Subscribe to the Free Print Edition!
Celebrating 25 Years

GCN Home > 06/30/08 web stories

William Jackson | The FISMA paradigm

Security policies remain a burden to federal IT managers, but they are producing results

By William Jackson

There is no question that the Federal Information Security Management Act has changed the way information technology managers do their jobs. It has changed the way agencies write requests for proposals and set standards for vulnerability and configuration scanning — and it eats up days and weeks in the production of reports.

The question remaining is whether federal IT systems are more secure now.

Rich Kellet, IT security officer at the General Services Administration’s Citizen Services and Communications office, gave a qualified yes. Requirements for monthly vulnerability scans with deadlines for correcting critical problems have resulted in more secure systems. But Kellet described himself as skeptical about the overall requirements for detailed reporting to the Office of Management and Budget.

One of the bright spots in the FISMA paradigm is the guidance produced by the National Institute of Standards and Technology. The 800-series of special publications produced by the NIST Computer Security Division puts flesh on the bare bones of FISMA with guidelines and specifications for meeting compliance requirements.

Chief among these, Kellet said, is Special Publication (SP) 800-53, titled “Techniques and Procedures for Verifying the Effectiveness of Security Controls in Information Systems.” Kellet called this a training manual for IT systems management. Everyone should be familiar with at least the general summary section of this publication, he said. But if you are not up to reading all of its several hundred pages, Kellet recommended SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems.” “It’s really must reading for everyone.”

This is not just bedtime reading. The guidelines in 800-53 form a baseline of requirements that must be included in requests for proposals for IT systems and services. Agencies cannot meet FISMA requirements unless their vendors are meeting them.

“You cannot simply say in a contract, ‘Follow 800-53’,” he said. “We made that mistake.” A list of specific deliverables with standards for meeting them is better for the vendor and agency, he said. “We want them to cost it out because we don’t want surprises at the end.”

More news on related topics: Communications / Networks, IT Security, IT Management



GCN Popup