What is FISMA? Part II.

June 2, 2008 · Filed Under Certification and Accreditation, FISMA, Security 

This is a continuation of the previous article, “What is FISMA?“.

Implement - At this stage, the security controls are implemented. This requires taking all of the information from the previous steps and applying it in a practical manner to the information systems. For example, if a system was given a security categorization of Low in the Categorize step, the Low baseline of controls from NIST 800-53 would be implemented. In addition, any supplemental controls that management deemed necessary would also be implemented.

Again, NIST provides guidance for a variety of controls through its Special Publication series (NIST SP 800). Some of NIST's documents provide detailed control measures for specific areas such as securing wireless networks or implementing PKI. Those responsible for security are also able to use industry best practice and vendor guidelines for securely implementing systems.

Assess - Once controls have been put into place, they need to be assessed to determine their effectiveness. This is usually done by an outside consultant (like CSCI) to minimize any conflicts of interest on the part of the staff (separation of duties is itself a control that is generally implemented). If the initial documentation was written by one contractor, ideally a second contractor would be brought in to confirm the documentation, for the same reasons. In fact, the USDA had this as part of their C&A policy.

The assessors will use NIST SP 800-53A (a companion document to NIST 800-53 Rev. 2) to determine the state of the controls. This is usually part of a Security Test and Evaluation (ST&E) process and its documentation. In addition, the assessors will review, update, and edit the System Security Plan, the Risk Assessment (using the new information), and the Contingency Plan. Other minor documents such as the System Features User Guide (SFUG) and the Trusted Facility Manual (TFM) may be updated during this process as well.

Authorize - Once the information system has been assessed, it needs an Authorization to Operate (ATO) or an Interim Authorization to Operate (IATO). This is granted by the Designated Approving Authority (DAA). This is the person who assumes the risk of the information system operating as described, and is usually someone in upper management of the agency.

All of the system documentation is packaged up and delivered to the DAA. It is up to the DAA to review the documentation and decide whether to trust that it is valid. They must then decide that it is acceptable for the system to operate as described by granting it an ATO. If the DAA decides not to grant an ATO, there are two other options. One is to flat out deny the information system the ability to operate. This would require the documentation and/or the information system to be brought into better shape. Or, they could grant an IATO. This allows the information system to operate only for a fixed time, say 3 months. It is accompanied by a line-item list of requirements with deadlines. These requirements must be in place by their deadlines for the DAA to grant an ATO. This list of requirements is called a Plan of Action and Milestones (POAM). If the information system does not meet the POAM requirements, the DAA may decide to shut down the information system.
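As an added illustration of the IATO/POAM logic in this paragraph (example code, not part of the original post): a small Python tracker that, given the IATO grant date, its fixed term, and the POAM line items with their deadlines, reports which items were met on time, which are still open, and whether the package is ready for an ATO or must go back to the DAA. The class and field names, the 90-day term, and the sample milestones are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Milestone:
    item: str
    due: date                         # POAM deadline set by the DAA
    completed: Optional[date] = None  # date the fix was verified, or None

@dataclass
class Iato:
    granted: date
    term_days: int                    # fixed term, e.g. 90 days for "3 months"
    poam: List[Milestone] = field(default_factory=list)

    @property
    def expires(self) -> date:
        return self.granted + timedelta(days=self.term_days)

def evaluate_iato(iato: Iato, today: date) -> Dict:
    """Classify each POAM item as met, missed (late or overdue) or open,
    and recommend the action the article describes for the DAA."""
    missed, open_items = [], []
    for m in iato.poam:
        if m.completed is not None and m.completed <= m.due:
            continue                                    # met on time
        if m.completed is not None or today > m.due:
            missed.append(m.item)                       # finished late, or past due
        else:
            open_items.append(m.item)                   # pending, deadline not yet reached
    if missed or (today > iato.expires and open_items):
        rec = "escalate to DAA"      # requirements not met: shutdown is on the table
    elif not open_items:
        rec = "grant ATO"            # every milestone met by its deadline
    else:
        rec = "continue IATO"        # still inside the term, items not yet due
    return {"expires": iato.expires, "missed": missed, "open": open_items,
            "recommendation": rec}

# Constructed sample: IATO granted 2008-03-01 for 90 days with three POAM items.
SAMPLE = Iato(date(2008, 3, 1), 90, [
    Milestone("Replace data center UPS", date(2008, 4, 1), date(2008, 3, 28)),
    Milestone("Update Contingency Plan", date(2008, 5, 1), date(2008, 5, 3)),
    Milestone("Finish ST&E re-test", date(2008, 5, 25)),
])

if __name__ == "__main__":
    print(evaluate_iato(SAMPLE, date(2008, 5, 10)))
```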

Monitor - This step is essentially what it says. You monitor the information system and adjust as you go along. Generally, when changes happen to the system, the security documentation needs to be updated. For instance, if the data center where the system sits receives a more powerful UPS, then the documentation should reflect that it was upgraded. This could have been a POAM item, and it may be marked off that list and also removed from the Risk Assessment. Major changes might kick off the entire process over again. For instance, if a web application was a Microsoft .NET application and it was rewritten in Java, this would be a major change with a huge impact on the security posture of the information system. This would require a rework of all documentation to ensure that it is still applicable. The DAA would then need to reaccredit the system for operation.
