Contractor Responsibilities under the Federal Information Security Management Act of 2002 (FISMA) - Presentation Transcript
Risk Management: Contractor Responsibilities under the Federal Information Security Management Act of 2002 (FISMA) January 21, 2009
Agenda
Why contractor security implementation is important - from the perspective of a lawyer and an information security officer
Legislative history of FISMA and FISMA contractor provisions
Agency difficulties in effectively obtaining contractor compliance with FISMA
Recent legislative initiatives to address shortcomings related to contractor compliance
Tips for contractors
A “Unified Approach” to compliance
Why Contractor Security is Important - from the perspective of a lawyer and an information security officer
Contractor Risks: People
Source: INFORMATION SECURITY: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk, GAO-05-362, p. 13 (General Accountability Office, April 2005) (hereinafter “GAO Contractor Risks”)
Category: People. Risk descriptions:
Inadequate segregation of duties (e.g., the software developer is the same individual who puts the software into production).
Contractor or privileged users of federal data and systems who may not receive appropriate, periodic background investigations.
Unauthorized personnel having electronic access to agency IT resources (including systems and data).
Increased use of foreign nationals.
Unauthorized personnel having physical access to agency IT resources (including systems, facilities, and data).
Contractor Risks: Processes
Source: GAO Contractor Risks, p. 13
Category: Processes. Risk descriptions:
Contractor or privileged users of federal data and systems may have ineffective patch management processes.
Lack of effective compliance monitoring of contractors performing work off-site or of privileged users of federal data and systems.
Possible disclosure of agency-sensitive information to unauthorized individuals or entities.
Failure by contractor or privileged users of federal data and systems to follow agency IT security requirements.
Contractor Risks: Technology
Source: GAO Contractor Risks, p. 13
Category: Technology. Risk descriptions:
Intentional or unintentional introduction of viruses and worms.
Encryption technology may not meet federal standards.
Incorporation of unauthorized features in customized application software. For example, a third-party software developer has the potential to incorporate “back doors,” spyware, or malicious code into customized application software that could expose agency IT resources to unauthorized loss, damage, modification, or disclosure of data.
Contractor Risks: Legal
FISMA Legal Requirements
Government Contracts
Mandatory Disclosures
Federal Information Processing Standards
OMB Mandates and Standards
Other legal
Government Contractor Defense
Subcontract Issues
2. Legislative history of FISMA and FISMA contractor provisions: Despite FISMA Language, Primary Focus Has Been on Federal Agency Compliance
Legislative History
1987 Computer Security Act
1995 Paperwork Reduction Act
1996 Information Technology Reform Act
2000 Government Information Security Reform Act (GISRA)
2002 Federal Information Security Management Act (FISMA)
2008 S. 3474, FISMA Act of 2008 (2009)?
OMB Circular No. A-130
Appendix III, Security of Federal Automated Information Resources
Makes it mandatory for agencies and departments to implement the requirements of the Computer Security Act of 1987 and the Federal Information Security Management Act of 2002 (FISMA):
all federal information systems to have security plans
systems to have formal emergency response capabilities
a single individual to have responsibility for operational security
security awareness training to be available to all government users and administrators of the system
regular review and improvement of contingency plans for the system
This OMB Circular was essentially codified to create GISRA, but it is still relevant under FISMA.
FISMA
The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law in 2002
FISMA was passed as part of the E-Government Act of 2002 (Pub. L. No. 107-347)
Codified at 44 U.S.C. § 3544 et seq.
FISMA Continues GISRA Framework
GISRA, which expired in 2002, provided the framework for FISMA
Introduced annual review and reporting
Recognized that at its core, security was an essential management function
Emphasized accountability
Moved responsibility to agency program officials to secure systems that support their operations and assets
FISMA New Provisions
FISMA included many new provisions:
Directs NIST to develop security guidelines
Stronger emphasis on configuration management
Codifies requirement for ensuring continuity of system operations
Development and maintenance of an inventory of major information systems, including contractor-run systems
FISMA Compliance Oversight
OMB
Develops and oversees implementation of government-wide policies and procedures, standards and guidance for the Federal government’s IT security program
Issues IT security policies
OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
NIST Standards and Special Publications
Oversight and Enforcement
IT Budget Submissions
Annual Agency and IG FISMA Reports to OMB
Agency remediation efforts through Plans of Action and Milestones (POA&Ms)
Quarterly updates from agencies
Progress on security weaknesses remediation
Performance against key IT security measures
Assessment of agencies’ IT security status and progress through their E-Government Scorecard
Annual Report to Congress
FISMA Security Program Elements
Risk Analysis. Periodic assessments of risk and harm to information systems and processed information.
