University of Maryland University College (UMUC) 3/11/2004 POA&M and FISMA What does it really mean? FISSEA Annual Conference

1 Agenda  FISMA – an introduction  Roles and Responsibilities  FISMA Requirements  Transition from report to process

2 Congress emphasized the importance of information security when it included the Federal Information Security Management Act (FISMA) as part of the E-Government Act of 2002  FISMA consolidates many security requirements and guidance into an overall framework for managing information security and protecting the nation ’ s critical information infrastructure from harm  FISMA requires executive agencies within the federal government to: –Plan for security –Ensure that appropriate officials are assigned security responsibility –Review periodically the security controls in their information systems –Authorize system processing prior to operations, and periodically after deploying  FISMA has three main sections –Annual security reporting requirement (Annual Program Review – CIO) –Independent Evaluation – (IG) and –Corrective action plan for remediation of security weaknesses

3 FISMA requires agencies to submit quarterly reports to OMB regarding the status of their information security program  Reporting standards are set annually by OMB and have become more stringent over time  In addition to the annual report, there are quarterly updates (Dec, Mar, June)  Other groups also receive agency FISMA reports: –House Committees on Government Reform and Science –Senate Committees on Government Affairs and Commerce, Science, and Transportation –Authorization and appropriations committees for each individual agency of Congress –General Accounting Office

4 While reporting is a key component, achieving the goals of FISMA require that an agency build a mature security program using security management processes that are ongoing and continual Goals of FISMA Agency Goals for FISMA  More consistent, comparable, and repeatable evaluations of security controls applied to information systems  A better understanding of enterprise-wide mission risks resulting from the operation of information systems  More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security accreditation decisions  More secure information systems within the Federal government including the critical infrastructure of the United States  More consistent, comparable, and repeatable evaluations of security controls applied to information systems  A better understanding of enterprise-wide mission risks resulting from the operation of information systems  More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security accreditation decisions  More secure information systems within the Federal government including the critical infrastructure of the United States  Achieve performance and risk based management for security programs  Demonstrate a mature security program –Agency risk assessments –Security policies and procedures –Subordinate plans (i.e., individual system security plans) –Training plans –Annual testing and evaluation –Corrective action process –Security incident reporting –Continuity of operations plans –Integrate security into the business  Achieve performance and risk based management for security programs  Demonstrate a mature security program –Agency risk assessments –Security policies and procedures –Subordinate plans (i.e., individual system security plans) –Training plans –Annual testing and evaluation –Corrective action process –Security incident reporting –Continuity of operations plans –Integrate security into the business

5 Agenda  FISMA – an introduction  Roles and Responsibilities  FISMA Requirements  Transition from report to process

6 As part of their strategy for a successful US government IT security posture, NIST plans to work with government agencies and industry on FISMA related issues  FISMA strengthens the reach of NIST  Standards issued by NIST are now “compulsory and binding”  NIST plays a more active role in defining how Federal agencies should be protecting their systems and infrastructure  Much guidance is under development to support agency program and system reviews  According to the NIST web site, their vision for supporting FISMA is to promote the development of standards and guidelines including: –Security categorization of information and information systems –Selection of appropriate security controls for information systems –Verification of security control effectiveness and determination of information system vulnerabilities –Operational authorization for processing (security accreditation) of information systems

7 Inspector General For federal departments and agencies, FISMA identifies roles and responsibilities for the IT security management team  Verify that security program elements exist  Validate POA&Ms  Identify all known security weaknesses and that a robust process exists for maintaining the POA&M Agency Head  Held accountable ultimately for the protection of an agency’s systems  Expected to include security as a part of strategic and operational planning  Assign CIOs compliance responsibility ISSO Chief Information Officer  Designate a senior information security officer who reports directly to the CIO  Held accountable for agency- wide security program  Develop and implement policies, procedures and controls  Report on progress quarterly to OMB  Carry out responsibilities of the CIO  Security is the ISSO’s primary responsibility, not an other duty as assigned  Maintain professional qualifications People play a key role in FISMA Program Officials and System Owners  Assess risk and test controls  Update system documentation  Ensure systems are certified and accredited

