On March 20, 2013, a House of Representatives panel approved and sent to the full House legislation to change the Federal Information Security Management Act (FISMA), the law that governs IT security in the federal government.
The Federal Information Security Amendments Act of 2013 (H.R. 1163) unanimously passed the House Oversight and Government Reform Committee. While government agencies and commercial enterprises have rallied around the passage of the bill, since these changes are long overdue, a closer examination of the information security marketplace (blogs, press releases, conference notes, vendor materials, etc.) indicates that there may be major misconceptions about the provisions the new amendments actually offer.
The intent of this white paper is to dispel the misconception that the paper-based checklist approach to IT security will no longer be required; in other words, the belief that the system security plan (SSP), the security assessment report (SAR), and the other supporting evidence needed for a robust and sound demonstration of IT security will no longer be required, and that an organization should rely only on automated continuous threat monitoring.
Let us take a quick look back at the original FISMA. The E-Government Act (Public Law 107-347), passed by the 107th Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide information security for the information systems that support their operations and assets. In actual implementation, FISMA requires a standardized approach to security assessment, authorization, and continuous monitoring. FISMA relies on a paper-based process to evaluate effectiveness and offers limited provisions for automation support. The FISMA approach does have merit in that it follows the principle that what gets measured gets done.
One of the key provisions of the Federal Information Security Amendments Act of 2013 (the bill) is the use of automated continuous monitoring to support threat assessment and the management of assets. Unfortunately, this provision itself has become the source of a major misconception. The misconception is further fueled by dissatisfaction with the Federal government's heavy emphasis on the paper-based monitoring associated with FISMA, and by the constraints FISMA has placed on CISOs in implementing IT security to improve their organizations' security posture.
Let us examine the bill in detail. While the bill recognizes that technology has evolved to offer a myriad of automated solutions for managing threats, it does not state that automated solutions are the only approach. This position is reiterated several times throughout the bill, starting with the first stated purpose of the bill, where it lists the purposes of the subchapter (related to the amendments):
“(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;”
The bill introduces no changes to the National Institute of Standards and Technology (NIST)'s responsibility to prescribe standards and guidelines pertaining to Federal information systems. The bill also provides no additional guidance on the definition of "comprehensive framework", unlike other terms such as "automated and continuous monitoring". The absence of such details implies that the bill intends for the current Risk Management Framework (RMF, NIST Special Publication 800-37 Revision 1), as defined and implemented under the original authority (i.e., section 11331 of Title 40), to remain fully in effect. The NIST RMF provides a comprehensive approach to implementing an organization-wide IT security program. The framework maintains the ongoing need for key deliverables such as the SSP and SAR, which risk executives and authorizing officials use to evaluate and sign off on the risk posture of the organization's systems.
The bill proposes significant changes to the responsibilities of Chief Information Security Officers (CISOs). According to BankInfoSecurity's article, "7 Duties for CISOs under FISMA Reform", these include:
- Overseeing the establishment and maintenance of a security operation that through automated and continuous monitoring can detect, contain and mitigate incidents that impair information security and agency information systems;
- Developing, maintaining and overseeing an agencywide information security program;
- Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
- Training and overseeing personnel with significant responsibilities for information security;
- Assisting senior agency officials on cybersecurity matters;
- Ensuring the agency has a sufficient number of trained and security-cleared personnel to assist in complying with federal cybersecurity law and procedures;
- Reporting at least annually to agency executives the effectiveness of the agency information security program; information derived from automated and continuous monitoring, including threat assessments; and progress on actions to remediate threats.
In defining the new responsibilities and other requirements, the bill uses language so as not to interfere with or override the applicable standards and guidelines from NIST. With regard to the new responsibilities for CISOs, the bill stipulates that, although CISOs have greater latitude to implement and shape the organization's security policies, procedures, and operations, they must still ensure compliance with the standards and guidelines established under Section 11331 of Title 40.
This expectation places CISOs back in the same position of having to demonstrate compliance with a security framework that, to some extent, was originally designed to support a risk management approach using a combination of paper-based processes and technology automation. Similar observations can be made about Section B of the bill with regard to the implementation of an organization-wide information security program.
The bill specifies that the program must comply with the standards and guidelines defined under Section 11331 of Title 40. The bill extends the same stipulation to the use of automated and continuous monitoring solutions, and points specifically to vulnerability assessments and penetration testing. Are these observations across the various areas of the bill purely by chance? What we do know is that no effective security program can be implemented without transparent policies, procedures, and metrics in place.
Documentation is not only essential to a successful security program; it also complements the program in ensuring its ongoing success. Automation can significantly enhance the security posture of an organization and, in some cases, may be more effective at producing results than work performed by individuals. An example of this is the use of the SANS Institute's 20 Critical Controls. These critical controls are technical in nature, and most, if not all, can be automated through commercial applications.