Policies and Procedures. Creation and implementation of policies and procedures that reduce the identified risks to an acceptable level in a cost-effective manner. Policies and procedures are to address information security throughout the lifecycle of each agency information system. The policies and procedures are to be drafted in a manner that “ensures compliance” with FISMA and may be prescribed by the Director and NIST. They are to include minimally acceptable system configuration requirements as determined by the agency and any other applicable requirements, including standards and guidelines for national security systems as directed by the President.
Technical Security. Plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate.
FISMA Security Program Elements, Cont’d
Security Awareness Training. This part of the program is designed to inform persons who use information systems, including personnel, contractors and other users, of the information security risks associated with their activities and of their responsibilities to comply with agency policies and procedures that reduce those risks.
Testing and Evaluation. Periodic testing and evaluation of the effectiveness of the information security policies, procedures and practices is to be performed with a frequency based on risk, but no less than annually. This testing shall include testing of the management, operational and technical controls of every information system identified in the inventory.
Incident Detection and Response Procedures. Incident detection and response are to be consistent with NIST guidance, including methods to mitigate risks before substantial damage is done and notification of the federal information security incident center, law enforcement, the Inspector General, and an office designated by the President if the incident involves a threat to national security systems.
Disaster Recovery and Business Continuity. The security program should also include plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
NIST Risk Management Framework (Security Life Cycle)
Start: Categorize Information System (FIPS 199 / SP 800-60 R1)
Select Security Controls (FIPS 200 / SP 800-53 R2)
Supplement Security Controls (SP 800-53 R2 / SP 800-30)
Document Security Controls (SP 800-18 R1)
Implement Security Controls (e.g., SP 800-70 R1)
Assess Security Controls (SP 800-53A)
Authorize Information System (SP 800-37)
Monitor Security Controls (SP 800-37 / SP 800-53A), then return to the start of the cycle
Agency Grades Improving, But Still Lacking
FISMA Contractors Provisions
OMB Director/Agency head
Shall oversee/be responsible for providing agency information security policies and procedures…requiring agencies… to identify and provide information security protections ... [for]
information collected or maintained… on behalf of an agency or
information systems used or operated … by a contractor of an agency or other organization on behalf of an agency .
OMB: 44 U.S.C. §3543(a)(2)(A) and (B); Agency Head: 44 U.S.C. §3544(a)(1)(A)
Agency Program: Each agency shall develop, document and implement an agencywide information security program…to provide information security for the information or information systems that support operations and assets of the agency, including those managed by … a contractor. 44 U.S.C. §3544(a)(1)(A)
“Information System”
… a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. 44 USC §3502(8)
… a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. Circular No. A-130 Para. 6
“Federal Information System”
… an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
40 U.S.C. 11331(g)
Not Subject to FISMA: “National Security System”
Means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency
The function, operation or use of which :
Involves :
intelligence activities
cryptographic activities related to national security
command and control of military forces
equipment that is an integral part of a weapon or weapons system,
Is critical to the direct fulfillment of military or intelligence missions (does not include a system that is to be used for routine administrative applications, including payroll, finance, logistics and personnel management, which is subject to FISMA)
Is protected at all times by procedures established for information that have been classified in the interest of national security or foreign policy
FISMA’s Broad Applicability
Otherwise, FISMA applies to all information and information systems
Agency IT security programs apply to all organizations or sources which possess or use federal information on behalf of the federal agency
i.e., those which operate, use, or have access to Federal information systems
This follows longstanding OMB policy concerning sharing government information and interconnecting systems
i.e., Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls
3. Agency difficulties in effectively obtaining contractor compliance with FISMA: Wide Variance in How Agencies Handle Contractors
FISMA Applies to Contractors, but How Do We Do It?
