Contractor Responsibilities under the Federal Information Security Management Act of 2002 (FISMA)
Transcript

  • 1. Risk Management: Contractor Responsibilities under the Federal Information Security Management Act of 2002 (FISMA) January 21, 2009
  • 2. Agenda
    • Why contractor security implementation is important - from the perspective of a lawyer and an information security officer
    • Legislative history of FISMA and FISMA contractor provisions
    • Agency difficulties in effectively obtaining contractor compliance with FISMA
    • Recent legislative initiatives to address shortcomings related to contractor compliance
    • Tips for contractors
    • A “Unified Approach” to compliance
  • 3. Why Contractor Security is Important
    • from the perspective of a lawyer and an information security officer
  • 4. Contractor Risks: People
    • Category: People. Risk descriptions:
      • Inadequate segregation of duties (e.g., the software developer is the same individual who puts the software into production).
      • Contractor or privileged users of federal data and systems who may not receive appropriate, periodic background investigations.
      • Unauthorized personnel having electronic access to agency IT resources (including systems and data).
      • Increased use of foreign nationals.
      • Unauthorized personnel having physical access to agency IT resources (including systems, facilities, and data).
    Source: INFORMATION SECURITY: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk, GAO-05-362, p. 13 (General Accountability Office, April 2005) (hereinafter “GAO Contractor Risks”)
  • 5. Contractor Risks: Processes
    • Category: Processes. Risk descriptions:
      • Contractor or privileged users of federal data and systems may have ineffective patch management processes.
      • Lack of effective compliance monitoring of contractors performing work off-site or privileged users of federal data and systems.
      • Possible disclosure of agency-sensitive information to unauthorized individuals or entities.
      • Failure by contractor or privileged users of federal data and systems to follow agency IT security requirements.
    Source: GAO Contractor Risks, p. 13
  • 6. Contractor Risks: Technology
    • Category: Technology. Risk descriptions:
      • Intentional or unintentional introduction of viruses and worms.
      • Encryption technology may not meet federal standards.
      • Incorporation of unauthorized features in customized application software. For example, a third-party software developer has the potential to incorporate “back doors,” spyware, or malicious code into customized application software that could expose agency IT resources to unauthorized loss, damage, modification, or disclosure of data.
    Source: GAO Contractor Risks, p. 13
  • 7. Contractor Risks: Legal
    • FISMA Legal Requirements
      • Government Contracts
        • Mandatory Disclosures
        • Federal Information Processing Standards
        • OMB Mandates and Standards
    • Other legal
      • Government Contractor Defense
      • Subcontract Issues
  • 8. 2. Legislative history of FISMA and FISMA contractor provisions
    Despite FISMA Language, Primary Focus Has Been on Federal Agency Compliance
  • 9. Legislative History
    • 1987 Computer Security Act
    • 1995 Paperwork Reduction Act
    • 1996 Information Technology Reform Act
    • 2000 Government Information Security Reform Act (GISRA)
    • 2002 Federal Information Security Management Act (FISMA)
    • 2008 S. 3474, FISMA Act of 2008 (2009)?
  • 10. OMB Circular No. A-130
    • Appendix III, Security of Federal Automated Information Resources
    • Makes it mandatory for agencies and departments to implement the requirements of the Computer Security Act of 1987 and the Federal Information Security Management Act of 2002 (FISMA):
      • all federal information systems to have security plans
      • systems to have formal emergency response capabilities
      • a single individual to have responsibility for operational security
      • security awareness training to be available to all government users and administrators of the system
      • regular review and improvement of contingency plans for the system
    • This OMB Circular was essentially codified to create GISRA, but it is still relevant under FISMA
  • 11. FISMA
    • The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law in 2002
      • FISMA was passed as part of the E-Government Act of 2002 (Pub. L. No. 107-347)
      • Codified at 44 U.S.C. § 3544 et seq.
