HUD develops best practices for FISMA reports

The Housing and Urban Development Department has produced best practices documents that it hopes to share with other agencies to improve the quality of their submissions to comply with security requirements. The products are policies and procedures, templates and instructions, frequently asked questions and answers, checklists, face-to-face training presentations, and feedback.

The aim is to give all agencies a common set of best practices and the same quality starting point. Agencies can then tailor their own quality baselines for the documents they produce under the Federal Information Security Management Act.

HUD, which achieved A+ on the fiscal 2006 FISMA report card, is using its information technology security program as a test bed for the best practices tools, said Patrick Howard, HUD’s chief information security officer. The best practices build on IT security guidelines from the National Institute of Standards and Technology. HUD and other agencies have added the next layer.

“The best practices could make it easier for agencies to implement their security plan,” Howard said. “The documents have clear instructions, especially for people who don’t do security full time,” he said Dec. 6 at a meeting of the Information Security and Privacy Advisory Board. The board advises NIST on information security and privacy issues related to federal computer systems.

“Agencies can begin to use these products immediately,” Howard said. “Results could be realized in 2008,” he added.

The best practices apply to risk assessment, certification and accreditation testing, plans of action and milestones, and business impact analysis. HUD also includes privacy impact assessments as part of its FISMA documentation.

“We’re willing to share and see what others are doing. It should make FISMA documentation less onerous,” he said.

Howard hopes that the NIST advisory panel will recommend that the Office of Management and Budget endorse the best practices products and mandate their use by agencies so the tools will be used consistently governmentwide to raise the quality of IT security information that agencies gather. Howard also would like NIST to assume ownership of the product set and maintain it.

The documents also have a component for inspectors general. Brenda Abrams, IT audit manager at the IG’s office at the General Services Administration, worked with Howard at HUD for nine months on a risk assessment methodology for e-authentication. Abrams developed a template with instructions on a Microsoft Excel spreadsheet and boiled down explanations into simpler terms. The approach can provide more consistent audits of that area and a baseline for quality. Abrams plans to present her e-authentication methodology to the President’s Council on Integrity and Efficiency.

“Our FISMA team will use this [tool] in 2008,” Abrams said. “We haven’t been well-schooled in e-authentication.”

The best-practice IT security documentation products also can be used as a quality check for contractors or incorporated as part of a statement of work, she said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