No certainty about the number and location of contractors (Where? How many?)
Inconsistent contractual requirements (What have we agreed to do?)
Lack of clear guidelines (How are we doing?)
Variance in how contractors manage risk
Could lead to information security risks…
FISMA Definitions: “Information Security”
Information security means protecting
information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
confidentiality , which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
integrity , which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
availability , which means ensuring timely and reliable access to and use of information
Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems
Risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system
Provide adequate information security for networks, facilities, and systems or groups of information systems
Security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency
Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency’s required inventory of major information systems
A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency
Incident response procedures for detecting, reporting, and responding to security incidents and
COOP Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency
44 USC §3544(b)
Some Insights from Contractors
Most RFPs simply require contractors to “comply with all FISMA requirements” or reference that “all FISMA documentation must be provided to the Government”
“At that point, each agency takes radically different courses of action. Some are extremely disciplined, others very lax. While I have submitted identical documentation to multiple federal customers, I have had differing reactions based on the ISSM and up through their chain to the DAA.”
“Some are more concerned about the formatting of the documents than the content. Some just want to see some words (almost regardless of what they say) against each control category.”
Common RFP language
“Contractor(s) shall ensure that information systems and facility are operated in accordance with the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. §3541, et seq.”
DOT Contract RFP
Compare this with a recent DOT contract RFP, which contains 19 pages of “Security Requirements” specifying 17 management, operational and technical “security areas”:
Access control;
Awareness and training;
Audit and accountability;
Certification, accreditation, and security assessments;
Configuration management;
Contingency planning;
Identification and authentication;
Incident response;
Maintenance;
Media protection;
Physical and environmental protection;
Planning;
Personnel security;
Risk assessment;
Systems and services acquisition;
System and communications protection; and
System and information integrity.
DOT Contract RFP, Cont’d
Specifies OMB Memoranda
M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
M-06-16, Protection of Sensitive Agency Information
M-06-15, Safeguarding Personally Identifiable Information
M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
DOT Contract RFP, Cont’d
Specifies Federal Information Processing Standards (FIPS):
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 140-2, Security Requirements for Cryptographic Modules
DOT Contract RFP, Cont’d
Specifies the following NIST special publications:
SP 800-18, Guide for Developing Security Plans for Federal Information Systems;
SP 800-34, Contingency Planning Guide for Information Technology Systems;
SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-53, Recommended Security Controls for Federal Information Systems;
SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems
SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-61 Computer Security Incident Handling Guide; and
SP 800-64, Security Considerations for the Information System Development Life Cycle
DOT Contract RFP, Cont’d
“The Contractor(s) may consult with the …Information System Security Officer (ISSO) for guidance on the applicability of these and other publications in these series not herein identified.”
Consultation is a Good Idea: Many Terms Redundant and Confusing
IT Security Plan
Personnel Screening
Personnel Training
Security Site Assessment (Physical)
Annual Self Assessment
Contingency planning/testing
Monthly Scan
Cleansing, removal, and destruction of IT Equipment
PII controls (at rest and in transit encryption)
Access Controls (User ID/Password)
Third Party Certification and Accreditation (C&A)
IT Security Plan Developed within 30 days of contract award
Security Site Assessment
Annual System Self Assessment
Continuity of Operations Planning (COOP)/Disaster Recovery (DR)
Incident Response Program
Security Awareness
Rules of Behavior
Contractor Employee Report
Agency Scans – HIGH, MODERATE, LOW
Improving Contractor Compliance with FISMA
Increase Oversight of Contractor Systems
Improve Inventory of Contractor-Run Systems
Contractually Impose Compliance
Inventory of Systems
FISMA continues the Paperwork Reduction Act requirement to develop and maintain an inventory of major information systems (including national security systems) that are operated by or under the control of the agency, including those operated by contractors
“Without complete and accurate inventories, agencies cannot effectively maintain and secure their systems.”