  • 12. FISMA Continues GISRA Framework
    • GISRA, which expired in 2002, provided the framework for FISMA
      • Introduced annual review and reporting
      • Recognized that at its core, security was an essential management function
      • Emphasized accountability
      • Moved responsibility to agency program officials to secure systems that support their operations and assets
  • 13. FISMA New Provisions
    • FISMA included many new provisions:
      • Directs NIST to develop security guidelines
      • Stronger emphasis on configuration management
      • Codifies requirement for ensuring continuity of system operations
      • Development and maintenance of an inventory of major information systems, including contractor-run systems
  • 14. FISMA Compliance Oversight
    • OMB
      • Develops and oversees implementation of government-wide policies and procedures, standards and guidance for the Federal government’s IT security program
    • Issues IT security policies
      • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
      • NIST Standards and Special Publications
    • Oversight and Enforcement
      • IT Budget Submissions
      • Annual Agency and IG FISMA Reports to OMB
      • Agency remediation efforts through Plans of Action and Milestones (POA&Ms)
      • Quarterly updates from agencies
        • Progress on security weaknesses remediation
        • Performance against key IT security measures
        • Assessment of agencies IT security status and progress through their E-Government Scorecard
    • Annual Report to Congress
  • 15. FISMA Security Program Elements
    • Risk Analysis. Periodic assessments of risk and harm to information systems and processed information.
    • Policies and Procedures. Creation and implementation of policies and procedures that reduce the identified risks to an acceptable level in a cost-effective manner. Policies and procedures are to address information security throughout the lifecycle of each agency information system. The policies and procedures are to be drafted in a manner that “ensures compliance” with FISMA and may be prescribed by the Director and NIST. They are to include minimally acceptable system configuration requirements as determined by the agency and any other applicable requirements, including standards and guidelines for national security systems as directed by the President.
    • Technical Security. Plans for providing adequate information security for networks, facilities and systems or groups of information systems, as appropriate.
  • 16. FISMA Security Program Elements, Cont’d
    • Security Awareness Training. This part of the program is designed to inform persons who use information systems, including personnel, contractors and other users, of the information security risks associated with their activities and of their responsibilities to comply with agency policies and procedures that reduce those risks.
    • Testing and Evaluation. Periodic testing and evaluation of the effectiveness of the information security policies, procedures and practices is to be performed with a frequency based on risk, but no less than annually. This testing shall include testing of the management, operational and technical controls of every information system identified in the inventory.
    • Incident Detection and Response Procedures. Incident detection and response are to be consistent with NIST guidance, including methods to mitigate risks before substantial damage is done and notification of the federal information security incident center, law enforcement, the Inspector General, and an office designated by the President if the incident involves a threat to national security systems.
    • Disaster Recovery and Business Continuity. The security program should also include plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
  • 17. NIST Risk Management Framework (Security Life Cycle)
    • Categorize Information System: FIPS 199 / SP 800-60 R1
    • Select Security Controls: FIPS 200 / SP 800-53 R2
    • Supplement Security Controls: SP 800-53 R2 / SP 800-30
    • Document Security Controls: SP 800-18 R1
    • Implement Security Controls: e.g., SP 800-70 R1
    • Assess Security Controls: SP 800-53A
    • Authorize Information System: SP 800-37
    • Monitor Security Controls: SP 800-37 / SP 800-53A
  • 18. Agency Grades Improving, But Still Lacking
  • 19. FISMA Contractors Provisions
    • OMB Director/Agency head
    • Shall oversee/be responsible for providing agency information security policies and procedures… requiring agencies… to identify and provide information security protections... [for]
      • information collected or maintained… on behalf of an agency, or
      • information systems used or operated… by a contractor of an agency or other organization on behalf of an agency.
