FISMA, Phase II
The mission: develop and implement a standards based organizational credentialing program for public and private sector entities to demonstrate core competencies for offering security services to federal agencies.
FISMA, Phase II embraces the paradigm shift from policy-based compliance to risk-based mission protection. The former dictates requirements, provides minimal flexibility and puts little emphasis on accepting risk.

With risk-based mission protection, enterprise missions and functions drive security requirements and associated safeguards/countermeasures; it is highly flexible in implementation; and it focuses on acknowledgement and acceptance of mission risk.

According to Dr. Ron Ross, Chief Computer Scientist at NIST and leader of the FISMA program, the transition from FISMA, Phase I to FISMA, Phase II is all about credentialing and system trustworthiness factors, including security functionality and the quality of the design, development, implementation and operation.

What you are looking for is security assurance, says Dr. Ross: the grounds for confidence that the claims made about the functionality and quality of the system are being met, established through independent assessments (e.g., analyses, testing, evaluation, inspections and audits) of the system conducted by qualified assessors.

A 5-Year Journey
“My role at NIST is to lead the FISMA implementation project,” says Dr. Ross. “That’s the group that develops all of the security standards and guidelines the Federal government needs to employ to be FISMA compliant.”

For the past 5 years, Dr. Ross and the Computer Security Resource Center (CSRC) team have been working to develop a whole series of standards and guidelines to be implemented, including the recently released NIST Risk Management Framework.

Trustworthy Information Systems are those worthy of being trusted to operate within defined levels of risk to organizational operations and assets.
“Once we have all the basic pieces in place, then we’ll go into our FISMA, Phase II, which for one thing is going to deal with credentialing organizations that will want to offer security services to our Federal agencies,” Dr. Ross explained. “Senior leadership needs to understand who is responsible for each one of those control areas and make sure coordination takes place throughout the enterprise.”

FISMA Gains and Misconceptions
Dr. Ross feels that the government is finally getting FISMA. “I think we are getting better. Over the last couple of years agencies have started to employ these basic security standards and guidelines with a set of very strong controls,” Ross says. “That is a level of due diligence which I don’t think we’ve had before.”

FISMA mandates a standard of due diligence that relies on a fundamental set of controls that can be counted on in every Federal system, with every organization looking at its own risk tolerance and adding controls to protect the mission. “To me we are making great strides, because that fundamental set has never been there before and it is now.”

Ross warns that just because you have a 100% score on your FISMA scorecard doesn’t mean that you are in the clear. “I think there’s a misconception that when you get all of your systems certified and accredited that everything’s OK and the next day you have a breach and then you wonder why it happened,” says Ross.

According to Ross, the certification and accreditation (C&A) process is simply an orderly, structured process for understanding what controls are in place and where your deficiencies are; the real work is managing the residual vulnerabilities that remain in every system and being comfortable that the mission is not in jeopardy.

“So that’s the test. You can certify and accredit every system and still get breaches, but it’s understanding that risk to your mission that’s really the key point,” adds Ross.

Phase II: Now Through 2010
According to Ross, Phase II’s mission is to “develop and implement a standards based organizational credentialing program for public and private sector entities to demonstrate core competencies for offering security services to federal agencies.” Ross made his remarks at the 2007 Federal Information Assurance Conference (FIAC).