program
      – The evaluation must include testing the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems.

Page 9

What Is FISMA?

• FISMA roles and responsibilities (cont.):
  – Chief Information Officer
    • Designates a senior information security officer
    • Is accountable for the agency-wide security program
    • Develops and implements policies, procedures, and controls
    • Provides quarterly progress reports to OMB

Page 10

What Is FISMA?

• FISMA roles and responsibilities (cont.):
  – Information System Security Officer (ISSO)/Chief Information Security Officer (CISO)
    • Carries out responsibilities delegated by the CIO
      – Security is the ISSO’s primary responsibility
    • Maintains professional qualifications

Page 11

What Is FISMA?

• FISMA roles and responsibilities (cont.):
  – Program Officials and System Owners
    • Assess risk and test controls
    • Update system documentation
    • Ensure that systems are certified and accredited (SA&A)

Page 12

What Is FISMA?

[FISMA] requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. – NIST website

Page 13

What Is FISMA?

• FISMA is intended to assist federal agencies in standardizing their security control selection and assessment by providing:
  – A consistent framework for protecting information at the federal level
  – Effective management for information security risks
  – Assistance in developing adequate controls to protect information and systems
  – A mechanism for effective oversight of federal security programs

Page 14

What Is FISMA?

• When implemented well, FISMA can be the cornerstone of a well-designed, well-implemented, and well-managed information security program.

• FISMA is probably the most criticized law since Prohibition.
  – That MAY be an overstatement

• When implemented poorly, FISMA is an exercise in paperwork.

Page 15

What Is FISMA?

• FISMA requires agencies to submit quarterly reports to OMB on the status of their information security program.
  – OMB sets reporting standards annually; these standards have become more stringent over time
  – The quarterly reports consist of the annual report and three quarterly updates in December, March, and June
  – These reports are also submitted to other groups, including:
    • House Committees on Government Reform and Science
    • Senate Committees on Government Affairs and Commerce, Science, and Transportation
    • Authorization and appropriations committees of Congress for each individual agency
    • Government Accountability Office

Page 16

NIST Framework

• FISMA granted NIST responsibility for developing information security standards and guidelines for federal information systems other than those designated as national security systems.
  – Information security standards include NIST’s Federal Information Processing Standards (FIPS)
  – Guidelines include Special Publications (SPs) in the 800 series

• FISMA also assigned NIST specific responsibilities.

Page 17

NIST Framework

Page 18

NIST Framework

• Knowledge of these and other NIST publications is essential for FISMA compliance. Such publications include:
  – Standards to be used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels
  – Guidelines recommending the types of information and information systems to be included in each category
  – Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category

Page 19

NIST Framework

Helpful NIST Publications:

  NIST Publication           Description
  FIPS Publication 199       Security Categorization
  FIPS Publication 200       Minimum Security Requirements
  NIST SP 800-18, Rev. 1     Security Planning
  NIST SP 800-30, Rev. 1     Risk Management
  NIST SP 800-34, Rev. 1     Contingency Planning
  NIST SP 800-37, Rev. 1     Certification & Accreditation
  NIST SP 800-53, Rev. 4     Recommended Security Controls
  NIST SP 800-53A, Rev. 4    Security Control Assessment
  NIST SP 800-60, Rev. 1     Security Category Mapping

Page 20

NIST Framework

• FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems
  – FIPS 199 is the standard used by federal agencies to categorize information and information systems based on the objective of providing appropriate levels of information security according to a range of risk levels.
  – Information systems are categorized as low, moderate, or high risk based on the confidentiality, integrity, and availability security requirements necessary to protect the data/information processed, stored, or transmitted by the information system.

Page 21

NIST Framework

• FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
  – FIPS 200 provides the minimum information security requirements for information and information systems in each security category defined in FIPS 199.
  – It requires agencies to use NIST SP 800-53 for their baseline security control requirements.

Page 22

NIST Framework

• NIST SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems
  – NIST SP 800-18, Rev. 1 defines the format and content for security plans, as required by OMB Circular A-130.
  – The main functions of the security plan include:
    • Providing an overview of the system’s security requirements
    • Describing the controls in place or planned for meeting those requirements
    • Delineating responsibilities and expected behavior for all individuals who access the system
    • Documenting the structured process of planning adequate, cost-effective security protection for the system

Page 23

NIST Framework

• NIST SP 800-30, Rev. 1, Risk Management Guide for Information Technology Systems
  – NIST SP 800-30, Rev. 1 provides definitional and practical guidance regarding the concept and practice of managing IT-related risks.
  – Risk management provides balance between the operational objectives and economic costs of protective measures. It:
    • Enables agencies to better secure IT systems that store, process, or transmit organizational information
    • Enables management to make well-informed risk management decisions to justify expenditures
    • Assists management in authorizing (or accrediting) IT systems

Page 24

NIST Framework

• NIST SP 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems
  – NIST SP 800-34, Rev. 1 provides instructions, recommendations, and considerations for government IT contingency planning.
  – It provides specific contingency planning recommendations for seven IT platforms and includes strategies and techniques common to all systems.

Page 25

NIST Framework

• NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems
  – NIST SP 800-37, Rev. 1 establishes a six-step risk management framework for federal information systems:
    • Categorize the Information System
    • Select Security Controls
    • Implement Security Controls
    • Assess Security Controls
    • Authorize the Information System
    • Monitor the Security Controls
  – This SP applies to all federal information systems other than those designated as national security systems, as defined in the Federal Information Security Management Act of 2002.

Page 26

NIST Framework

• NIST SP 800-53, Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations
  – NIST SP 800-53, Rev. 4 is intended to provide guidelines for selecting and specifying security controls for information systems.
  – It applies to all federal information systems other than those designated as national security systems, as defined in 44 U.S.C., Section 3542.

Page 27

NIST Framework

• NIST SP 800-53, Rev. 4 (cont.)
  – This SP was broadly developed from a technical perspective in order to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems.
  – It provides guidance to federal agencies in accordance with FIPS 200, Minimum Security Controls for Federal Information Systems.

Page 28

NIST Framework

• NIST categorizes FISMA principles into 18 security control families, which can be found in NIST SP 800-53, Minimum Security Controls for Federal Information Systems
  – Each control area contains numerous requirements based on the sensitivity level of the system.
  – NIST controls often cover most of the controls included in other frameworks, such as International Organization for Standardization (ISO) and Payment Card Industry Data Security Standard (PCI DSS).

Page 29

NIST Framework

Management Controls:
  RA – Risk Assessment
  PL – Planning
  SA – System & Services Acquisition
  CA – Security Assessment & Authorization
  PM – Program Management

Operational Controls:
  PS – Personnel Security
  PE – Physical & Environmental Protection
  CP – Contingency Planning
  CM – Configuration Management
  MA – Maintenance
  SI – System & Information Integrity
  MP – Media Protection
  IR – Incident Response
  AT – Awareness & Training

Technical Controls:
  IA – Identification & Authentication
  AC – Access Control
  AU – Audit & Accountability
  SC – System & Communications Protection

Page 30

NIST Framework

• NIST SP 800-53A, Rev. 4, Guide for Assessing the Security Controls in Federal Information Systems
  – NIST SP 800-53A, Rev. 4 provides standardized techniques and procedures to verify the effectiveness of security controls.
  – It provides a single baseline verification procedure for each security control.
  – It allows agencies to apply additional verification techniques and procedures at their discretion.

Page 31

NIST Framework

• NIST SP 800-60, Rev. 1, Volumes I and II, Guide for Mapping Types of Information and Information Systems to Security Categories
  – NIST SP 800-60, Rev. 1 provides guidelines recommending the types of information and information systems to be included in each category of potential security impact.
  – It assists agencies in consistently mapping security impact levels to types of:
    1. Information (e.g., privacy, medical, proprietary, financial, contractor-sensitive, trade secret, investigation)
    2. Information systems (e.g., mission-critical, mission-support, administrative)
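The categorization rule that the FIPS 199 slide (page 20) and the SP 800-60 slide above describe, worked as an added example; this is not code from the presentation. It assumes the high-water-mark rule from FIPS 199 (a system takes, per objective, the highest impact among the information types it hosts, and may not be "not applicable" at system level) and the overall impact level from FIPS 200 that selects the SP 800-53 baseline; the information types, their impact values and the baseline labels are constructed for illustration.

```python
# FIPS 199 / FIPS 200 security categorization with the high-water mark.
# Added illustration, not the presenter's code; sample data is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable

# Rank used for the high-water mark. "NA" (not applicable) is permitted by
# FIPS 199 only for the confidentiality of an information type (e.g. public
# information), never for an information system, which must be at least LOW
# on every objective.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
BASELINES = {  # labels are illustrative; the baselines themselves are SP 800-53's
    "LOW": "SP 800-53 low baseline",
    "MODERATE": "SP 800-53 moderate baseline",
    "HIGH": "SP 800-53 high baseline",
}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels (cf. SP 800-60)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        # Normalize "n/a", "N/A", "moderate", ... and validate the value.
        value = getattr(self, objective).strip().upper().replace("/", "")
        if value not in IMPACT_RANK:
            raise ValueError(f"{self.name}: unknown impact level {value!r}")
        if value == "NA" and objective != "confidentiality":
            raise ValueError(f"{self.name}: NA is only valid for confidentiality")
        return value


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """FIPS 199 security category of a system hosting the given information types.

    For each objective the system value is the highest value (high-water mark)
    among its information types, floored at LOW because FIPS 199 does not allow
    NA at the system level.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must host at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max((t.impact(objective) for t in types), key=IMPACT_RANK.__getitem__)
        category[objective] = "LOW" if highest == "NA" else highest
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the high-water mark across C, I and A."""
    return max((category[o] for o in OBJECTIVES), key=IMPACT_RANK.__getitem__)


def select_baseline(category: Dict[str, str]) -> str:
    """Map the overall impact level to the SP 800-53 baseline label."""
    return BASELINES[overall_impact(category)]


def format_category(category: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation: SC = {(objective, impact), ...}."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed example: a benefits-processing system hosting three information types.
BENEFITS_SYSTEM = [
    InfoType("benefit eligibility records", "MODERATE", "MODERATE", "LOW"),
    InfoType("public press releases", "N/A", "LOW", "LOW"),
    InfoType("routine administrative data", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(BENEFITS_SYSTEM)
    print(format_category(sc))
    print("overall:", overall_impact(sc), "->", select_baseline(sc))
```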

Page 32

NIST Framework

• Required Documentation:
  – Authorization Boundary/Security Categorization (FIPS 199)
  – System Security Plan (NIST SP 800-18)
  – Risk Assessment (NIST SP 800-30)
  – Security Assessment Report (NIST SP 800-30, 800-37)
  – Contingency Plan/Disaster Recovery Plan (NIST SP 800-34)
  – Privacy Impact Assessment
  – Plan of Action and Milestones (POA&M)

Page 33

NIST Framework

• POA&Ms are an agency’s primary management tool for tracking the mitigation of its IT security program and system-level weaknesses.
  – POA&Ms are designed to facilitate review, analysis, and decision-making in order to improve performance in implementing corrective actions.
  – Departments use POA&Ms to determine the organization’s progress in the area of IT security.
  – POA&Ms are reviewed both within the department and by OMB.

Page 34

NIST Framework

• POA&Ms (cont.):
  – OMB uses all federal POA&Ms in conducting its assessment of the IT security maturity of the federal government.
  – Inspectors General (IGs) are asked to use specific criteria to assess whether the agency has developed and implemented an agency-wide POA&M process, and whether it is appropriately managing this process.
    • The IG’s assessment in this area is critical.
  – Effective remediation of IT security weaknesses is essential to achieving a mature IT security program.

Page 35

How to Perform a FISMA Audit

• FISMA audits:
  – Are driven by the annual DHS/OMB memorandum
  – Are typically (but not always) structured as a performance audit
  – Follow a methodology that is similar to the methodology for an audit under the Federal Information System Controls Audit Manual (FISCAM)
  – Do not have exactly the same scope for each OIG
  – Typically consist of selecting and testing a subset of systems
  – Are performed annually at approximately the same time as the financial statement audit in order to gain possible efficiencies

Page 36

How to Perform a FISMA Audit

• Selecting a Representative Subset of Systems
  – The evaluator uses their professional judgment to identify a sufficient scope for systems testing to constitute a representative subset of the entity’s systems.
  – The subset should be representative of all of the entity’s systems covered by FISMA.

Page 37

How to Perform a FISMA Audit

• Selecting a Representative Subset of Systems (cont.):
  – The selection should include:
    • Systems at different risk levels (i.e., high, moderate, and low)
    • Both general support systems and major application systems
    • Different types of applications (e.g., financial management, operations)
    • Major processing locations
    • General and business process controls
    • Coverage of the FISCAM control areas
    • Contractor and other non-entity systems that are covered by FISMA requirements
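A mechanical check of the selection criteria listed above, added as an illustration and not part of the presentation: it compares the attribute values present in an inventory of FISMA-covered systems against those covered by a candidate subset and reports the gaps. The inventory, the per-system attributes and the FISCAM area codes attached to each system are constructed; the inventory is assumed to already be limited to systems covered by FISMA.

```python
# Representative-subset coverage check for FISMA audit planning.
# Added illustration, not the presenter's code; all system data is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class SystemRecord:
    name: str
    risk_level: str               # FIPS 199 overall impact: LOW / MODERATE / HIGH
    system_type: str              # "GSS" (general support system) or "major application"
    application_type: str         # e.g. "financial management", "operations"
    location: str                 # major processing location
    contractor_operated: bool     # contractor / non-entity system covered by FISMA
    fiscam_areas: FrozenSet[str]  # FISCAM control areas exercised; "BP" marks
                                  # business process controls (constructed code)


# One entry per selection criterion on the slide: a function giving the
# value(s) a system contributes to that criterion.
DIMENSIONS: Dict[str, Callable[[SystemRecord], Set[str]]] = {
    "risk level": lambda s: {s.risk_level},
    "system type": lambda s: {s.system_type},
    "application type": lambda s: {s.application_type},
    "processing location": lambda s: {s.location},
    "operator": lambda s: {"contractor" if s.contractor_operated else "entity"},
    "FISCAM control area": lambda s: set(s.fiscam_areas),
}


def covered_values(systems: List[SystemRecord], dimension: str) -> Set[str]:
    """All values of one dimension represented across the given systems."""
    values: Set[str] = set()
    for system in systems:
        values |= DIMENSIONS[dimension](system)
    return values


def coverage_gaps(inventory: List[SystemRecord],
                  selected: List[SystemRecord]) -> Dict[str, Set[str]]:
    """Per dimension, the inventory values that no selected system covers.

    An empty result means every value present in the inventory is represented
    at least once in the subset; it does not replace the evaluator's judgment
    about sufficiency of scope.
    """
    gaps: Dict[str, Set[str]] = {}
    for dimension in DIMENSIONS:
        missing = covered_values(inventory, dimension) - covered_values(selected, dimension)
        if missing:
            gaps[dimension] = missing
    return gaps


def is_representative(inventory: List[SystemRecord], selected: List[SystemRecord]) -> bool:
    return not coverage_gaps(inventory, selected)


# Constructed inventory of five FISMA-covered systems.
GRANTS = SystemRecord("Grants Payment System", "HIGH", "major application",
                      "financial management", "Washington DC", False,
                      frozenset({"SM", "AC", "CM", "SD", "CP"}))
HQ_GSS = SystemRecord("HQ Network GSS", "MODERATE", "GSS", "operations",
                      "Washington DC", False, frozenset({"SM", "AC", "CM", "CP"}))
CASE_TRACKER = SystemRecord("Field Case Tracker", "MODERATE", "major application",
                            "operations", "Denver", False, frozenset({"AC", "SD", "BP"}))
PAYROLL = SystemRecord("Hosted Payroll", "MODERATE", "major application",
                       "financial management", "Contractor site", True,
                       frozenset({"SM", "AC", "CM"}))
WEBSITE = SystemRecord("Public Website", "LOW", "major application", "public affairs",
                       "Cloud region", True, frozenset({"AC", "CM", "SD"}))
INVENTORY = [GRANTS, HQ_GSS, CASE_TRACKER, PAYROLL, WEBSITE]

INITIAL_SELECTION = [GRANTS, HQ_GSS, PAYROLL]
FULL_SELECTION = INITIAL_SELECTION + [CASE_TRACKER, WEBSITE]

if __name__ == "__main__":
    for dimension, missing in coverage_gaps(INVENTORY, INITIAL_SELECTION).items():
        print(f"{dimension}: not covered -> {sorted(missing)}")
    print("full selection representative:", is_representative(INVENTORY, FULL_SELECTION))
```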

Page 38

How to Perform a FISMA Audit

• FISCAM may be used as a basis for the independent evaluation of a federal agency’s information security program as required by FISMA (Appendix IX: Application of FISCAM to FISMA).
  – The agency’s IG must perform independent evaluations of federal information systems other than those designated as national security systems.
  – Evaluations of systems related to national security may only be performed by an entity designated by the agency head.

Page 39

How to Perform a FISMA Audit

• OMB Memorandum (Questionnaire):
  – The OMB memorandum is released annually.
  – It directs CIOs and OIGs as to the areas on which they must report.
  – The Department of Homeland Security (DHS) is currently responsible for information security; DHS therefore designs the questions and reporting requirements while OMB is responsible for sending out the document.

Page 40

How to Perform a FISMA Audit

• OMB Memorandum (cont.):
  – The memorandum consists primarily of the same questions from year to year, but OMB throws some curveballs.
  – It contains a frequently asked questions (FAQ) section and a questionnaire with separate questions for CIOs, OIGs, and Senior Agency Officials for Privacy (SAOPs).
  – The questions are no longer publicly accessible; the auditor receives them from the Contracting Officer’s Technical Representative (COTR).

Page 41

How to Perform a FISMA Audit

• OMB Memorandum (cont.):
  – The auditor usually selects a subset of systems to review for the questionnaire, but it depends on the contract.
  – The auditor may also select one of the systems each year to undergo a detailed audit based on NIST SP 800-53.

Page 42

How to Perform a FISMA Audit

• OMB Memorandum (cont.):
  – The memorandum questions have evolved over the years. It originally asked a mix of questions with answers that were qualitative (e.g., excellent, good, fair, poor), percentages, or numbers; now all of the questions have yes/no answers.
  – Questions that have been removed include:
    • Peer-to-peer questions
    • E-authentication questions

Page 43

How to Perform a FISMA Audit

• Question areas for the CIO:
  – Data feeds directly from security management tools (or from Excel)
    • Inventory
    • Systems and Services
    • Hardware
    • Software
    • External Connections
    • Security Training
    • Identity Management and Access
  – Government-wide benchmarking on security posture

Page 44

How to Perform a FISMA Audit

• Question areas for the SAOP:
  – Update on the breach notification policy, if it has changed significantly since the last year’s report
  – Progress update on eliminating the unnecessary use of social security numbers
  – Progress update on review and reduction of holdings of personally identifiable information

Page 45

How to Perform a FISMA Audit

• Question areas for the OIG:
  – Continuous monitoring management
  – Configuration management
  – Identity and access management
  – Incident response and reporting
  – Risk management (security assessment and authorization (SA&A) process)
  – Security training

Page 46

How to Perform a FISMA Audit

• Question areas for the OIG (cont.):
  – Plans of action and milestones
  – Remote access management
  – Contingency planning
  – Contractor systems
  – Security capital planning

Page 47

How to Perform a FISMA Audit

• Key FAQs from the memorandum include:
  – Should agencies set an internal FISMA reporting cut-off date?
  – Should all of the agency’s information systems be included as part of the FISMA report?
  – Is use of NIST publications required?
  – Are NIST guidelines flexible?
  – Are the security requirements outlined in the Act limited to information in electronic form?

Page 48

How to Perform a FISMA Audit

• Key FAQs from the memorandum (cont.):
  – When OMB asks if an agency has a process, is it also asking if the process is implemented and is effective?
  – How do agencies ensure FISMA compliance for connections to non-agency systems?
  – Do Statement on Standards for Attestation Engagements (SSAE) No. 16 audits meet the requirements of FISMA and implementation policies and guidance?

Page 49

How to Perform a FISMA Audit

• Key FAQs from the memorandum (cont.):
  – Is a security authorization required for all information systems? OMB Circular A-130 requires an authorization to process only for general support systems and major applications.
  – Must all agency information systems be tested and evaluated annually?
  – Must government contractors abide by FISMA requirements?
  – Do employees who never access electronic information systems need annual security and privacy awareness training?

Page 50

How to Perform a FISMA Audit

• FISMA-specific reporting requirements:
  – Determine whether any weaknesses identified (individually or collectively) represent significant deficiencies under FISMA.
    • FISMA requires agencies to report any significant deficiencies:
      1. As material weaknesses under the Federal Managers' Financial Integrity Act (FMFIA)
      2. As instances of a lack of substantial compliance under the Federal Financial Management Improvement Act (FFMIA), if related to financial management systems

Page 51

How to Perform a FISMA Audit

• FISMA-specific reporting requirements (cont.):
  – A significant deficiency in FISMA is a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems, which:
    • Significantly restricts the capability of the agency to carry out its mission.
    • Compromises the security of its information, information systems, personnel, or other resources, operations, or assets.
  – The risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.

Page 52

How to Perform a FISMA Audit

• FISMA-specific reporting requirements (cont.):
  – The OIG is responsible for entering its responses to template questions using the CyberScope portal hosted by DHS.
  – The OIG will usually also issue a performance audit report, generally supported by the work performed to answer the template questions.
  – The OIG will often perform more detailed testing of a selected system and issue a separate performance audit report on that system.
  – There are also other varieties of reporting, such as separate technical reports for internal use only.

Page 53

How to Perform a FISMA Audit

• Common findings in FISMA audits include:
  – SA&A packages are not complete or have issues.
  – Configuration baselines are not developed and in place.
  – The vulnerability management program is not well implemented.
  – The patch management process is ineffective.
  – The agency’s training program is poor, or not all personnel have completed training.
  – Mobile devices have not been adequately secured.

Page 54

Future of FISMA

• In December 2014, President Barack Obama signed a bill into law that:
  1. Changed the name of FISMA from “Management” to “Modernization.”
  2. Extended OMB’s responsibility to determine IT security policies for federal agencies.
  3. Granted DHS authority to administer the operational aspects of those policies among civilian agencies.
  4. Eliminated the requirement for federal agencies to submit a checklist verifying that their IT systems and processes met federal standards and controls.
  5. Moved agencies toward continuously monitoring their systems for vulnerabilities.

Page 55

Future of FISMA

• The new FISMA mandates continuous monitoring and the use of “automated security tools to continuously diagnose and improve security.” This includes:
  – Assessing information security risks on an ongoing basis.
  – Developing an Information Security Continuous Monitoring (ISCM) strategy that supports the implementation of a program to continuously monitor and defend the agency’s network(s) from cyber security risks, threats, and malicious activity.

Page 56

Future of FISMA

• OMB key initiatives for 2014-2015 include:
  – New requirements based on assessment of emerging threat activities.
  – Streamlined agency reporting of information security incidents to DHS’s U.S. Computer Emergency Readiness Team (US-CERT) and improvement in DHS US-CERT's ability to respond to information security incidents effectively.
  – Enhanced FISMA metrics, a proactive vulnerability scanning process, and updated incident response procedures.

Page 57

Future of FISMA

• Cross-Agency Priority (CAP) goals for FY 2015:
  – National Security Council (NSC) staff and OMB identified cybersecurity as one of the 14 CAP goals for FY 2015, to build on the statutory requirements of FISMA and to provide senior government officials with greater visibility and accountability for this issue.
  – Cybersecurity CAP goal initiatives and metrics are a subset of the FISMA metrics.

Page 58

Future of FISMA

• CAP goals for FY 2015 (cont.):
  – OMB and NSC staff will maintain focus on Information Security Continuous Monitoring (ISCM) and Identity, Credential, and Access Management (ICAM).
  – For the first time, OMB and NSC staff have identified "Anti-Phishing and Malware Defense" as an additional priority area.

Page 59

Future of FISMA

• OMB, NSC staff, and DHS have taken the following approach in developing the enhanced FY 2015 FISMA metrics:

1. Assessed the quality and validity of each metric by soliciting input from more than 100 cybersecurity professionals from more than 24 federal agencies, who made more than 200 recommendations for the metrics.

2. Where possible, removed metrics that had completed their lifecycle or did not add sufficient value to the expanded assessment process.

3. Developed outcome-oriented metrics to complement existing compliance-oriented metrics, to include anti-phishing and malware defense metrics aimed at reducing the risk of malware introduced through email and malicious or compromised websites.

4. Where possible, used existing federal agency data feeds to automate responses to improve the quality and timeliness of reported data.

Page 60

Future of FISMA

• DHS US-CERT will release its updated incident notification guidelines, including:
  1. A standard set of data elements for reporting incidents
  2. Updated incident notification requirements
  3. Updated impact classifications
  4. Updated threat vectors used to categorize and address incidents

Page 61

Future of FISMA

• It’s hard to see where all of this is going, but cyberspace is clearly here to stay in our everyday lives, both professional and personal.

• Internal audit organizations will therefore need to build their own skill sets to address the risks and opportunities that come with cyberspace.

Page 62

Q&A

Thank you!

