JKeyes posted on June 22, 2011 13:11
On June 1, 2011, the federal government issued new requirements for agencies to report their compliance with the Federal Information Security Management Act (FISMA). What's changed?
For starters, this year was the first time since FISMA's inception that the Office of Management and Budget (OMB) did not release the requirements for measuring federal agencies' compliance with FISMA; instead, these metrics were issued by the Department of Homeland Security (DHS) National Cyber Security Division. This should not be a surprise if you were involved in FISMA reporting last year, when OMB transitioned out of, and DHS transitioned into, this role.
This year's metrics include new reporting requirements in 13 areas:
- System Inventory
- Asset Management
- Configuration Management
- Vulnerability Management
- Identity and Access Management
- Data Protection
- Boundary Protection
- Incident Management
- Training and Education
- Remote Access
- Network Security Protocols
- Software Assurance
- Continuous Monitoring
Generally, the metrics this year build on last year's requirements. The most important change, however, is the continued shift toward improving operational security through continuous monitoring of information systems, as opposed to the traditional snapshot-in-time approach documented in the past. For example, last year agencies were asked whether they had the technical ability to identify the introduction of unauthorized hardware onto their networks. This year, consistent with the guidelines established in the National Institute of Standards and Technology (NIST) Risk Management Framework, they are being asked whether they have implemented an automated process to detect and block unauthorized hardware on their networks.
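To make the "detect and block" distinction concrete, here is an added example (not from the post, and not KCG's or DHS's tooling) of the smallest automated check that would move an agency from "can identify" to "does detect": it parses constructed DHCP server log lines, normalizes the MAC addresses it finds, compares them against an assumed authorized asset inventory, and emits a blocking action for anything not in the inventory. The log format, the inventory layout and the ACL syntax are all assumptions for the example.

```python
"""Added example: flag and block hardware absent from an authorized inventory.

Assumptions (not from the original page): the inventory is a dict keyed by MAC
address, the evidence of a device joining the network is a DHCPACK line in an
ISC-dhcpd-style log, and the blocking action is a router-style ACL line.
"""
import re
from dataclasses import dataclass

# Constructed authorized inventory: MAC -> asset tag. Inventories collected from
# several sources mix MAC notations, so they are normalized before comparison.
AUTHORIZED_INVENTORY = {
    "00:1A:2B:3C:4D:5E": "LAPTOP-0042",
    "00-1a-2b-3c-4d-5f": "PRINTER-0007",
    "001a.2b3c.4d60": "SWITCH-CORE-1",
}

# Constructed sample log lines (format assumed for this example).
SAMPLE_LOG = """\
Jun 22 13:01:07 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:5e (laptop0042) via eth0
Jun 22 13:02:11 dhcpd: DHCPACK on 10.0.5.77 to 00:1a:2b:3c:4d:5f (printer) via eth0
Jun 22 13:03:45 dhcpd: DHCPACK on 10.0.5.98 to 08:00:27:aa:bb:cc (android-4f2) via eth0
Jun 22 13:04:02 dhcpd: DHCPDISCOVER from 08:00:27:aa:bb:cc via eth0
Jun 22 13:05:19 dhcpd: DHCPACK on 10.0.5.99 to 00:1A:2B:3C:4D:5E (laptop0042) via eth0
"""

# Only an acknowledged lease proves the device actually obtained an address.
LEASE_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>\S+)")
HOSTNAME_RE = re.compile(r"\((.*?)\)")


def normalize_mac(mac):
    """Canonicalize colon, dash and Cisco dotted notations to aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str


def find_unauthorized(log_text, inventory):
    """Return one Finding per unknown MAC that was granted a lease."""
    known = {normalize_mac(m) for m in inventory}
    findings = {}
    for line in log_text.splitlines():
        lease = LEASE_RE.search(line)
        if not lease:
            continue  # DHCPDISCOVER etc. do not prove the device is on the network
        mac = normalize_mac(lease.group("mac"))
        if mac in known:
            continue
        host = HOSTNAME_RE.search(line)
        # First sighting wins; later leases for the same MAC are duplicates.
        findings.setdefault(
            mac, Finding(mac, lease.group("ip"), host.group(1) if host else "")
        )
    return sorted(findings.values(), key=lambda f: f.mac)


def block_rules(findings):
    """Turn findings into blocking actions (ACL syntax is illustrative only)."""
    return [
        f"deny ip host {f.ip} any  ! unauthorized MAC {f.mac} ({f.hostname})"
        for f in findings
    ]


if __name__ == "__main__":
    for rule in block_rules(find_unauthorized(SAMPLE_LOG, AUTHORIZED_INVENTORY)):
        print(rule)
```

Run against the constructed log, the two inventoried hosts pass (including the one whose lease records the MAC in upper case) and the unknown Android device is the single finding. The caveat for anyone answering the metric with a script like this: DHCP logs only see devices that ask for a lease, so statically addressed or MAC-spoofing hardware is invisible to it. Port-level controls such as 802.1X or a NAC appliance are what "block" really requires; the log check is the detection half.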
Another addition to this year's metrics mirrors the Obama Administration's technology priorities, most notably in the area of cloud computing. As agencies move into cloud environments, DHS is interested in the number of systems and services, broken out by FIPS 199 security categorization, that are leveraging public clouds. The requirements also measure how many of those public-cloud systems have received a security assessment and an authorization to operate in the cloud.
The new metrics recognize the reality that today's federal workforce is more mobile than in the past. Smartphones, netbooks, tablets, USB drives, and other mobile devices have spread rapidly through government to support agency missions. Like OMB's previous metrics, DHS still wants to know about agency laptops, but DHS is now looking at data protection at a more granular level: agencies must report the total number of mobile devices in use, by device type, and whether the user data on those devices is encrypted with FIPS 140-2 validated encryption.
Lastly, this year's metrics focus on a growing area of exploitation: agencies' email systems and their anti-spoofing capabilities. DHS requires agencies to report how many of their email systems implement and check sender verification, a clear signal that agencies should bolster their email security policies.
These new metrics raise a number of questions, and KCG is here to help. We will be posting insight into these new metrics and other key areas impacting federal cybersecurity here at the Trusted Advisor blog, so please check back with us soon.