POA&M and FISMA What does it really mean? FISSEA Annual Conference University of Maryland University College (UMUC) 3/11/2004 Booz Allen Hamilton Standard Colors Colors should be used in the color pairs whenever possible. Do not mix and match colors, use pairs together as shown. Black, White and Gray can be used with any of the other colors. Purple Pantone 2765 R 12 G 4 B 79 Green Pantone 357 R 15 G 67 B 24 Blue Pantone 2 88 R 11 G 31 B 101 Pantone Cool Gray 6 R 158 G 158 B 158 FISSEA Annual Conference Black Red Pantone 485 R 252 G 5 B 14 Yellow Pantone 3965 R 232 G 244 B 4 Aqua Pantone 319 R 126 G 204 B 189 White

Agenda FISMA – an introduction Roles and Responsibilities FISMA Requirements Transition from report to process

Congress emphasized the importance of information security when it included the Federal Information Security Management Act (FISMA) as part of the E-Government Act of 2002 FISMA consolidates many security requirements and guidance into an overall framework for managing information security and protecting the nation’s critical information infrastructure from harm FISMA requires executive agencies within the federal government to: Plan for security Ensure that appropriate officials are assigned security responsibility Review periodically the security controls in their information systems Authorize system processing prior to operations, and periodically after deploying FISMA has three main sections Annual security reporting requirement (Annual Program Review – CIO) Independent Evaluation – (IG) and Corrective action plan for remediation of security weaknesses

FISMA requires agencies to submit quarterly reports to OMB regarding the status of their information security program Reporting standards are set annually by OMB and have become more stringent over time In addition to the annual report, there are quarterly updates (Dec, Mar, June) Other groups also receive agency FISMA reports: House Committees on Government Reform and Science Senate Committees on Government Affairs and Commerce, Science, and Transportation Authorization and appropriations committees for each individual agency of Congress General Accounting Office

While reporting is a key component, achieving the goals of FISMA require that an agency build a mature security program using security management processes that are ongoing and continual Goals of FISMA Agency Goals for FISMA More consistent, comparable, and repeatable evaluations of security controls applied to information systems A better understanding of enterprise-wide mission risks resulting from the operation of information systems More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security accreditation decisions More secure information systems within the Federal government including the critical infrastructure of the United States Achieve performance and risk based management for security programs Demonstrate a mature security program Agency risk assessments Security policies and procedures Subordinate plans (i.e., individual system security plans) Training plans Annual testing and evaluation Corrective action process Security incident reporting Continuity of operations plans Integrate security into the business

Agenda FISMA – an introduction Roles and Responsibilities FISMA Requirements Transition from report to process

As part of their strategy for a successful US government IT security posture, NIST plans to work with government agencies and industry on FISMA related issues FISMA strengthens the reach of NIST Standards issued by NIST are now “compulsory and binding” NIST plays a more active role in defining how Federal agencies should be protecting their systems and infrastructure Much guidance is under development to support agency program and system reviews According to the NIST web site, their vision for supporting FISMA is to promote the development of standards and guidelines including: Security categorization of information and information systems Selection of appropriate security controls for information systems Verification of security control effectiveness and determination of information system vulnerabilities Operational authorization for processing (security accreditation) of information systems

For federal departments and agencies, FISMA identifies roles and responsibilities for the IT security management team Agency Head Chief Information Officer Held accountable ultimately for the protection of an agency’s systems Expected to include security as a part of strategic and operational planning Assign CIOs compliance responsibility Inspector General Designate a senior information security officer who reports directly to the CIO Held accountable for agency-wide security program Develop and implement policies, procedures and controls Report on progress quarterly to OMB Verify that security program elements exist Validate POA&Ms Identify all known security weaknesses and that a robust process exists for maintaining the POA&M ISSO Program Officials and System Owners Carry out responsibilities of the CIO Security is the ISSO’s primary responsibility, not an other duty as assigned Maintain professional qualifications Assess risk and test controls Update system documentation Ensure systems are certified and accredited People play a key role in FISMA

Agenda FISMA – an introduction Roles and Responsibilities FISMA Requirements Transition from report to process

Training and Capital Planning FISMA requirements can be segmented into four main categories – foundational, review, mitigation, measurement… Foundational Inventory Assignment of security responsibilities Configuration requirements Incident response Identification of critical assets Review NIST self assessment Certification and accreditation Risk assessment Continuity of system operations Mitigation Plan of action and milestones Measurement Track progress Evaluate performance of all components Report quarterly FISMA REQUIREMENTS Training and Capital Planning Measurement Review Mitigation Foundational …and two others which span across all phases of the program

To fulfill FISMA requires, an agency should focus on building a solid foundation within their IT security program Senior information security official should appointed by and report to the CIO An inventory program which is: Updated at least annually Made available to the Comptroller General Used to support information resources management Synchronized with their enterprise architecture inventory efforts Identification of critical assets and their interdependencies with other assets An established patch management process which assumes a configuration management process exists patches are tested prior to implementation Incident response is closely tied to patch management Foundational

Agencies are required to complete an annual FISMA review to ensure that security controls maintain risk at an acceptable level Depth and breadth of an annual FISMA review depends on several factors such as: The acceptable level of risk and magnitude of harm to the system or information The extent to which system configurations and settings are documented and continuously monitored The extent to which patch management is employed for the system The relative comprehensiveness of the most recent past review The vintage of the most recent in-depth testing and evaluation as part of system certification and final accreditation Testing should also include management, operational and technical controls Review

