FISMA at SLU
Matthew Christian, Dave Maddox, Tim Toennies

Agenda
FISMA overview
Current state of FISMA at SLU
Future state

Acronym soup (oversimplification)
FERPA: Federal Educational Rights and Privacy Act; students
HIPAA: Health Insurance Portability and Accountability Act; patients
PII: Personally Identifiable data; all people
PCI: Payment Card Industry; credit cards
FISMA: Federal Information Security Management Act; government

What is FISMA?
Included by Congress as part of the E-Government Act of 2002, modernized in 2014.
Codified by the Department of Homeland Security.
Establishes security guidelines for federal agencies and for those providing services to federal agencies.
Mandatory for federal contracts; may be required for federal grants.
How do I know? FISMA may apply to a grant (1) if the grant requires the research organization to return the data to the federal project sponsor, and (2) if the grant has been awarded using a contracting form.

Does my work need FISMA cert?
Look for language in the contract to know if FISMA is required:
System Security Plan
Authority to Operate (ATO)
OMB A-130
FIPS 199
"Comply with all applicable NIST standards"
If any of these appear in a grant, treat it as a red flag and confirm.
OMB: White House Office of Management and Budget
FIPS 199: Government standard for categorizing federal information and information systems according to an agency's level of concern for the confidentiality, integrity and availability of the data
NIST: National Institute of Standards and Technology

FISMA security levels
Three security levels: Low, Moderate, High.
Each level has a mandatory set of security controls, with each level building upon the previous.
In addition, FISMA mandates separate evaluations for the confidentiality, integrity, and availability of the sensitive data.
For example, research data containing individually identifiable health information would pose significant consequences to the university if that data were stolen, lost, or inadvertently disclosed, so the confidentiality security category would likely be Moderate. The same historical data may not require 24/7 access, so the security category for availability may be Low.
FISMA Low could be done by the CDC, FISMA High by the DoD.

FISMA impact
Separate accounts
Remote access
Controlled data transfer
Formal change management
Proactive log review
Security assessment

FISMA is a Framework

Top FISMA Requirements
Maintain an inventory of information systems
Categorize information and information systems according to risk level
Maintain a system security plan
Utilize security controls
Conduct risk assessments
Certification and accreditation
Conduct continuous monitoring

While the full FISMA requirements are extensive and very detailed, the top requirements can be summarized as follows:

Maintain an inventory of information systems – Every agency should have in place an inventory of information systems that are operated by or under the control of the agency. The inventory must include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.

Categorize information and information systems according to risk level – All information and information systems should be categorized based on the objective of providing appropriate levels of information security according to a range of risk levels defined by FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems." The guidelines are provided by NIST SP 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories."

Maintain a system security plan – Agencies should develop and maintain a system security plan, which is a living document that requires periodic review, modification, and plans of action and milestones for implementing security controls. The system security plan is the major input to the security certification and accreditation process for the system.

Utilize security controls – Federal information systems must meet the minimum security requirements defined in FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems." Organizations meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." Agencies have flexibility in applying the baseline security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.

Conduct risk assessments – Each agency should conduct risk assessments to validate its security controls and to determine whether any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the United States. The resulting set of security controls establishes a level of "security due diligence" for the federal agency and its contractors.

Certification and accreditation – Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems."

Conduct continuous monitoring – All accredited systems are required to monitor a selected set of security controls, and the system documentation should be updated to reflect changes and modifications to the system. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

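The categorization step, described on the security-levels slide and again in the "Categorize information and information systems" requirement above, can be carried through in code. The Python script below is an added illustration written for this page; it is not SLU's tooling and not anything published by NIST. It follows the FIPS 199 approach: each information type a system handles is rated Low, Moderate or High for confidentiality, integrity and availability; the system's rating for each objective is the highest rating among its information types (the aggregation NIST SP 800-60 describes); and the overall impact level is the highest of the three objectives (the high-water-mark rule from FIPS 200). It goes one step beyond the slide's single example by aggregating over several information types at once. The information types, their ratings, and in particular the integrity rating given to the health-data example are constructed assumptions, since the slide states only the confidentiality (Moderate) and availability (Low) ratings.

```python
"""FIPS 199 style security categorization.

Added illustration for this page, not SLU's own tooling.  Each information
type handled by a system gets a provisional impact level (Low / Moderate /
High) for confidentiality, integrity and availability.  The system's level
for each objective is the highest level among its information types, and the
overall impact level is the highest of the three objectives (the high-water
mark rule from FIPS 200).  All sample data below is constructed for the
example and does not describe a real SLU system.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # ordered from least to most impact
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject anything outside the three FIPS 199 levels early, so a typo
        # such as "Medium" cannot silently lower or raise a category.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(
                    f"{self.name}: {objective} level {level!r} must be one of {LEVELS}")


def highest(levels):
    """Return the highest impact level among the given level names."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """Return {objective: level, ..., 'overall': level} for a system.

    Per objective, the system inherits the highest level of any information
    type it handles; the overall level is the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {obj: highest(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}
    category["overall"] = highest(category[obj] for obj in OBJECTIVES)
    return category


def format_category(category):
    """Render the category in the SC = {(objective, LEVEL), ...} notation of FIPS 199."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC = {{{parts}}}  -> overall {category['overall'].upper()}"


# Constructed example mirroring the slide: identifiable health data rates
# Moderate for confidentiality and only Low for availability because the
# historical data set does not need 24/7 access.  The Moderate integrity
# rating is an assumption made for this example; the slide does not give one.
HEALTH_RESEARCH_DATA = InfoType("identifiable health research data", "Moderate", "Moderate", "Low")
# A second constructed type with no confidentiality concern, to show that a
# low-impact type never lowers the system category.
PUBLIC_METADATA = InfoType("public study metadata", "Low", "Low", "Low")

if __name__ == "__main__":
    print(format_category(categorize_system([HEALTH_RESEARCH_DATA, PUBLIC_METADATA])))
```

Run stand-alone, the script prints the combined category in FIPS 199 notation with the health-data example landing at Moderate overall. Adding any information type rated High for even one objective raises the whole system to High, which is why the inventory of what data a system actually handles has to come before controls are selected.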
Current State: FISMA Ready
Compliance is not a quick effort; lots of planning and coordination are needed.
At this time there is no research at SLU which requires FISMA, but...
We have the hardware on site and, to the best of our knowledge, it has been built to the standards, but...
It is necessary to qualify the hardware, which would need to be done by the agency we work with for certification.
The agency chosen would depend on the security level.
Once completed, the agency would provide an Authority to Operate (ATO).
FISMA Low could be done by the CDC, FISMA High by the DoD.

Current State
We believe the environment on-site has been built to FISMA standards.
The environment is capable and scalable for large needs.

Future State
Up to all of us...
The FISMA hardware was not a trivial investment; we would love the opportunity to use it.

Keep in mind...
FISMA certification is not an overnight process. There would need to be a project plan and resources marshalled for the effort.

Who should I contact?
Work with the Research department
Ask the CISO
Review the material in the Appendix

VP Research: Matthew Christian
CISO: Dave Maddox

Questions?

Appendix
For further research:
https://www.slu.edu/its/services-and-products/research-technology-group/secure-research-environment-and-fisma
https://www.dhs.gov/fisma
https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
https://csrc.nist.gov/Topics/Laws-and-Regulations/laws/FISMA

Contact Information
Tim Toennies, tim.toennies@health.slu.edu, 314-977-7365
Dave Maddox, dave.maddox@health.slu.edu, 314-977-4917
Matthew Christian, matthew.christian@slu.edu, 314-977-2047