      • OMB: 44 U.S.C. §3543(a)(2)(A) and (B); Agency Head: 44 U.S.C. §3544(a)(1)(A)
    • Agency Program: Each agency shall develop, document and implement an agencywide information security program… to provide information security for the information or information systems that support operations and assets of the agency, including those managed by… a contractor. 44 U.S.C. §3544(a)(1)(A)
  • 20. “Information System”
    • … a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. 44 USC §3502(8)
    • … a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. Circular No. A-130 Para. 6
  • 21. “Federal Information System”
    • … an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
    • 40 U.S.C. 11331(g)
  • 22. Not Subject to FISMA: “National Security System”
    • Means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency
    • The function, operation or use of which:
      • Involves:
        • intelligence activities
        • cryptographic activities related to national security
        • command and control of military forces
        • equipment that is an integral part of a weapon or weapons system,
      • Is critical to the direct fulfillment of military or intelligence missions (does not include a system that is to be used for routine administrative applications, including payroll, finance, logistics and personnel management, which is subject to FISMA), or
      • Is protected at all times by procedures established for information that has been classified in the interest of national security or foreign policy
  • 23. FISMA’s Broad Applicability
    • Otherwise, FISMA applies to all information and information systems
    • Agency IT security programs apply to all organizations or sources which possess or use federal information on behalf of the federal agency
      • i.e., those which operate, use, or have access to Federal Information systems
    • This follows longstanding OMB policy concerning sharing government information and interconnecting systems
      • i.e., Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls
  • 24. 3. Agency difficulties in effectively obtaining contractor compliance with FISMA
    Wide Variance in How Agencies Handle Contractors
  • 25. FISMA Applies to Contractors, but How Do We Do It?
    • No certainty about number and location of contractors (Where? How many?)
    • Inconsistent contractual requirements (What have we agreed to do?)
    • Lack of clear guidelines (How are we doing?)
    • Variance in how contractors manage risk
    Could lead to information security risks…
  • 26. FISMA Definitions: “Information Security”
    • Information security means protecting
      • information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
        • confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
        • integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
        • availability, which means ensuring timely and reliable access to and use of information
  • 27. FISMA Contractor Program: Legislative Requirements
    • Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems
    • Risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system
    • Provide adequate information security for networks, facilities, and systems or groups of information systems
    • Security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency
    • 44 USC §3544(b)
  • 28. FISMA Contractor Program: Legislative Requirements (cont’d)
    • Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency’s required inventory of major information systems
    • A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency
    • Incident response procedures for detecting, reporting, and responding to security incidents and
    • COOP Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency
    • 44 USC §3544(b)
  • 29. Some Insights from Contractors
    • Most RFPs simply require contractors to “comply with all FISMA requirements” or reference that “all FISMA documentation must be provided to the Government”
      • “At that point, each agency takes radically different courses of action. Some are extremely disciplined, others very lax. While I have submitted identical documentation to multiple federal customers, I have had differing reactions based on the ISSM and up through their chain to the DAA.”
    • “Some are more concerned about the formatting of the documents than the content. Some just want to see some words (almost regardless of what they say) against each control category.”
  • 30. Common RFP language
    • “Contractor(s) shall ensure that information systems and facility are operated in accordance with the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. §3541, et seq.”
  • 31. DOT Contract RFP
    • Compare this with a recent DOT Contract RFP which contains 19 pages of “Security Requirements” specifying 17 management, operational and technical “security areas”:
      • Access control;
      • Awareness and training;
      • Audit and accountability;
      • Certification, accreditation, and security assessments;
      • Configuration management;
      • Contingency planning;
      • Identification and authentication;
      • Incident response;
      • Maintenance;
      • Media protection;
      • Physical and environmental protection;
      • Planning;
      • Personnel security;
      • Risk assessment;
      • Systems and services acquisition;
      • System and communications protection; and
      • System and information integrity.