Source: INFORMATION SECURITY: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies, GAO-08-571T, p. 16 (General Accountability Office, March 12, 2008) (hereinafter “FISMA Deficiencies Persist”)
Information System Inventory: 22 of 25 IGs reported the inventory as 80% complete
Systems / Impact Level     FY 2005   FY 2006   FY 2007
Agency Systems               9,184     9,388     8,993
  High                       1,646     1,367     1,089
  Moderate                   2,497     3,174     3,264
  Low                        4,456     4,516     4,351
  Not Categorized              585       331       229
Contractor Systems           1,105     1,207     1,105
  High                         121       236       295
  Moderate                     513       397       252
  Low                          334       205       168
  Not Categorized              384       369       390
FY 2007 OMB Annual Report
4 of 25 agency IGs indicated they do not generally agree with the number of contractor information systems identified in the inventory.
The overall inventory decreased by 3 percent from the prior year.
Inventory fluctuations were reported by several agencies, including significant inventory decreases at Treasury, NASA, and DHS
Large fluctuations in FISMA inventories, both upwards and downwards, are an indication of immaturity or instability in an agency’s process for identifying systems that should be included in the inventory
The inventories of a few agencies dipped for the annual reporting cycle, and then rose again in the first quarter FISMA report, with a subsequent decrease in C&A rates
Primary Methods for Imposing Contractor Compliance
Using contract language to establish information security requirements
Provide clear guidance to contractors on what they must do to comply
Federal Acquisition Regulations
The FAR
provides the primary regulation for federal executive agencies in their acquisition of IT supplies and services with appropriated funds
emphasizes planning
includes certain specific information security requirements
FAR 52.239-1
52.239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following:
Privacy or Security Safeguards (Aug 1996)
(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
Problems with FAR 52.239-1
Does not address key aspects of an information security program, e.g.:
Planning, implementing, evaluating and documenting remedial actions to address deficiencies
Periodic testing and evaluation of security program
Detecting, reporting and responding to security incidents
Business continuity and disaster planning
Does not apply to subcontractors
2005 FAR Amendments
Adds the stipulation that, when buying goods and services, contracting officers shall seek advice from specialists in information security (FAR 7.103(u))
Adds a definition for the term ‘‘Information Security’’ (FAR 2.101)
Incorporates security requirements in acquisition planning and when describing agency needs (FAR 11.102 and 39.101)
Requires adherence to Federal Information Processing Standards (FIPS) (FAR 11.102)
Revises the policy in FAR 39.101 to require including the appropriate agency security policy and requirements in information technology acquisitions (FAR 39.101(d))
PART 39—ACQUISITION OF INFORMATION TECHNOLOGY FAR 39.101
39.101 Policy.
* * *
(b)(1) In acquiring information technology, agencies shall identify their requirements pursuant to—
(i) OMB Circular A-130, including consideration of security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency; and
* * *
(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.
PART 7—ACQUISITION PLANNING FAR §7.103(u)
7.103 Agency-head responsibilities.
* * * *
(u) Ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB’s implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce’s National Institute of Standards and Technology.
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(17) * * * For Information Technology acquisitions, discuss how agency information security requirements will be met.
* * * * *
PART 11—DESCRIBING AGENCY NEEDS FAR 11.102
11.102 Standardization program.
Agencies shall select existing requirements documents or develop new requirements documents that meet the needs of the agency in accordance with the guidance contained in the Federal Standardization Manual, FSPM-0001;
for DoD components, DoD 4120.24-M, Defense Standardization Program Policies and Procedures;
and for IT standards and guidance, the Federal Information Processing Standards Publications (FIPS PUBS).
Does the 2005 FAR Go Far Enough?
Emphasizes planning, not implementation
Does not include task or delivery orders issued pursuant to contracts
Emphasizes technology, not security management
Requires adherence to FIPS, but does not bring in all of the NIST guidance
Does not address agency oversight
Another Contract Issue: Interconnection Security Agreement
Documents specific technical and security requirements for connecting IT systems from different organizations, such as between a federal agency and a contractor or between a federal agency and other users with privileged access to federal data and systems.