Plan of Action and Milestones (POA&M) is an agency’s primary management tool for tracking the mitigation of its IT security program and system-level weaknesses Plan of Action and Milestones (POA&M) are: Designed to facilitate review, analysis, and decision making for performance improvement in implementing corrective actions Used as a point of comparison for a Department to compare an organization’s progress in the area of IT security Reviewed within a Department and by OMB OMB uses all Federal POA&Ms to conduct their assessment of the Federal government’s IT security maturity IGs are asked this year to assess against specific criteria whether the agency has developed, implemented, and is managing an agency-wide POA&M process The IG’s assessment in this area is critical Effective remediation of IT security weaknesses is essential to achieving a mature IT security program Mitigation

For a successful mitigation strategy an agency should aim to create as comprehensive a POA&M as possible All security weaknesses (programs and systems) must be included in the POA&M POA&M is a living document – it evolves over time as weaknesses are corrected and new ones arise POA&Ms are used to support the funding decision making process To promote the integration of security into capital planning, POA&Ms should draw from data in exhibits 300 and 53 The IG must verify that POA&Ms identify all known security weaknesses

The following screenshot represents a sample POA&M Weakness POC Resources Required Scheduled Completion Date Milestones with Completion Dates Changes to Milestones Source Status 1.       No risk assessment has been conducted on the ABC Network ABC Network PM 80K 5/15/04 2.1 Identify baseline security requirements 11/15/02   NIST Self Assessment On-going 2.2 Conduct risk assessment 12/20/02 2.3 Document risk assessment results 1/15/02 2.       No program level security plan exists for ABC Bureau ABC Bureau CIO 25K 4/2/04 1.1 Complete Initial Draft 1/4/03 ABC IG Audit 1.2 Complete Final based on comments received 2/28/03

The following items are required in an agency’s POA&M submission Refers to a SPECIFIC identified program or system weakness Must be clear enough to discern weakness yet not reveal sensitive data Weakness Identifies the office or organization held accountable for correcting weakness POC Activities Resources Required Describes monetary amount needed to complete that is not already accounted for with current staffing Scheduled Completion Date Indicates corrective action completion date Meeting dates becomes a major criteria of evaluation for OMB Milestones with Completion Dates Refers to major steps along the way that occur while completing the corrective action Timelines/Dates are required to be associated with each step Changes to Milestones Indicates when the timeline changes Justification for the change will be required elsewhere Source Identifies where the weakness was first identified Status Indicates if a corrective action is ongoing or completed

Here are some other important POA&M concepts to keep in mind when putting together an agency’s mitigation strategy CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems that they operate and control A separate POA&M must be developed for every program and system for which weaknesses are identified System level POA&Ms must be tied directly to the system budget request through the IT business case as required in OMB Budget guidance (Circular A-11) Sufficient data regarding the weakness description and its corrective action plan is necessary POA&M process represents a prioritization of agency IT security weaknesses that ensures that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources. Department CIO is expected to centrally track and maintain all POA&M activities

Another key element of a successful IT security program is an effective measurement strategy which includes quarterly metrics Quarterly POA&M Update Information Quarterly IT Security Measures Update Total number of weaknesses identified at the start of the quarter. Number of weaknesses for which corrective action was completed on time (including testing) by the end of the quarter Number of weaknesses for which corrective action is ongoing and is on track to complete as originally scheduled Number of weaknesses for which corrective action has been delayed including a brief explanation for the delay Number of new weaknesses discovered following the last POA&M update and a brief description of how they were identified (e.g., agency review, IG evaluation, etc.). Number of systems assessed for risk and assigned a level or risk Number of systems that have an up-to-date IT security plan Number of systems certified and accredited Number of systems with security control costs integrated into the life cycle of the system Number of systems for which security controls have been tested and evaluated in the last year Number of systems with a contingency plan Number of systems for which contingency plans have been tested + = Measurement

Training and Capital Planning Agencies should integrate training and IT security capital planning, throughout their program Integrating IT security into the capital planning process POA&Ms, annual FISMA reports, and executive summaries must be cross-referenced to the budget materials Exhibit 300: Capital asset plan and justification Exhibit 53: Summary of IT systems and expenditures. Unique project identifier that stems from Exhibit 300s and 53s must be referenced in the “Resources Required” column of the POA&M. Although the POA&M and Exhibit 300s may cite the same unique project identifiers, the security costs will not match because the Exhibit 300s also contains ongoing security maintenance costs. Training All parts of IT security management team need awareness and training Responsibility to provide training is placed on CIO Responsibility of program officials to complete training Training and Capital Planning Mitigation

Results of non-compliance Probable exploitation of security vulnerabilities Unauthorized access and/or modification of sensitive data Jeopardize funding for current and future IT projects

Agenda FISMA – a higher cause? Roles and Responsibilities FISMA Requirements Transition from report to process

Putting the pieces together for a successful IT security management program requires that an agency shift its focus from the FISMA report to a more comprehensive management process Communication throughout the program is key FISMA encourages communication across and between business lines System owners, budget and security personnel are expected to collaborate so that suitable decisions are made regarding functionality and security of IT assets Management assumes an active posture towards IT security If you can’t respond to the different measures associated with FISMA, then there is no plan for protecting your IT resources Documentation may seem painful, but it is necessary Provides accountability Prevents overreliance on a subset of staff Promotes knowledge management

In summary, here are some aspects of FISMA to remember when building a successful IT security management program Performance and risk based decision making essential for sound security program It’s not just a report – it’s a process Know your inventory Communicate and involve stakeholders in all phases security management Budget personnel and program managers are stakeholders too! Understand the mission that systems support – map to business processes Review programs and systems Identify and then fix security problems Document and justify risks that are accepted