  • 32. DOT Contract RFP, Cont’d
    • Specifies OMB Memoranda
      • M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
      • M-06-16, Protection of Sensitive Agency Information
      • M-06-15, Safeguarding Personally Identifiable Information
      • M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments
  • 33. DOT Contract RFP, Cont’d
    • Specifies Federal Information Processing Standards (FIPS):
      • FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
      • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
      • FIPS 140-2; Security Requirements for Cryptographic Modules
  • 34. DOT Contract RFP, Cont’d
    • Specifies the following NIST special publications:
      • SP 800-18, Guide for Developing Security Plans for Federal Information Systems;
      • SP 800-34, Contingency Planning Guide for Information Technology Systems;
      • SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
      • SP 800-53, Recommended Security Controls for Federal Information Systems;
      • SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems;
      • SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories;
      • SP 800-61, Computer Security Incident Handling Guide; and
      • SP 800-64, Security Considerations for the Information System Development Life Cycle
  • 35. DOT Contract RFP, Cont’d
    • “The Contractor(s) may consult with the … Information System Security Officer (ISSO) for guidance on the applicability of these and other publications in these series not herein identified.”
  • 36. Consultation is a Good Idea: Many Terms Redundant and Confusing
    • IT Security Plan
    • Personnel Screening
    • Personnel Training
    • Security Site Assessment (Physical)
    • Annual Self Assessment
    • Contingency planning/testing
    • Monthly Scan
    • Cleansing, removal, and destruction of IT Equipment
    • PII controls (at rest and in transit encryption)
    • Access Controls (User ID/Password)
    • Third Party Certification and Accreditation (C&A)
    • IT Security Plan Developed within 30 days of contract award
    • Security Site Assessment
    • Annual System Self Assessment
    • Continuity of Operations Planning (COOP)/Disaster Recovery (DR)
    • Incident Response Program
    • Security Awareness
    • Rules of Behavior
    • Contractor Employee Report
    • Agency Scans – HIGH, MODERATE, LOW
  • 37. Improving Contractor Compliance with FISMA
    • Increase Oversight of Contractor Systems
    • Improve Inventory of Contractor-Run Systems
    • Contractually Impose Compliance
  • 38. Inventory of Systems
    • FISMA continues the Paperwork Reduction Act requirement to develop and maintain an inventory of major information systems (including national security systems) that are operated by or under the control of the agency, including those operated by contractors
    • “Without complete and accurate inventories, agencies cannot effectively maintain and secure their systems.”
    Inventory Contractor-Run Systems
    Source: INFORMATION SECURITY: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies, GAO-08-571T, p. 16 (General Accountability Office, March 12, 2008) (hereinafter “FISMA Deficiencies Persist”)
  • 39. Information System Inventory: 22 of 25 IGs reported Inventory as 80% complete
    Inventory Contractor-Run Systems
    Systems/Impact Level    FY 2007   FY 2006   FY 2005
    Agency Systems            8,993     9,388     9,184
      High                    1,089     1,367     1,646
      Moderate                3,264     3,174     2,497
      Low                     4,351     4,516     4,456
      Not Categorized           229       331       585
    Contractor Systems        1,105     1,207     1,105
      High                      295       236       121
      Moderate                  252       397       513
      Low                       168       205       334
      Not Categorized           390       369       384
  • 40. FY 2007 OMB Annual Report
    • 4 of 25 agency IGs indicated they do not generally agree with the number of contractor information systems identified in the inventory.
    • The overall inventory decreased by 3 percent from the prior year.
      • Inventory fluctuations were reported by several agencies, including significant inventory decreases at Treasury, NASA, and DHS
      • Large fluctuations in FISMA inventories, both upwards and downwards, are an indication of immaturity or instability in an agency’s process for identifying systems that should be included in the inventory
      • the inventories of a few agencies dipped for the annual reporting cycle, and then rose again in the first quarter FISMA report, with a subsequent decrease in C&A rates
    Inventory Contractor-Run Systems
  • 41. Primary Methods for Imposing Contractor Compliance
    • Using contract language to establish information security requirements
    • Provide clear guidance to contractors on what they must do to comply
    Contractually Impose Compliance
  • 42. Federal Acquisition Regulations
    • The FAR
      • provides the primary regulation for federal executive agencies in their acquisition of IT supplies and services with appropriated funds
      • emphasizes planning
      • includes certain specific information security requirements
    Contractually Impose Compliance
  • 43. FAR 52.239-1
    • 52.239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following:
    • Privacy or Security Safeguards (Aug 1996)
    • (a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
    • (b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.
