Agencies find keys to FISMA

Best practices include risk management and automated security awareness tips

NRC takes steps to patch security strategy

Security at the Nuclear Regulatory Commission has been ineffective. In September, the commission’s inspector general reported that the NRC failed to certify and accredit most of its systems and did not test its contingency plans. The NRC wants to change that, said Darren Ash, its chief information officer.

“Executive management at the highest levels of the agency has taken responsibility for the security of NRC’s information systems” and compliance with the Federal Information Security Management Act, Ash said.

The NRC has hired a chief information security officer and made progress in certifying and accrediting its systems, a process that it expects to complete in fiscal 2009, Ash said.

The NRC will test its systems contingency plans by the end of June, and it has linked that requirement to senior executives’ performance reviews.

The agency also plans to have the State Department provide security awareness training to its employees under the Office of Management and Budget’s Information Systems Security Line of Business initiative.

— Mary Mosquera

Every federal agency must comply with the Federal Information Security Management Act, but there is no one-size-fits-all compliance strategy, a group of chief information security officers recently told lawmakers.

The success stories of agencies that have earned high FISMA ratings vary in their details, although they follow a similar pattern.

For example, the U.S. Agency for International Development secured support from senior agency executives, implemented extensive training and asked agency managers in charge of specific information systems to be responsible for certifying and accrediting those systems.

“This is an area where I believe we have implemented one of the foundational tenets of FISMA,” said Philip Heneghan, USAID’s chief information security officer. “For each system and network, USAID has identified an executive who owns it, has responsibility for it and is in the best position to make risk-based decisions regarding the system’s security controls.”

The CISOs spoke at a March 12 hearing of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.

Heneghan said automation is a major factor in USAID’s success. The agency centrally manages its security infrastructure, which collects and analyzes security events and network metrics from hundreds of remote security systems worldwide. It also automates much of its training, Heneghan said. For example, USAID supplements its security awareness training with a Tip of the Day program, which presents a security lesson and prompts users to answer a question about that lesson before they log into the agency’s network.

The State Department and USAID also provide information security awareness training as a shared services center under the Office of Management and Budget’s Information Systems Security Line of Business initiative.

State improved its information security standing in 2007 after receiving a failing grade in 2006, according to a report that the agency’s inspector general submitted to OMB. The agency’s score for 2007 won’t be known until OMB releases its FISMA report next month.

State uses a layered approach to risk management through various operational, technical and managerial security controls, said Susan Swart, State’s chief information officer.

The department blocks 3.5 million spam e-mail messages, intercepts 4,500 viruses and detects more than 1 million anomalous external probes of its network each week, Swart said.

State must familiarize its civil service, Foreign Service, local staff members and contractors worldwide with the department’s security policies and procedures. It formed a departmentwide information security steering committee of system owners and senior security managers to deal with security issues and to ensure that all employees follow security policies and procedures, regardless of their location. The committee created integrated information security teams of policy specialists, operational officials and managers.

State also organized a 90-Day Push project last year to focus on two major information security requirements: conducting a systems and Web site inventory and testing systems to certify and accredit them. The department conducted workshops based on guidance from the National Institute of Standards and Technology for testing systems security.

Another key to USAID and State’s FISMA compliance is their practice of automated scanning to detect security vulnerabilities.

State’s vulnerability scanning tools produce daily reports for system administrators to validate patch management, anti-virus updates and configuration compliance, Swart said. 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected