FEDERAL EXECUTIVE FORUM SPECIAL ISSUE CYBER SECURITY Presented by
March 9, 2007 • Volume 5 • Number 2
The FISMA Leader
Dr. Ron Ross, NIST
“My role at NIST is to lead the FISMA implementation project,” says Dr. Ron Ross, Chief Computer Scientist at NIST. “That’s the group that develops all of the implementing security standards and guidelines that the Federal government needs to employ to be FISMA compliant.”
Ross’s areas of specialization include security requirements definition, security testing and evaluation, and information assurance, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure.
“The biggest priorities for NIST are to deal with getting all the basic standards and guidance documents out and completed. We’ve been working since the legislation was passed in 2002, signed by the president in 2003,” says Ross.
“We’ve been working to develop a whole series of standards and guidelines, and those standards and guidelines are implemented within what we call a risk management framework, and so we are trying to get all the basic pieces in place.”
Some of his recent publications include FIPS Publication 199 (the security categorization standard), FIPS Publication 200 (the minimum security requirements standard), NIST Special Publication 800-53 (the security controls guideline), NIST Special Publication 800-53A (the security assessment guideline), and NIST Special Publication 800-37 (the system certification and accreditation guideline).
Dr. Ross is also the architect of the risk management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.
“Once we have all the basic pieces in place, then we’ll go into our FISMA phase two which is going to deal with credentialing organizations that will want to offer security services to our Federal agencies,” Ross explains.
Breadth and Depth
NIST security guidelines talk about security controls and address the breadth and depth of controls, including management, operational, and technical controls. The result is personnel security, physical security and the technical types of security all rolled into one control set.
Embracing these guidelines demands that the organization’s senior leadership understand who is responsible for each one of those control areas. “To make sure the controls are actually implemented, assessed for effectiveness, and then you assume whatever risk that actually comes about after you do that process really depends on the leadership at the top to make sure the coordination takes place across the entire spectrum,” Ross notes.
FISMA Gains and Misconceptions
On the subject of FISMA, Ross feels that the government is finally getting it. “I think we are getting better. Over the last couple of years, organizations within the Federal government are now starting to employ these basic security standards and guidelines, which really represent a set of very strong controls for these information systems,” Ross says. “That is a level of due diligence which I don’t think we’ve had before.”
FISMA mandates a standard of due diligence that relies on a fundamental set of controls that can be counted on in every Federal system, with every organization looking at its own risk tolerance and adding controls to protect the mission. “To me we are making great strides, because that fundamental set has never been there before and it is now.”
Ross warns that just because you have a 100% score on your FISMA scorecard doesn’t mean that you are in the clear. “I think there’s a misconception that when you get all of your systems certified and accredited that everything’s OK and the next day you have a breach and then you wonder why it happened,” says Ross.
According to Ross, the certification and accreditation (C&A) process is just an orderly and structured process by which you can understand what controls are in place and where your deficiencies are; the real work is managing the residual vulnerabilities that remain in every system and being comfortable that the mission is not in jeopardy.
“So that’s the test. You can certify and accredit every system and still get breaches, but it’s understanding that risk to your mission that’s really the key point,” adds Ross.
A Respected Scholar
Dr. Ross is a frequent speaker at public and private sector venues including federal agencies, state and local governments, and Fortune 500 companies. In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security.
Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. A 1973 graduate of the United States Military Academy at West Point, Dr. Ross served in a variety of leadership and technical positions during his twenty-year career in the United States Army.
While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on a national information security project and was awarded the Defense Superior Service Medal upon his departure from the Agency. During his military career, Dr. Ross served as a White House aide and as a senior technical advisor to the Department of the Army. Dr. Ross is a graduate of the Program Management School at the Defense Systems Management College and holds both Master’s and Ph.D. degrees in Computer Science from the United States Naval Postgraduate School.
Learn more about NIST and what it offers at www.nist.gov
Building The Trust Model
Patti Titus, TSA
Patti Titus is the Chief Information Security Officer (CISO) at the Transportation Security Administration. Her duties have been to create, implement and maintain a robust IT Security Program for TSA.
“At TSA I was charged in the early days with standing up and developing an IT security office,” explains Titus. “We had the absolute pleasure of designing that based on the NIST standards, so we are probably one of the few organizations that are solely based on NIST because we are such a new organization.”
Recently Titus’s IT Security Program rated a FISMA score of "A" according to the DHS grading methods. She also works with the CISO at the Department of Homeland Security, Mr. Robert West, as an Information Systems Security Manager. Prior to joining TSA, Ms. Titus was assigned as a Technical Advisor to the Deputy CIO at the Department of Treasury.
“Part of the role of the CISO is also looking at the transportation sector, so we are starting to branch off into that area, taking what we have learned within TSA and moving that into the sector itself, so we are looking forward to that challenge as we grow and mature further.”
Making FISMA Operational
One of Titus’s most critical roles is making FISMA operational. “FISMA is a set of standards and guidelines,” explains Titus, “but the task is to take them and put them into a full complement of risk management strategies.”
“Then we need to be able to take that and assimilate that information and make it digestible to the executive leadership to say these are the critical areas that we need to look at protecting.”
One of the other challenges that Titus faces is that TSA is a fully managed service organization. “Our infrastructure is in that managed service environment. It is a challenge, but it has been key to the success of TSA’s active security program.”