    • (c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
    Contractually Impose Compliance
  • 44. Problems with FAR 52.239-1
    • Does not address key aspects of an information security program, e.g.:
      • Planning, implementing, evaluating and documenting remedial actions to address deficiencies
      • Periodic testing and evaluation of security program
      • Detecting, reporting and responding to security incidents
      • Business continuity and disaster planning
    • Does not apply to subcontractors
    Contractually Impose Compliance
  • 45. 2005 FAR Amendments
    • Adds the stipulation that when buying goods and services, contracting officers shall seek advice from specialists in information security (FAR 7.103(u))
    • Adds a definition for the term “Information Security” (FAR 2.101)
    • Incorporates security requirements in acquisition planning and when describing agency needs (FAR 11.102 and 39.101)
    • Requires adherence to Federal Information Processing Standards (FIPS) (FAR 11.102)
    • Revises the policy in FAR 39.101 to require including the appropriate agency security policy and requirements in information technology acquisitions (FAR 39.101(d))
    Contractually Impose Compliance
  • 46. PART 39—ACQUISITION OF INFORMATION TECHNOLOGY FAR 39.101
    • 39.101 Policy.
    • * * *
    • (b)(1) In acquiring information technology, agencies shall identify their requirements pursuant to—
    • (i) OMB Circular A-130, including consideration of security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency; and
    • * * *
    • (2) (d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated
    Contractually Impose Compliance
  • 47. PART 7—ACQUISITION PLANNING FAR §7.103(u)
    • 7.103 Agency-head responsibilities.
    • * * * *
    • (u) Ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB’s implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce’s National Institute of Standards and Technology.
    • 7.105 Contents of written acquisition plans.
    • * * * * *
    • (b) * * *
    • (17) * * * For Information Technology acquisitions, discuss how agency information security requirements will be met.
    • * * * * *
    Contractually Impose Compliance
  • 48. PART 11—DESCRIBING AGENCY NEEDS FAR 11.102
    • 11.102 Standardization program.
    • Agencies shall select existing requirements documents or develop new requirements documents that meet the needs of the agency in accordance with the guidance contained in the Federal Standardization Manual, FSPM-0001; for DoD components, DoD 4120.24-M, Defense Standardization Program Policies and Procedures; and for IT standards and guidance, the Federal Information Processing Standards Publications (FIPS PUBS).
    Contractually Impose Compliance
  • 49. Does the 2005 FAR Go Far Enough?
    • Emphasizes planning, not implementation
      • does not include task or delivery orders issued pursuant to contracts
    • Emphasizes technology, not security management
    • Requires adherence to FIPS, but does not bring in all of the NIST guidance
    • Does not address agency oversight
    Contractually Impose Compliance
  • 50. Another Contract Issue: Interconnection Security Agreement
    • Documents specific technical and security requirements for connecting IT systems from different organizations, such as between a federal agency and a contractor or between a federal agency and other users with privileged access to federal data and systems.
      • In 2005 most of the agencies did not have policies or provide guidance on key areas, including control of agency data in an off-site facility or requirements for interconnection security agreements
    • RFP provisions not clear: “The contractor shall be responsible for IT security for all systems operated by or connected to a DOT network, regardless of location.”
    Contractually Impose Compliance
    Source: GAO Contractor Risks, p. 17, Footnote 13
  • 51. IG Oversight of Contractor Compliance with FISMA
    • OMB asked IGs to confirm whether the agency ensures information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy, and NIST guidelines
    Oversight of Contractor Compliance
  • 52. Training
    • Agencies did not ensure that all information security… contractors including those who have significant information security responsibilities received sufficient training
    Oversight of Contractor Compliance
  • 53. Oversight through Policies and Procedures
    • In 2005, most agencies reported having written policies covering contractors with privileged access, but few had established oversight of contractor compliance
      • 22 of the surveyed agencies reported having information security policies for contractors
      • 15 reported having policies for other users with privileged access to federal data and systems
    • The policies did not define information security oversight requirements, and did not include:
      • description of oversight methods
      • the frequency of reviews or assessments
      • key management controls to mitigate unauthorized disclosure of information
      • physical/logical access controls or
      • the introduction of unauthorized features
    • Agencies did not have policies or provide guidance on key areas, including control of agency data in an off-site facility or requirements for interconnection security agreements
    Source: GAO Contractor Risks, p. 17
    Oversight of Contractor Compliance
  • 54. 4. Recent legislative initiatives to address shortcomings related to contractor compliance
    Finally Some Guidance?
