Agencies find keys to FISMA

Best practices include risk management and automated security awareness tips.

Every federal agency must comply with the Federal Information Security Management Act, but there is no one-size-fits-all compliance strategy, a group of chief information security officers recently told lawmakers. The success stories of agencies that have earned high FISMA ratings vary in their details, although they follow a similar pattern.

For example, the U.S. Agency for International Development secured support from senior agency executives, implemented extensive training and asked agency managers in charge of specific information systems to be responsible for certifying and accrediting those systems. “This is an area where I believe we have implemented one of the foundational tenets of FISMA,” said Philip Heneghan, USAID’s chief information security officer. “For each system and network, USAID has identified an executive who owns it, has responsibility for it and is in the best position to make risk-based decisions regarding the system’s security controls.”

The CISOs spoke at a March 12 hearing of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.

Heneghan said automation is a major factor in USAID’s success. The agency centrally manages its security infrastructure, which collects and analyzes security events and network metrics from hundreds of remote security systems worldwide. It also automates much of its training, Heneghan said. For example, USAID supplements its security awareness training with a Tip of the Day program, which presents a security lesson and prompts users to answer a question about that lesson before they log into the agency’s network. The State Department and USAID also provide information security awareness training as a shared services center under the Office of Management and Budget’s Information Systems Security Line of Business initiative.

State improved its information security standing in 2007 after receiving a failing grade in 2006, according to a report that the agency’s inspector general submitted to OMB. The agency’s score for 2007 won’t be known until OMB releases its FISMA report next month.

State uses a layered approach to risk management through various operational, technical and managerial security controls, said Susan Swart, State’s chief information officer. The department blocks 3.5 million spam e-mail messages, intercepts 4,500 viruses and detects more than 1 million anomalous external probes of its network each week, Swart said.

State must familiarize its civil service, Foreign Service, local staff members and contractors worldwide with the department’s security policies and procedures. It formed a departmentwide information security steering committee of system owners and senior security managers to deal with security issues and to ensure that all employees follow security policies and procedures, regardless of their location. The committee created integrated information security teams of policy specialists, operational officials and managers.

State also organized a 90-Day Push project last year to focus on two major information security requirements: conducting a systems and Web site inventory and testing systems to certify and accredit them. The department conducted workshops based on guidance from the National Institute of Standards and Technology for testing systems security.

Another key to USAID and State’s FISMA compliance is their practice of automated scanning to detect security vulnerabilities. State’s vulnerability scanning tools produce daily reports for system administrators to validate patch management, anti-virus updates and configuration compliance, Swart said.

NRC takes steps to patch security strategy

Security at the Nuclear Regulatory Commission has been ineffective. In September, the commission’s inspector general reported that the NRC failed to certify and accredit most of its systems and did not test its contingency plans. The NRC wants to change that, said Darren Ash, its chief information officer.

“Executive management at the highest levels of the agency has taken responsibility for the security of NRC’s information systems” and compliance with the Federal Information Security Management Act, Ash said.

The NRC has hired a chief information security officer and made progress in certifying and accrediting its systems, a process that it expects to complete in fiscal 2009, Ash said.

The NRC will test its systems contingency plans by the end of June, and it has linked that requirement to senior executives’ performance reviews.

The agency also plans to have the State Department provide security awareness training to its employees under the Office of Management and Budget’s Information Systems Security Line of Business initiative.

— Mary Mosquera