
FISMA Principles and Best Practices-Beyond Compliance PDF

340 pages · 2011 · 6.385 MB

Preview FISMA Principles and Best Practices-Beyond Compliance

Information Technology

While many agencies continue to struggle to comply with Federal Information Security Management Act (FISMA) regulations, those that have embraced its requirements have found that their comprehensive and flexible nature provides a sound security risk management framework for the implementation of essential system security controls. Detailing a proven approach for establishing and implementing a comprehensive information security program, FISMA Principles and Best Practices: Beyond Compliance integrates compliance review, technical monitoring, and remediation efforts to explain how to achieve and maintain compliance with FISMA requirements.

Based on the author’s experience developing, implementing, and maintaining enterprise FISMA-based information technology security programs at three major federal agencies, including the U.S. Department of Housing and Urban Development, the book gives you workable solutions for establishing and operating an effective security compliance program. It delineates the processes, practices, and principles involved in managing the complexities of FISMA compliance. Describing how FISMA can be used to form the basis for an enterprise security risk management program, the book

• Provides a comprehensive analysis of FISMA requirements
• Highlights the primary considerations in establishing an effective security compliance program
• Illustrates successful implementation of FISMA requirements with numerous case studies

Clarifying exactly what it takes to gain and maintain FISMA compliance, Pat Howard, CISO of the Nuclear Regulatory Commission, provides detailed guidelines so you can design and staff a compliance capability, build organizational relationships, gain management support, and integrate compliance into the system development life cycle.
While there is no such thing as absolute protection, this up-to-date resource reflects the important security concepts and ideas for addressing information security requirements mandated for government agencies and companies subject to these standards.

ISBN: 978-1-4200-7829-9
www.crcpress.com
www.auerbach-publications.com

FISMA Principles and Best Practices: Beyond Compliance

Other Information Security Books from Auerbach

Building an Enterprise-Wide Business Continuity Program, Kelley Okolita, ISBN 978-1-4200-8864-9
Intelligent Video Surveillance: Systems and Technology, edited by Yunqian Ma and Gang Qian, ISBN 978-1-4398-1328-7
Critical Infrastructure: Homeland Security and Emergency Preparedness, Second Edition, Robert Radvanovsky and Allan McDougall, ISBN 978-1-4200-9527-2
Managing an Information Security and Privacy Awareness and Training Program, Second Edition, Rebecca Herold, ISBN 978-1-4398-1545-8
Data Protection: Governance, Risk Management, and Compliance, David G. Hill, ISBN 978-1-4398-0692-0
Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World, Stephen Fried, ISBN 978-1-4398-2016-2
Encyclopedia of Information Assurance, edited by Rebecca Herold and Marcus K. Rogers, ISBN 978-1-4200-6620-3
Secure and Resilient Software Development, Mark S. Merkow and Lakshmikanth Raghavan, ISBN 978-1-4398-2696-6
The Executive MBA in Information Security, John J. Trinckes, Jr., ISBN 978-1-4398-1007-1
Security for Service Oriented Architectures, Bhavani Thuraisingham, ISBN 978-1-4200-7331-7
FISMA Principles and Best Practices: Beyond Compliance, Patrick D. Howard, ISBN 978-1-4200-7829-9
Security of Mobile Communications, Noureddine Boudriga, ISBN 978-0-8493-7941-3
HOWTO Secure and Audit Oracle 10g and 11g, Ron Ben-Natan, ISBN 978-1-4200-8412-2
Security of Self-Organizing Networks: MANET, WSN, WMN, VANET, edited by Al-Sakib Khan Pathan, ISBN 978-1-4398-1919-7
Information Security Management: Concepts and Practice, Bel G. Raggad, ISBN 978-1-4200-7854-1
Security Patch Management, Felicia M. Wetter, ISBN 978-1-4398-2499-3
Information Security Policies and Procedures: A Practitioner’s Reference, Second Edition, Thomas R. Peltier, ISBN 978-0-8493-1958-7
Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition, Douglas Landoll, ISBN 978-1-4398-2148-0
Information Security Risk Analysis, Third Edition, Thomas R. Peltier, ISBN 978-1-4398-3956-0
Security Strategy: From Requirements to Reality, Bill Stackpole and Eric Oksendahl, ISBN 978-1-4398-2733-8
Information Technology Control and Audit, Third Edition, Sandra Senft and Frederick Gallegos, ISBN 978-1-4200-6550-3
Vulnerability Management, Park Foreman, ISBN 978-1-4398-0150-5

Auerbach Publications, www.auerbach-publications.com. To order call: 1-800-272-7737 • Fax: 1-800-374-3401 • E-mail: [email protected]

FISMA Principles and Best Practices: Beyond Compliance
Patrick D. Howard

Auerbach Publications, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2011 by Taylor and Francis Group, LLC. Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business. No claim to original U.S. Government works. Printed in the United States of America on acid-free paper. 10 9 8 7 6 5 4 3 2 1. International Standard Book Number-13: 978-1-4200-7830-5 (Ebook-PDF)

This book contains information obtained from authentic and highly regarded sources.
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com

Dedication

To Daniela and Peter: Thank you for all the joy you have brought me.
Contents

Preface vii
Acknowledgments ix

Part I: Introduction
Chapter 1: Analysis of the Federal Information Security Management Act (FISMA) 7
Chapter 2: Principles of FISMA Reporting 29

Part II: Managing FISMA Compliance
Chapter 3: Management Support 51
Chapter 4: The Information Security Organization 65
Chapter 5: Staffing Considerations 85
Chapter 6: Program Planning 101
Chapter 7: Developing Policy and Guidance 115
Chapter 8: Training and Awareness 131
Chapter 9: Audit Liaison 151
Chapter 10: Monitoring Mechanisms 167
Chapter 11: Life-Cycle Issues 183
Chapter 12: Outreach 193

Part III: Summary
Appendix A: The FISMA Legislation 219
Appendix B: OMB FISMA Reporting Guidelines 245
Appendix C: OMB FISMA FY10 Reporting Questionnaires 283
Appendix D: Consensus Audit Guidelines 313
Appendix E: Bibliography 325

Preface

Over the last seven years, federal agencies have come to understand the requirements of the Federal Information Security Management Act (FISMA), have learned the routine for periodic reporting of FISMA compliance, and also generally comply with the requirements of the act, particularly with respect to system authorization, weakness remediation, and awareness training. However, most agencies continue to struggle with finding resources to maintain compliance and with balancing FISMA compliance with other ongoing needs for the continuous protection of agency data. Most agencies find that resources to support information technology security are limited and are growing more constrained. Hence, agencies are being forced to be more efficient in how they implement security controls and manage information technology (IT) security programs. Threats are intensifying and evolving, and an agile defense posture must be employed.
The purpose of this book is to help the reader understand how efficiencies can be gained in the implementation of a FISMA-based, agency-level information technology security program, and to share ideas about how compliance requirements can be balanced against overall organization needs for security. It is my contention that FISMA legislation is sufficiently comprehensive and flexible to permit an agency-level Chief Information Security Officer (CISO) to balance compliance requirements against overall needs for security,
