Agencies find keys to FISMA

Best practices include risk management and automated security awareness tips

NRC takes steps to patch security strategy

Security at the Nuclear Regulatory Commission has been ineffective. In September, the commission’s inspector general reported that the NRC failed to certify and accredit most of its systems and did not test its contingency plans. The NRC wants to change that, said Darren Ash, its chief information officer.

“Executive management at the highest levels of the agency has taken responsibility for the security of NRC’s information systems” and compliance with the Federal Information Security Management Act, Ash said.

The NRC has hired a chief information security officer and made progress in certifying and accrediting its systems, a process that it expects to complete in fiscal 2009, Ash said.

The NRC will test its systems' contingency plans by the end of June, and it has linked that requirement to senior executives' performance reviews.

The agency also plans to have the State Department provide security awareness training to its employees under the Office of Management and Budget’s Information Systems Security Line of Business initiative.

— Mary Mosquera

Every federal agency must comply with the Federal Information Security Management Act, but there is no one-size-fits-all compliance strategy, a group of chief information security officers recently told lawmakers.

The success stories of agencies that have earned high FISMA ratings vary in their details, although they follow a similar pattern.

For example, the U.S. Agency for International Development secured support from senior agency executives, implemented extensive training and asked agency managers in charge of specific information systems to be responsible for certifying and accrediting those systems.

“This is an area where I believe we have implemented one of the foundational tenets of FISMA,” said Philip Heneghan, USAID’s chief information security officer. “For each system and network, USAID has identified an executive who owns it, has responsibility for it and is in the best position to make risk-based decisions regarding the system’s security controls.”

The CISOs spoke at a March 12 hearing of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.

Heneghan said automation is a major factor in USAID’s success. The agency centrally manages its security infrastructure, which collects and analyzes security events and network metrics from hundreds of remote security systems worldwide. It also automates much of its training, Heneghan said. For example, USAID supplements its security awareness training with a Tip of the Day program, which presents a security lesson and prompts users to answer a question about that lesson before they log into the agency’s network.

The State Department and USAID also provide information security awareness training as a shared services center under the Office of Management and Budget’s Information Systems Security Line of Business initiative.

State improved its information security standing in 2007 after receiving a failing grade in 2006, according to a report that the agency’s inspector general submitted to OMB. The agency’s score for 2007 won’t be known until OMB releases its FISMA report next month.

State uses a layered approach to risk management through various operational, technical and managerial security controls, said Susan Swart, State’s chief information officer.

The department blocks 3.5 million spam e-mail messages, intercepts 4,500 viruses and detects more than 1 million anomalous external probes of its network each week, Swart said.

State must familiarize its civil service, Foreign Service, local staff members and contractors worldwide with the department’s security policies and procedures. It formed a departmentwide information security steering committee of system owners and senior security managers to deal with security issues and to ensure that all employees follow security policies and procedures, regardless of their location. The committee created integrated information security teams of policy specialists, operational officials and managers.

State also organized a 90-Day Push project last year to focus on two major information security requirements: conducting a systems and Web site inventory and testing systems to certify and accredit them. The department conducted workshops based on guidance from the National Institute of Standards and Technology for testing systems security.

Another key to USAID's and State's FISMA compliance is their practice of automated scanning to detect security vulnerabilities.

State’s vulnerability scanning tools produce daily reports for system administrators to validate patch management, anti-virus updates and configuration compliance, Swart said.
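The daily scan-validation report Swart describes can be produced by a step like the one below, added here as an illustration; it is not State's or USAID's code. The baseline (required patch identifiers, maximum anti-virus signature age, configuration rules), the host names, the scan-record layout and the report date are all constructed assumptions for the example, and a real scanner would export its own format. The point it shows beyond the text is the decision rule: a control the scanner could not read is reported as a failure, not silently counted as compliant.

```python
"""Added example: turn per-host scan output into a daily compliance report.
Illustrative code for this page, not an agency's tooling. All data is constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Hypothetical agency baseline. A config rule is ("min", n) for a numeric
# floor or ("eq", v) for an exact required value.
BASELINE = {
    "required_patches": {"KB-2008-001", "KB-2008-002"},
    "max_av_signature_age_days": 3,
    "required_config": {
        "password_min_length": ("min", 12),
        "telnet_enabled": ("eq", False),
    },
}

# Constructed scan output, one record per host, as a scanner might export it.
SCAN_RESULTS = [
    {"host": "ws-001", "installed_patches": {"KB-2008-001", "KB-2008-002"},
     "av_signature_date": "2008-03-11",
     "config": {"password_min_length": 14, "telnet_enabled": False}},
    {"host": "ws-002", "installed_patches": {"KB-2008-001"},
     "av_signature_date": "2008-03-01",
     "config": {"password_min_length": 8, "telnet_enabled": True}},
    {"host": "srv-010", "installed_patches": {"KB-2008-001", "KB-2008-002"},
     "av_signature_date": "2008-03-12",
     "config": {"password_min_length": 12}},   # telnet setting not reported
]
REPORT_DATE = date(2008, 3, 12)   # constructed "today" for the sample run


@dataclass
class HostFinding:
    host: str
    missing_patches: List[str] = field(default_factory=list)
    av_signature_age_days: Optional[int] = None   # set only when stale
    config_violations: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not (self.missing_patches
                    or self.av_signature_age_days is not None
                    or self.config_violations)


def _rule_ok(rule, actual) -> bool:
    op, expected = rule
    if op == "min":
        return actual >= expected
    if op == "eq":
        return actual == expected
    raise ValueError(f"unknown rule type {op!r}")


def check_host(record: dict, baseline: dict, today: date) -> HostFinding:
    """Compare one scan record against the baseline."""
    finding = HostFinding(host=record["host"])
    finding.missing_patches = sorted(
        baseline["required_patches"] - set(record["installed_patches"]))
    age = (today - date.fromisoformat(record["av_signature_date"])).days
    if age > baseline["max_av_signature_age_days"]:
        finding.av_signature_age_days = age
    for key, rule in baseline["required_config"].items():
        if key not in record["config"]:
            # An unverified control is a failure, never a pass.
            finding.config_violations.append(f"{key}: not reported by scanner")
        elif not _rule_ok(rule, record["config"][key]):
            finding.config_violations.append(
                f"{key}={record['config'][key]!r} violates {rule}")
    return finding


def daily_report(results: List[dict], baseline: dict, today: date) -> dict:
    """Evaluate every host and roll up the day's summary counts."""
    findings = [check_host(r, baseline, today) for r in results]
    return {"date": today.isoformat(), "findings": findings,
            "compliant": sum(f.compliant for f in findings),
            "noncompliant": sum(not f.compliant for f in findings)}


def format_report(report: dict) -> str:
    """Plain-text rendering an administrator could read or file."""
    lines = [f"Compliance report for {report['date']}: "
             f"{report['compliant']} compliant, {report['noncompliant']} non-compliant"]
    for f in report["findings"]:
        lines.append(f"  {f.host}: {'OK' if f.compliant else 'NON-COMPLIANT'}")
        lines += [f"    missing patch {p}" for p in f.missing_patches]
        if f.av_signature_age_days is not None:
            lines.append(f"    AV signatures {f.av_signature_age_days} days old")
        lines += [f"    config: {v}" for v in f.config_violations]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(daily_report(SCAN_RESULTS, BASELINE, REPORT_DATE)))
```

Run as-is it prints one compliant host and two non-compliant ones; in practice the scan export, baseline and report date would come from the scanner, the agency's configuration standard and the system clock respectively.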

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
