IT Security Law for Federal Agencies As of: 30 December 2002.

Federal Statutes
- Information Technology Management Reform Act (Clinger/Cohen Act) (Title 40 USC §§ 1401) is about IT investments. There are numerous CIO responsibilities outlined, including investments for security.
- Federal Information Security Management Act (Title 44 USC Chapter 35 Sub-Chapter II) specifically addresses IT security.
- Other applicable statutes include:
  – Chief Financial Officers’ Act (Title 31 USC §§ xxx)
  – Federal Financial Management Improvement Act of 1996 (Title 31 USC §§ xxx)
  – Inspector General Act of 1978 (Title 5 USC Appendix)

Other (non-Statute) Relevant Authorities for IT Security
- Other relevant documents (implementing OMB’s authority under GISRA - ):
  – OMB Circular A-130
  – OMB Ltr M dtd 16 January 2001
  – OMB Ltr M dtd 22 June 2002

US Code titles involved (Title 40 primarily):
- Title 5 - Government Organization & Employees
- Title 31 - Money & Finance
- Title 40 (primarily)
- Title 44 - Public Printing & Docs

FISMA: Legislative History
- The Government Information Security Reform Act (GISRA) ended in November 02 due to a sunset provision.
- Congress enacted the Federal Information Security Management Act (FISMA) in November 02.
  – This bill was included as Title X of the Homeland Security Act of 2002.
- In December 02, Congress passed a newer version of FISMA.
  – This bill was included as Title III of the E-Government Act of 2002.
  – At the bill signing, the President announced that the Administration would consider the E-Gov Act version of FISMA as superseding the previously passed DHS Act version of FISMA (so this is the current law that we must follow).

FISMA: OMB Director’s Authority and Functions
- Developing and overseeing the implementation of policies, principles, standards (including NIST standards), and guidelines on information security
- Requiring Federal agencies to identify and provide security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency, or operated by a contractor of an agency on behalf of an agency
- Coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems
- Overseeing agency compliance with the requirements of this subchapter to enforce accountability for compliance with such requirements
- Reviewing at least annually, and approving or disapproving, agency information security programs
- Coordinating information security policies and procedures with related information resources management policies and procedures
- Overseeing the operation of the Federal information security incident center
- Reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter

FISMA: In General, Agency Heads are responsible for:
- Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency
- Complying with the information security standards promulgated under section of title 40 (NIST Standards)
- Ensuring that information security management processes are integrated with agency strategic and operational planning processes
- Ensuring that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including:
  – Determining levels of information security appropriate to protect information and information systems in accordance with standards promulgated under section of title 40
  – Implementing policies and procedures to cost-effectively reduce risks to an acceptable level
  – Periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented
- Ensuring the agency has trained personnel sufficient to assist the agency in complying with security requirements

FISMA: Specific Agency Head Responsibilities for the CIO
- Delegating to the agency Chief Information Officer (CIO) the authority to ensure compliance with requirements imposed on the agency, including:
  – Designating a senior agency information security officer who shall:
    - Carry out the Chief Information Officer’s information security responsibilities
    - Possess professional qualifications, including training and experience, required to administer the security functions
    - Have information security duties as a primary duty
    - Head an office with the mission and resources to assist in ensuring agency compliance
  – Developing and maintaining an agency-wide information security program (as outlined on the next few slides)
  – Developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements
  – Training and overseeing personnel with significant responsibilities for information security with respect to those responsibilities
  – Assisting senior agency officials concerning their IT security responsibilities
- Ensuring that the CIO, in conjunction with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions

FISMA: IT Security Program
Each agency shall:
- Develop, document, and implement an agency-wide information security program to provide information security for information and information systems that support the operations and assets of the agency, including those provided or managed by another agency
  – The program must be approved by the Director of OMB
- Review the security program at least annually (by agency program officials in consultation with the Chief Information Officer)

FISMA: Each program shall include:
- Periodic assessments of the risk and magnitude of the harm to information and information systems that support the operations and assets of the agency
- Various enumerated policies and procedures, including those prescribed by the Director of OMB, and other statutory information security standards
- Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems
- Security awareness training
- Periodic testing and evaluation
- A process for planning, implementing, evaluating, and documenting remedial action
- Procedures for detecting, reporting, and responding to security incidents
- Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency

FISMA: Agency Reporting Requirements
- Each agency shall report annually to the Director of OMB, the Committees on Government Reform and Science of the House of Representatives, the Committees on Governmental Affairs and Commerce, Science, and Transportation of the Senate, the appropriate authorization and appropriations committees of Congress, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements.
- Reports must specifically:
  – Address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to:
    - Annual agency budgets
    - Information resources and technology management
    - Security program performance
    - Financial management systems
    - Internal accounting and administrative controls
  – Report any significant deficiency in a policy, procedure, or practice relating to a material weakness or to a financial management system
- In addition to the above requirements, each agency, in consultation with the Director of OMB, shall include as part of the agency performance plan (required under a different section) a description of the time periods and the resources necessary to implement the security program.
  – This description shall be based on risk assessments.
- Each agency shall also provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public.