8 Agenda  FISMA – an introduction  Roles and Responsibilities  FISMA Requirements  Transition from report to process

9 FISMA requirements can be segmented into four main categories – foundational, review, mitigation, measurement…  Foundational –Inventory –Assignment of security responsibilities –Configuration requirements –Incident response –Identification of critical assets  Review –NIST self assessment –Certification and accreditation –Risk assessment –Continuity of system operations  Mitigation –Plan of action and milestones  Measurement –Track progress –Evaluate performance of all components –Report quarterly …and two others which span across all phases of the program FISMA REQUIREMENTS Foundational Review Mitigation Measurement Training and Capital Planning

10 To fulfill FISMA requires, an agency should focus on building a solid foundation within their IT security program  Senior information security official should appointed by and report to the CIO  An inventory program which is: –Updated at least annually –Made available to the Comptroller General –Used to support information resources management –Synchronized with their enterprise architecture inventory efforts  Identification of critical assets and their interdependencies with other assets  An established patch management process which assumes –a configuration management process exists –patches are tested prior to implementation  Incident response is closely tied to patch management Foundational

11 Agencies are required to complete an annual FISMA review to ensure that security controls maintain risk at an acceptable level  Depth and breadth of an annual FISMA review depends on several factors such as: 1.The acceptable level of risk and magnitude of harm to the system or information 2.The extent to which system configurations and settings are documented and continuously monitored 3.The extent to which patch management is employed for the system 4.The relative comprehensiveness of the most recent past review 5.The vintage of the most recent in-depth testing and evaluation as part of system certification and final accreditation  Testing should also include management, operational and technical controls Review

12 Plan of Action and Milestones (POA&M) is an agency’s primary management tool for tracking the mitigation of its IT security program and system-level weaknesses  Plan of Action and Milestones (POA&M) are: –Designed to facilitate review, analysis, and decision making for performance improvement in implementing corrective actions –Used as a point of comparison for a Department to compare an organization’s progress in the area of IT security –Reviewed within a Department and by OMB  OMB uses all Federal POA&Ms to conduct their assessment of the Federal government’s IT security maturity  IGs are asked this year to assess against specific criteria whether the agency has developed, implemented, and is managing an agency-wide POA&M process  The IG’s assessment in this area is critical  Effective remediation of IT security weaknesses is essential to achieving a mature IT security program Mitigation

13 For a successful mitigation strategy an agency should aim to create as comprehensive a POA&M as possible  All security weaknesses (programs and systems) must be included in the POA&M  POA&M is a living document – it evolves over time as weaknesses are corrected and new ones arise  POA&Ms are used to support the funding decision making process  To promote the integration of security into capital planning, POA&Ms should draw from data in exhibits 300 and 53  The IG must verify that POA&Ms identify all known security weaknesses

14 The following screenshot represents a sample POA&M WeaknessPOC Resources Required Scheduled Completion Date Milestones with Completion Dates Changes to Milestones SourceStatus 1. No risk assessment has been conducted on the ABC Network ABC Network PM 80K5/15/ Identify baseline security requirements 11/15/02 NIST Self Assessment On-going 2.2 Conduct risk assessment 12/20/ Document risk assessment results 1/15/02 2. No program level security plan exists for ABC Bureau ABC Bureau CIO 25K4/2/ Complete Initial Draft 1/4/03 ABC IG AuditOn-going 1.2 Complete Final based on comments received 2/28/03

15 The following items are required in an agency’s POA&M submission Weakness Activities Milestones with Completion Dates Scheduled Completion Date Resources Required Changes to Milestones POC Status Source Refers to a SPECIFIC identified program or system weakness Must be clear enough to discern weakness yet not reveal sensitive data Identifies the office or organization held accountable for correcting weakness Describes monetary amount needed to complete that is not already accounted for with current staffing Indicates corrective action completion date Meeting dates becomes a major criteria of evaluation for OMB Refers to major steps along the way that occur while completing the corrective action Timelines/Dates are required to be associated with each step Indicates when the timeline changes Justification for the change will be required elsewhere Identifies where the weakness was first identified Indicates if a corrective action is ongoing or completed