In 2005 most of the agencies did not have policies or provide guidance on key areas, including control of agency data in an off-site facility or requirements for interconnection security agreements
RFP provisions not clear: “The contractor shall be responsible for IT security for all systems operated by or connected to a DOT network, regardless of location.”
Oversight of Contractor Compliance
OMB asked IGs to confirm whether the agency ensures that information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy, and NIST guidelines
Training
Agencies did not ensure that all information security… contractors, including those who have significant information security responsibilities, received sufficient training
Oversight through Policies and Procedures
In 2005, most agencies reported having written policies covering contractors with privileged access, but few had established oversight of contractor compliance
22 of the surveyed agencies reported having information security policies for contractors
15 reported having policies for other users with privileged access to federal data and systems
The policies did not define information security oversight requirements, and did not include:
description of oversight methods
the frequency of reviews or assessments
key management controls to mitigate unauthorized disclosure of information
physical/logical access controls or
the introduction of unauthorized features
Agencies did not have policies or provide guidance on key areas, including control of agency data in an off-site facility or requirements for interconnection security agreements
Source: GAO Contractor Risks, p. 17
4. Recent legislative initiatives to address shortcomings related to contractor compliance: Finally Some Guidance?
FISMA Act of 2008
S. 3474, if passed, would:
turn the current FISMA requirement for an annual compliance "evaluation" into a mandatory yearly "audit" of data security practices at each agency
require that an audit include "a conclusion as to whether the agency's information security controls are effective, including an identification of any significant deficiencies in the controls"
FISMA Act of 2008 (cont’d)
require agencies to create a Chief Information Security Officer and create an interagency Chief Information Security Officer Council, to provide data security best practices guidance
require agencies to continuously monitor their information networks for malicious activity
require the DHS to provide annual reports to Congress on cybersecurity operational evaluations and testing protocols employed by each federal agency
FISMA Act of 2008: Contractor Requirements
Would require that, within 180 days of enactment, OMB, in consultation with NIST, propose information security regulations governing contracts
Contracts to include:
task and/or delivery orders issued pursuant to contracts
Between the federal government and any individual, corporation, partnership, organization, or other entity that interfaces with an information system of an agency or collects, stores, operates, or maintains information on behalf of the agency
FISMA 2008: Regulations
Regulations to be promulgated shall specify requirements concerning:
adequacy and effectiveness of the security of information systems
the collection and transmission of information, including personally identifiable information
procedures in the event of a security incident
FISMA Act of 2008: Status
The "Federal Information Security Management Act of 2008" (S. 3474), was introduced Sept. 11 Sens. Thomas Carper (D-DE) and Norm Coleman (R-MN), Committee Chairman Joseph Lieberman (I-CT), and Ranking Minority Member Susan Collins (R-ME)
The legislation was approved Sept. 23 by the Senate Committee on Homeland Security and Governmental Affairs, without amendment on a voice vote
58
Impact on Contractors
If passed, the legislation will:
help to identify contractors that must comply with FISMA
impose clear contractual requirements on contractors
provide clearer compliance guidelines
improve agency oversight
enhance OMB reporting
5. Tips for Contractors: Some Considerations in an Uncertain Environment
Tips for Contractors
Get a head start by implementing basic FIPS/NIST requirements
Align FISMA requirements with current information security and privacy compliance programs
Keep up with developments in FISMA and FIPS/NIST provisions
As early as possible, clarify or negotiate information security terms in RFPs and contracts with agency personnel (e.g., the ISSO)
Work closely with the agency throughout the C&A process
6. A Unified Approach to Compliance: Integrate all state, national and international legal requirements into the security and privacy program
Remember All of Your Security and Privacy Compliance Requirements
GLBA, HIPAA, State, International, FISMA, ISO, NIST, FIPS, OECD, AICPA
Follow a UNIFIED APPROACH to Compliance
Thank You! Questions?
M. Peter Adler, Direct 202.220.1278, Mobile 202.251.7600, Direct Fax 800.684.2749, [email_address]
Michael A. Hordell, Direct 202.220.1232, Mobile 703.927.0769, Direct Fax 202.318.4527, [email_address]
Email Brian Dolan at [email_address] for a copy of today’s presentation or with questions for any of our speakers.