Performance Plan Requirement (Title 31, Money & Finance)
Title 31 of the US Code requires each Federal agency to submit a performance plan for key programs and activities, which must include:
- Performance goals to define the level of performance to be achieved by a program activity
  – Goals must be stated in an objective, quantifiable, and measurable form
- A brief description of the operational processes, skills and technology, and the human, capital, information, or other resources required to meet the performance goals
- Performance indicators to be used in measuring or assessing the relevant outputs, service levels, and outcomes of each program activity
- A basis for comparing actual program results with the established performance goals
- A description of the means to be used to verify and validate measured values

FISMA and the performance plan:
- IT security is a key program/activity, and “the adequacy and effectiveness of IT security policies, procedures, and practices in plans and reports relating to program performance” must be included in the annual FISMA report.
- FISMA further states that, in addition to the general review requirements, each agency, in consultation with the Director of OMB, shall include as part of the agency’s overall performance plan a description of the time periods and resources, including budget, staffing, and training, which are necessary to implement the IT security program.

FISMA (IG): Annual Independent Evaluation
- Each year each agency shall have performed by its IG an independent evaluation of the information security policies, procedures, and practices of that agency.
- Each evaluation shall include:
  – Testing of the effectiveness of information security control techniques for an appropriate subset of the agency’s information systems
  – An assessment (based on the testing) of compliance with:
    - The requirements of this statute
    - Any related information security policies, procedures, standards, and guidelines
- For agencies with Inspectors General appointed under the Inspector General Act of 1978 (5 U.S.C. App.) or any other law, the annual evaluation required under this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General.
- The agency head shall submit annually to the Director of OMB the results of each evaluation.
- The Director of OMB shall submit to Congress each year a report summarizing the materials received from agencies.
- The Comptroller General shall periodically evaluate and report to Congress on the adequacy and effectiveness of agency information security policies and practices.

OMB Circular A-130, Transmittal Memorandum #4 (11/28/2000) (Title: Management of Federal Information Resources)
- Appendix III, “Security of Federal Automated Information Resources”, addresses IT security
- Was incorporated, for the most part, into FISMA
- Appendix III requirements for each major application:
  – Assignment of responsibility for security of each major application
  – An application-specific security plan for each major application, including:
    - Application rules concerning use and behavior
    - Specialized training
    - Personnel security controls
    - Contingency planning
    - Technical controls
    - Information sharing controls
    - Public access controls
  – Periodic review of application controls
  – Application authorization by a management official based on review of the application-specific security plan

OMB Letter M (Dated 16 January 2001)
- Provides specific guidance on implementing GISRA (now FISMA)
  – Requires FISMA submissions (program reviews, IG evaluations, and mandated agency reporting to OMB) to be included as part of the normal budget process
- Outlines agency responsibilities under FISMA. Each Federal agency must:
  – Have an agency-wide program practiced throughout life-cycle management
  – Have an incident response capability
  – Conduct an annual program review (agency officials, in consultation with the CIO)
  – Report significant deficiencies
  – Include additional items in agency performance plans
- As a practical matter this letter establishes no new requirements over and above the ones in the actual statute; however, the letter does provide detailed explanations for FISMA compliance.

OMB Letter M (Dated 22 June 2002)
Amplifies the reporting requirement as follows:
- Agencies must include a short (no more than 15 pages) executive summary, developed by the CIO, agency program officials, and the Inspector General, that is based on the results of their work.
- The executive summary must have two components, one prepared by the CIO working with the program officials, and one prepared by the Inspector General.
- The CIO section of the executive summary should respond to 14 specific areas in three categories, as follows:
  – General overview
    - Total security funding
    - Total number of programs
    - Methodology for reviews
    - Material weaknesses
  – Security Program Performance
    - Specifics for risk assessments
    - Specifics for security program
    - How security training is assured
    - Procedures for incident handling
    - Capital planning and investment process
    - Methodology for protecting critical assets
    - Security associated with life cycle management
    - How the agency has integrated IT security with CIP
    - How to ensure contractors meet requirements
  – Next Steps
    - Strategy to correct weaknesses