16 Here are some other important POA&M concepts to keep in mind when putting together an agency’s mitigation strategy  CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems that they operate and control  A separate POA&M must be developed for every program and system for which weaknesses are identified  System level POA&Ms must be tied directly to the system budget request through the IT business case as required in OMB Budget guidance (Circular A-11)  Sufficient data regarding the weakness description and its corrective action plan is necessary  POA&M process represents a prioritization of agency IT security weaknesses that ensures that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.  Department CIO is expected to centrally track and maintain all POA&M activities

17 Another key element of a successful IT security program is an effective measurement strategy which includes quarterly metrics Measurement Quarterly POA&M Update Information  Total number of weaknesses identified at the start of the quarter.  Number of weaknesses for which corrective action was completed on time (including testing) by the end of the quarter  Number of weaknesses for which corrective action is ongoing and is on track to complete as originally scheduled  Number of weaknesses for which corrective action has been delayed including a brief explanation for the delay  Number of new weaknesses discovered following the last POA&M update and a brief description of how they were identified (e.g., agency review, IG evaluation, etc.).  Total number of weaknesses identified at the start of the quarter.  Number of weaknesses for which corrective action was completed on time (including testing) by the end of the quarter  Number of weaknesses for which corrective action is ongoing and is on track to complete as originally scheduled  Number of weaknesses for which corrective action has been delayed including a brief explanation for the delay  Number of new weaknesses discovered following the last POA&M update and a brief description of how they were identified (e.g., agency review, IG evaluation, etc.).  Number of systems assessed for risk and assigned a level or risk  Number of systems that have an up-to-date IT security plan  Number of systems certified and accredited  Number of systems with security control costs integrated into the life cycle of the system  Number of systems for which security controls have been tested and evaluated in the last year  Number of systems with a contingency plan  Number of systems for which contingency plans have been tested  Number of systems assessed for risk and assigned a level or risk  Number of systems that have an up-to-date IT security plan  Number of systems certified and accredited  Number of systems with security control costs integrated into the life cycle of the system  Number of systems for which security controls have been tested and evaluated in the last year  Number of systems with a contingency plan  Number of systems for which contingency plans have been tested Quarterly IT Security Measures Update +=

18 Agencies should integrate training and IT security capital planning, throughout their program  Integrating IT security into the capital planning process –POA&Ms, annual FISMA reports, and executive summaries must be cross-referenced to the budget materials –Exhibit 300: Capital asset plan and justification –Exhibit 53: Summary of IT systems and expenditures. –Unique project identifier that stems from Exhibit 300s and 53s must be referenced in the “Resources Required” column of the POA&M. –Although the POA&M and Exhibit 300s may cite the same unique project identifiers, the security costs will not match because the Exhibit 300s also contains ongoing security maintenance costs.  Training –All parts of IT security management team need awareness and training –Responsibility to provide training is placed on CIO –Responsibility of program officials to complete training Mitigation Training and Capital Planning

19 Results of non-compliance  Probable exploitation of security vulnerabilities  Unauthorized access and/or modification of sensitive data  Jeopardize funding for current and future IT projects

20 Agenda  FISMA – a higher cause?  Roles and Responsibilities  FISMA Requirements  Transition from report to process

21 Putting the pieces together for a successful IT security management program requires that an agency shift its focus from the FISMA report to a more comprehensive management process  Communication throughout the program is key –FISMA encourages communication across and between business lines –System owners, budget and security personnel are expected to collaborate so that suitable decisions are made regarding functionality and security of IT assets  Management assumes an active posture towards IT security –If you can’t respond to the different measures associated with FISMA, then there is no plan for protecting your IT resources  Documentation may seem painful, but it is necessary –Provides accountability –Prevents overreliance on a subset of staff –Promotes knowledge management

22 In summary, here are some aspects of FISMA to remember when building a successful IT security management program  Performance and risk based decision making essential for sound security program  It’s not just a report – it’s a process  Know your inventory  Communicate and involve stakeholders in all phases security management –Budget personnel and program managers are stakeholders too!  Understand the mission that systems support – map to business processes  Review programs and systems  Identify and then fix security problems  Document and justify risks that are accepted