  • 55. FISMA Act of 2008
    • S. 3474, if passed, would:
      • turn the current FISMA requirement for an annual compliance "evaluation" into a mandatory yearly "audit" of data security practices at each agency
      • require that an audit include “a conclusion as to whether the agency's information security controls are effective, including an identification of any significant deficiencies in the controls”
  • 56. FISMA Act of 2008 (cont’d)
      • require agencies to create a Chief Information Security Officer and create an interagency Chief Information Security Officer Council, to provide data security best practices guidance
      • require agencies to continuously monitor their information networks for malicious activity
      • require the DHS to provide annual reports to Congress on cybersecurity operational evaluations and testing protocols employed by each federal agency
  • 57. FISMA Act of 2008: Contractor Requirements
      • Would require that, within 180 days of enactment, OMB, in consultation with NIST, propose information security regulations governing contracts
      • Contracts to include:
        • task and/or delivery orders issued pursuant to contracts
        • Between the federal government and any individual, corporation, partnership, organization, or other entity that interfaces with an information system of an agency or collects, stores, operates, or maintains information on behalf of the agency
  • 58. FISMA 2008: Regulations
    • Regulations to be promulgated shall specify requirements concerning:
      • adequacy and effectiveness of the security of information systems
      • the collection and transmission of information, including personally identifiable information
      • procedures in the event of a security incident
  • 59. FISMA Act of 2008: Status
    • The "Federal Information Security Management Act of 2008" (S. 3474), was introduced Sept. 11 Sens. Thomas Carper (D-DE) and Norm Coleman (R-MN), Committee Chairman Joseph Lieberman (I-CT), and Ranking Minority Member Susan Collins (R-ME)
      • The legislation was approved Sept. 23 by the Senate Committee on Homeland Security and Governmental Affairs, without amendment on a voice vote
    58
  • 60. Impact on Contractors
    • If passed, the legislation will:
      • help to identify contractors that must comply with FISMA
      • impose clear contractual requirements on contractors
      • provide clearer compliance guidelines
      • improve agency oversight
      • enhance OMB reporting
  • 61. 5. Tips for Contractors
    Some Considerations in an Uncertain Environment
  • 62. Tips for Contractors
    • Get a head start by implementing basic FIPS/NIST requirements
    • Align FISMA requirements with current information security and privacy compliance programs
    • Keep up with developments in FISMA and FIPS/NIST provisions
    • As early as possible, clarify or negotiate information security terms in RFPS and Contracts with agency personnel (e.g., ISSO)
    • Work closely with agency throughout the C&A process
  • 63. 6. A Unified Approach to Compliance
    Integrate all state, national and international legal requirements into security and privacy program
  • 64. Remember All of Your Security and Privacy Compliance Requirements
    • GLBA
    • HIPAA
    • State
    • International
    • FISMA
    • ISO
    • NIST
    • FIPS
    • OECD
    • AICPA
    Follow a UNIFIED APPROACH to Compliance
  • 65. Thank You!
    M. Peter Adler, Direct 202.220.1278, Mobile 202.251.7600, Direct Fax 800.684.2749, [email_address]
    Michael A. Hordell, Direct 202.220.1232, Mobile 703.927.0769, Direct Fax 202.318.4527, [email_address]
    Questions?
  • 66. Thank You. Email Brian Dolan at [email_address] for a copy of today’s presentation or with questions for any of our speakers.