These critical controls allow government agencies and other large enterprises to focus their spending on the key controls that block known attacks and find the ones that get through. The critical controls complement the IT security program, but the controls are not the IT security program. Organizations should take care to include the operational and management controls as well, to ensure that the standards and guidelines can be met and a risk-based decision to authorize the system for use can be supported.
Another clue to the expectations under the bill can be found in the definition of "automated and continuous monitoring". According to the bill:
“The term ‘automated and continuous monitoring’ means monitoring, with minimal human involvement, through an uninterrupted, ongoing real time, or near real-time process used to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time with rapidly changing information technology and threat development.”
In practice, the complete set of planned, required, and deployed controls will vary with the security categorization of the information system. For every information system or resource, there will be multiple controls, particularly those in the operational and management classes, that cannot be implemented through automated monitoring solutions because they relate to policies or procedures (these are typically the xx-1 controls in the NIST SP 800-53 control set). In certain cases this is not limited to the xx-1 controls but extends to all the controls within a family, such as the AT and PM families, which are typically organization-wide controls. These controls require review by assessors to determine their effectiveness for the organization and the applicable information system.
Figure 1 - Distribution of Control Classes by Family
Figure 1 shows the distribution of the controls over the three classes by family. Even if at least half of the operational-class controls could be automated, that would still leave half of the control families to be evaluated by the organization without the use of any automation. This indicates that the bill has already taken into account the constraints of available technology, and that organizations are still expected to provide mechanisms to bridge the gap.
Another consideration that the bill may have taken into account (although it is not discussed) is the prevalent use of third-party conformity assessment processes by several government agencies, including:
- Federal Risk and Authorization Management Program (FedRAMP)’s Third-Party Assessment Organizations (3PAOs)
- Centers for Medicare and Medicaid’s Health IT
- Federal Communication Commission’s electronic devices
- Environmental Protection Agency’s WaterSense
- Consumer Product Safety Commission’s toy safety
To understand how conformity assessment affects a security program, let us examine FedRAMP in detail. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The process mirrors NIST's Risk Management Framework, but sets extensive expectations on cloud service providers (CSPs) for demonstrating compliance. Under this program, a CSP, sponsored by a government agency, must submit the security authorization package for its cloud offering to the FedRAMP Program Management Office (PMO) for review and consideration for Joint Authorization Board (JAB) authorization.
The package consists of a large number of key deliverables that serve as supporting evidence, providing full disclosure of the safeguards and controls implemented by the CSP to potential and existing CSP customers and to the government agency. The FedRAMP process requires the CSP to use a 3PAO to independently validate and verify that the CSP has met the FedRAMP security requirements. From the FedRAMP perspective, the documentation is a necessity both for assessing the CSP's compliance with the requirements and as the basis for the 3PAO assessment.
Along the same lines, the conformity assessment approach to compliance has also been employed by certified public accountants (CPAs) to report on controls at a private or public company that affect user entities' internal control over financial reporting (SOC 1), or on controls relevant to the security, availability, processing integrity, confidentiality, or privacy of its information systems (SOC 2).
These standards are more commonly known as Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. With very few exceptions, as highlighted by companies such as Enron, WorldCom, Adelphia, and Xerox, where internal controls or the independence of assessors either failed or were conflicted, this time-proven technique has shown itself to be acceptable and cost-effective, and has been widely used in the assessment of public and private companies' financial reporting for many years.
Another example of the conformity assessment approach is certification to ISO 9001:2008 or ISO 14001:2004, demonstrating an organization's compliance with the quality and environmental management standards of the International Organization for Standardization. All of these conformity assessment approaches rely on documentation as evidence of compliance with the standards.
In closing, organizations should embrace the Federal Information Security Amendments Act of 2013 as an enhancement to the existing FISMA process, one that integrates better technologies and solutions to streamline security management processes, and not as an elimination of the previous paperwork.
The outcome of the bill will be the same as that of FISMA: the security posture of the organization will improve. Organizations should not lose sight of the need to keep essentials such as documentation (i.e., the SSP and SAR) in place to provide the evidence demonstrating compliance with regulations, standards, and guidelines.
Risk management and compliance are a collection of activities, not any single activity alone. To that end, in the new era of the Federal Information Security Amendments Act of 2013, organizations should continue to maintain a robust and comprehensive security framework that integrates technology automation and business processes; neither one excludes the other.
Tuan Phan is the Vice President of Trusted Integration, Inc. in Alexandria, VA, where he has been responsible for the configuration, deployment, and training of TrustedAgent GRC for several government agencies and commercial enterprises.
He has also authored numerous articles on the validation and testing of information systems and processes for compliance with FDA-regulated standards, including 21 CFR Part 11, Part 210, Part 211, and Part 820. He can be reached on LinkedIn and on Twitter at @TrustedAgentGRC.