One of the challenges of any managed service program is how you manage this “multisector or blended” workforce. For the government-employee part of it, that means identifying which functions are inherently governmental. What is inherently government?
“It is building the verified piece of the trust model, and I think that has also been key to building the program and making it successful,” says Titus. “We are looking forward to taking that model and methodology out to the private sector and making sure that the great work that we’ve done at TSA can also be replicated to our private industry partners.”
For Titus this also means marketing what she is doing to senior leaders. “I think education is probably one of the critical factors. Being able to articulate what you are trying to do is, I think, really one of the key successes for the program,” Titus notes. “I used to be a VP of sales and marketing so I can bring that marketing slant to it and be able to take my knowledge as a subject matter expert and then market it at the different senior levels, which has been very helpful.”
USAID: Worldwide Coverage
Phil Heneghan, USAID
“My role there as the Chief Information Security Officer also includes the role of Chief Privacy Officer, obviously the two are greatly connected,” says USAID’s Phil Heneghan. “We are a small enough agency that it’s all in one place. On the other hand we are a worldwide organization with offices in 80 countries around the world, so the security challenge is pretty unique.”
Serving a worldwide organization has its challenges. “[The challenge] we have is actually gathering the metrics to give the business executives to make decisions about risk,” explains Heneghan. “We’ve adopted the NIST FISMA guidance which actually is all risk based and drives the decisions, the business decisions, away from the technical arena and now business can own this.”
Heneghan is constantly gathering metrics and reporting monthly about the status of systems to about 100 senior executives within the agency and around the world including the CFO and the director of HR.
“They are constantly informed and they can make decisions. But because the threat is constantly changing, we are constantly gathering new metrics and yet you have to feed it up to the executives in a way that they can digest and make intelligent business decisions so that is the primary challenge,” adds Heneghan.
Assigning Risk
FISMA mandates C&A for all agency systems. So, who is responsible if systems are not up to snuff? At USAID Heneghan says the C&A grading process changed about four years ago. The CISO for the CIO certifies all the systems. “What that means to everyone is that we can accept all the risks identified to the enterprise, but all the accreditation is done by the business owners.”
Shifting the risk also had another benefit. “What I found when we shifted that risk, the resource issues sort of started to go away,” says Heneghan.
“Because when the CFO was confronted with accepting these risks, or not, the money appeared to do that. It’s the same with all these other systems. So again, you are driving the business people; they were ready to bring the money to the table to avoid accepting these risks.”
Accepting the risks means improving coordination at USAID. With locations around the world, including Iraq and Afghanistan, USAID follows some pretty clear standards and metrics because it has to deal with the physical security side as well as the personnel security up front.
“We have in fact used the NIST guidance for operational and managerial controls. And that is the criteria that our office of security uses and any deviations from that are actually dealt with at a fairly senior level in the agency which hires the CISO, but again it’s a lot of coordination so that we are all in tune,” adds Heneghan.
Heneghan thinks FISMA itself actually has given the agency the support it needs to secure its systems. “The fact that the Hill has been grading everybody on IT security has put that out in the forefront. I think that when FISMA was first passed, everybody just said we can never do it all. And in fact you can’t do it all unless you really look at things and prioritize in a risk-based process. And NIST has put out good guidance to help us do that.”
Attack-Based Metrics
“We take a proactive view of the things that matter the most, what we call attack-based metrics,” says Dennis Heretick, Deputy CIO for Information Security at Justice. “They give you a chance to learn from experience what has been successful so at least you are mitigating those successful attacks first -- those things that would have that direct impact on the mission.”
Thwarting attacks is an everyday occurrence for cyber security professionals as they guard against a constant barrage of threats and a potential digital Pearl Harbor.
“We have a SWAT team approach at Justice,” declares Heretick. “We start with our cyber security assessment and management tool which gives us a way to take the threats that we had and look specifically at the controls that mitigate those that have a direct impact on our mission.” The team then prioritizes those at the top versus those that don’t have a direct impact.
Heretick’s role at Justice includes being responsible for the agency-wide IT security program. That includes requirements for risk negation, as well as implementation strategies and performance.
Trust Relationship
“Law enforcement today especially requires sharing information with other agencies, with customs, with a great number of people,” explains Heretick. “To do our mission, it requires sharing and to do that you have to have a trust relationship. That means you need to know the requirements so we can best implement the type of controls that give us the business data.”
According to Heretick, it’s not just about implementing controls but prioritizing those based on the mission. Characteristics of the business are “we do a lot of planning, we do system security planning, we do certification and accreditation, we do testing, evaluation, with a priority on actually implementing security.”
The result is a focus on being very effective at planning and compliance, and doing that in a way that gives Justice the ability to emphasize implementing its mission priorities and getting business value.
Attention To Mission Requirements Please
At Justice IT security gets a lot of attention. “I think the challenge is to focus that attention on actionable things that clearly support your mission requirements,” says Heretick. “As soon as you get off doing things just for the sake of requirements, you are going the wrong way. You must relate and channel that attention into effectively supporting the mission of IT security solutions. I think that’s the key.”
“Your priorities can’t just be some priorities; you have to have priorities in each one of those areas. You can’t do everything all at one time, but you need to look across a broad spectrum or everything you are not looking at will be the way that you fail,” explains Heretick.