45. 2005 FAR Amendments
- Adds the stipulation that when buying goods and services contracting officers shall seek advice...

46. PART 39—ACQUISITION OF INFORMATION TECHNOLOGY, FAR 39.101
- 39.101 Policy.
- * * *
- ...

47. PART 7—ACQUISITION PLANNING, FAR §7.103(u)
- 7.103 Agency-head responsibilities.
- * * * *
- ...

48. PART 11—DESCRIBING AGENCY NEEDS, FAR 11.102
- 11.102 Standardization program.
- Agencies shall select...

49. Does the 2005 FAR Go Far Enough?
- Emphasizes planning, not implementation
  - does not inclu...

50. Another Contract Issue: Interconnection Security Agreement
- Documents specific technical and security requirements ...

51. IG Oversight of Contractor Compliance with FISMA
- OMB asked IGs to confirm whether the agency ensures information s...

52. Training
- Agencies did not ensure that all information security… contractors including those who have significant i...

53. Oversight through Policies and Procedures
- In 2005, most agencies reported having written policies covering contract...

54. Part 4: Recent legislative initiatives to address shortcomings related to contractor compliance
Finally some guidance?

55. FISMA Act of 2008
- S. 3474, if passed, would:
  - turn the current FISMA requirement for an ann...

56. FISMA Act of 2008 (cont'd)
  - require agencies to create a Chief Information Security Office and create an intera...

57. FISMA Act of 2008: Contractor Requirements
  - Would require that, within 180 days of enactment, the OMB, in cons...

58. FISMA 2008: Regulations
- Regulations to be promulgated shall specify requirements concerning:
  - ...

59. FISMA Act of 2008: Status
- The "Federal Information Security Management Act of 2008" (S. 3474) was intro...

60. Impact on Contractors
- If passed, the legislation will:
  - help to identify contractors that mus...

61. Part 5: Tips for Contractors
Some considerations in an uncertain environment

62. Tips for Contractors
- Get a head start by implementing basic FIPS/NIST requirements
- Align FISMA r...

63. Part 6: A Unified Approach to Compliance
Integrate all state, national and international legal requirements into security and p...

64. Remember All of Your Security and Privacy Compliance Requirements: GLBA, HIPAA, State, International, FISMA, ISO, NIST, FIPS, OECD...

65. Thank You! M. Peter Adler, Direct 202.220.1278, Mobile 202.251.7600, Direct Fax 800.684.2749, [email_address]; Michael A. Hord...

66. Thank You. Email Brian Dolan at [email_address] for a copy of today's presentation or with questions for any of our speak...
1. Risk Management: Contractor Responsibilities under the Federal Information Security Management Act of 2002 (FISMA)
January 21, 2009

2. Agenda
- Why contractor security implementation is important, from the perspective of a lawyer and an information security officer
- Legislative history of FISMA and FISMA contractor provisions
- Agency difficulties in effectively obtaining contractor compliance with FISMA
- Recent legislative initiatives to address shortcomings related to contractor compliance
- Tips for contractors
- A "Unified Approach" to compliance

3. Part 1: Why Contractor Security Is Important
From the perspective of a lawyer and an information security officer
4. Contractor Risks: People
Source: INFORMATION SECURITY: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk, GAO-05-362, p. 13 (Government Accountability Office, April 2005) (hereinafter "GAO Contractor Risks")
Category: People. Risk descriptions:
- Inadequate segregation of duties (e.g., the software developer is the same individual who puts the software into production).
- Contractor or privileged users of federal data and systems who may not receive appropriate, periodic background investigations.
- Unauthorized personnel having electronic access to agency IT resources (including systems and data).
- Increased use of foreign nationals.
- Unauthorized personnel having physical access to agency IT resources (including systems, facilities, and data).

5. Contractor Risks: Processes
Source: GAO Contractor Risks, p. 13
Category: Processes. Risk descriptions:
- Contractor or privileged users of federal data and systems may have ineffective patch management processes.
- Lack of effective compliance monitoring of contractors performing work off-site or of privileged users of federal data and systems.
- Possible disclosure of agency-sensitive information to unauthorized individuals or entities.
- Failure by contractors or privileged users of federal data and systems to follow agency IT security requirements.

6. Contractor Risks: Technology
Source: GAO Contractor Risks, p. 13
Category: Technology. Risk descriptions:
- Intentional or unintentional introduction of viruses and worms.
- Encryption technology may not meet federal standards.
- Incorporation of unauthorized features in customized application software. For example, a third-party software developer has the potential to incorporate "back doors," spyware, or malicious code into customized application software that could expose agency IT resources to unauthorized loss, damage, modification, or disclosure of data.
7. Contractor Risks: Legal
- FISMA legal requirements
  - Government contracts
    - Mandatory disclosures
    - Federal Information Processing Standards
    - OMB mandates and standards
- Other legal
  - Government contractor defense
  - Subcontract issues

8. Part 2: Legislative history of FISMA and FISMA contractor provisions
Despite FISMA's language, the primary focus has been on federal agency compliance

9. Legislative History
- 1987: Computer Security Act
- 1995: Paperwork Reduction Act
- 1996: Information Technology Management Reform Act (Clinger-Cohen Act)
- 2000: Government Information Security Reform Act (GISRA)
- 2002: Federal Information Security Management Act (FISMA)
- 2008: S. 3474, FISMA Act of 2008 (2009?)
10. OMB Circular No. A-130
- Appendix III, Security of Federal Automated Information Resources
- Makes it mandatory for agencies and departments to implement the requirements of the Computer Security Act of 1987 and the Federal Information Security Management Act of 2002 (FISMA):
  - all federal information systems must have security plans
  - systems must have formal emergency response capabilities
  - a single individual must have responsibility for operational security
  - security awareness training must be available to all government users and administrators of the system
  - contingency plans for the system must be regularly reviewed and improved
- This OMB Circular was essentially codified to create GISRA, but it is still relevant under FISMA

11. FISMA
- The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law in 2002
  - FISMA was passed as Title III of the E-Government Act of 2002 (Pub. L. No. 107-347)
  - Codified at 44 U.S.C. §3541 et seq.

12. FISMA Continues the GISRA Framework
- GISRA, which expired in 2002, provided the framework for FISMA
  - Introduced annual review and reporting
  - Recognized that, at its core, security is an essential management function
  - Emphasized accountability
  - Moved responsibility to agency program officials to secure the systems that support their operations and assets

13. FISMA New Provisions
- FISMA included many new provisions:
  - Directs NIST to develop security standards and guidelines
  - Stronger emphasis on configuration management
  - Codifies the requirement for ensuring continuity of system operations
  - Development and maintenance of an inventory of major information systems, including contractor-run systems
14. FISMA Compliance Oversight
- OMB
  - Develops and oversees implementation of government-wide policies, procedures, standards and guidance for the federal government's IT security program
- Issues IT security policies
  - OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
  - NIST Standards and Special Publications
- Oversight and enforcement
  - IT budget submissions
  - Annual agency and IG FISMA reports to OMB
  - Agency remediation efforts through Plans of Action and Milestones (POA&Ms)
  - Quarterly updates from agencies
    - Progress on remediation of security weaknesses
    - Performance against key IT security measures
    - Assessment of agencies' IT security status and progress through the E-Government Scorecard
- Annual report to Congress
15. FISMA Security Program Elements
- Risk Analysis. Periodic assessments of risk and harm to information systems and the information they process.
- Policies and Procedures. Creation and implementation of policies and procedures that reduce the identified risks to an acceptable level in a cost-effective manner. Policies and procedures are to address information security throughout the life cycle of each agency information system. They are to be drafted in a manner that "ensures compliance" with FISMA and may be prescribed by the OMB Director and NIST. They are to include minimally acceptable system configuration requirements as determined by the agency and any other applicable requirements, including standards and guidelines for national security systems as directed by the President.
- Technical Security. Plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate.

16. FISMA Security Program Elements, Cont'd
- Security Awareness Training. Informs persons who use information systems, including personnel, contractors and other users, of the information security risks associated with their activities and of their responsibilities to comply with the agency policies and procedures designed to reduce those risks.
- Testing and Evaluation. Periodic testing and evaluation of the effectiveness of information security policies, procedures and practices, performed with a frequency based on risk but no less than annually. This testing shall include testing of the management, operational and technical controls of every information system identified in the inventory.
- Incident Detection and Response Procedures. Incident detection and response are to be consistent with NIST guidance, including methods to mitigate risks before substantial damage is done, and notification of the federal information security incident center, law enforcement, the Inspector General, and an office designated by the President if the incident involves a threat to national security systems.
- Disaster Recovery and Business Continuity. The security program should also include plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
17. NIST Risk Management Framework (security life cycle)
- Categorize Information System: FIPS 199 / SP 800-60 Rev. 1 (start of the cycle)
- Select Security Controls: FIPS 200 / SP 800-53 Rev. 2
- Supplement Security Controls: SP 800-53 Rev. 2 / SP 800-30
- Document Security Controls: SP 800-18 Rev. 1
- Implement Security Controls: e.g., SP 800-70 Rev. 1
- Assess Security Controls: SP 800-53A
- Authorize Information System: SP 800-37
- Monitor Security Controls: SP 800-37 / SP 800-53A (feeds back into Categorize)
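The first step of the framework, categorizing the system under FIPS 199 with SP 800-60, is where the High/Moderate/Low impact levels used in the inventory slides come from, and it is the step that decides which SP 800-53 baseline a contractor-run system must meet. The following is an added example, not part of the presentation, showing the aggregation rule in code: FIPS 199 takes, for each security objective, the highest impact value among the information types the system processes (the high-water mark), with a LOW floor because "not applicable" is allowed only for the confidentiality of an information type and never at the system level; FIPS 200 then takes the highest of the three system values as the overall system impact level. The information types, their names and their impact values are constructed for illustration and are not SP 800-60 assignments.

```python
"""FIPS 199 security categorization of an information system (RMF step 1).

Added example, not from the slide deck: it implements the aggregation rule of
FIPS 199 section 3 and the system impact level of FIPS 200. Each information
type carries a security category
    SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
with impact in {LOW, MODERATE, HIGH}; only confidentiality may be "not
applicable" (NA), for public information. The system's value for each objective
is the highest value among its information types (the high-water mark), with a
LOW floor because NA is not permitted at the system level. FIPS 200 then takes
the highest of the three system values as the overall impact level that drives
the SP 800-53 baseline. The information types and impact values below are
constructed for illustration; they are not SP 800-60 assignments.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str  # LOW | MODERATE | HIGH | NA (public information)
    integrity: str        # LOW | MODERATE | HIGH
    availability: str     # LOW | MODERATE | HIGH

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: {objective}={value!r} is not a FIPS 199 impact value")
            # FIPS 199: NA applies only to confidentiality, never to integrity or availability.
            if value == "NA" and objective != "confidentiality":
                raise ValueError(f"{self.name}: {objective} cannot be NA")


def high_water_mark(values: Iterable[str]) -> str:
    """Highest impact value in the FIPS 199 ordering NA < LOW < MODERATE < HIGH."""
    return max(values, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Per-objective security category of a system that processes the given information types."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(getattr(t, objective) for t in types)
        # A system-level objective can never be NA: there is always at least a
        # LOW impact from protecting the system's own processing functions.
        category[objective] = "LOW" if hwm == "NA" else hwm
    return category


def system_impact_level(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the high-water mark across the three objectives."""
    return high_water_mark(category[o] for o in OBJECTIVES)


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample: a contractor-operated system that serves public agency
# content and also stores personnel records containing PII.
SAMPLE_TYPES = (
    InformationType("public agency web content", "NA", "MODERATE", "MODERATE"),
    InformationType("personnel records (PII)", "MODERATE", "MODERATE", "LOW"),
    InformationType("routine administrative correspondence", "LOW", "LOW", "LOW"),
)

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_category(sc))
    print("system impact level:", system_impact_level(sc))
```

The point worth noticing for contract work is that a single information type with a HIGH value on any one objective pulls the whole system to HIGH, which changes the control baseline the contractor has to deliver; the categorization should therefore be fixed in the contract documents before the security plan is written rather than inferred afterwards from whatever the system happens to hold.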
18. Agency Grades Improving, But Still Lacking
19. FISMA Contractor Provisions
- OMB Director / agency head
  - Shall oversee / be responsible for providing agency information security policies and procedures ... requiring agencies ... to identify and provide information security protections ... [for]
    - information collected or maintained ... on behalf of an agency, or
    - information systems used or operated ... by a contractor of an agency or other organization on behalf of an agency.
  - OMB: 44 U.S.C. §3543(a)(2)(A) and (B); agency head: 44 U.S.C. §3544(a)(1)(A)
- Agency program
  - Each agency shall develop, document and implement an agencywide information security program ... to provide information security for the information and information systems that support the operations and assets of the agency, including those managed by ... a contractor. 44 U.S.C. §3544(b)
20. "Information System"
- "... a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information." 44 U.S.C. §3502(8)
- "... a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual." OMB Circular No. A-130, para. 6

21. "Federal Information System"
- "... an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency." 40 U.S.C. 11331(g)

22. Not Subject to FISMA: "National Security System"
- Means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency
- the function, operation or use of which:
  - involves:
    - intelligence activities
    - cryptographic activities related to national security
    - command and control of military forces
    - equipment that is an integral part of a weapon or weapons system, or
  - is critical to the direct fulfillment of military or intelligence missions (this does not include a system used for routine administrative and business applications, including payroll, finance, logistics and personnel management, which remains subject to FISMA); or
  - is protected at all times by procedures established for information that has been classified in the interest of national defense or foreign policy

23. FISMA's Broad Applicability
- Otherwise, FISMA applies to all information and information systems
- Agency IT security programs apply to all organizations or sources that possess or use federal information on behalf of the federal agency
  - i.e., those that operate, use, or have access to federal information systems
- This follows longstanding OMB policy concerning sharing government information and interconnecting systems
  - i.e., federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls
24. Part 3: Agency difficulties in effectively obtaining contractor compliance with FISMA
Wide variance in how agencies handle contractors

25. FISMA Applies to Contractors, but How Do We Do It?
- No certainty about the number and location of contractors (Where? How many?)
- Inconsistent contractual requirements (What have we agreed to do?)
- Lack of clear guidelines (How are we doing?)
- Variance in how contractors manage risk
- All of which could lead to information security risks...
26. FISMA Definitions: "Information Security"
- Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
  - confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
  - integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
  - availability, which means ensuring timely and reliable access to and use of information

27. FISMA Contractor Program: Legislative Requirements
- Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems
- Risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system
- Adequate information security for networks, facilities, and systems or groups of information systems
- Security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency
- 44 U.S.C. §3544(b)

28. FISMA Contractor Program: Legislative Requirements (cont'd)
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk but no less than annually, and including testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency
- Incident response procedures for detecting, reporting, and responding to security incidents, and
- Continuity of operations (COOP) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency
- 44 U.S.C. §3544(b)
29. Some Insights from Contractors
- Most RFPs simply require contractors to "comply with all FISMA requirements" or state that "all FISMA documentation must be provided to the Government"
  - "At that point, each agency takes radically different courses of action. Some are extremely disciplined, others very lax. While I have submitted identical documentation to multiple federal customers, I have had differing reactions based on the ISSM and up through their chain to the DAA."
- "Some are more concerned about the formatting of the documents than the content. Some just want to see some words (almost regardless of what they say) against each control category."

30. Common RFP Language
- "Contractor(s) shall ensure that information systems and facility are operated in accordance with the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. §3541, et seq."
31. DOT Contract RFP
- Compare this with a recent DOT contract RFP, which contains 19 pages of "Security Requirements" specifying 17 management, operational and technical "security areas" (the 17 security-related areas of FIPS 200):
  - Access control
  - Awareness and training
  - Audit and accountability
  - Certification, accreditation, and security assessments
  - Configuration management
  - Contingency planning
  - Identification and authentication
  - Incident response
  - Maintenance
  - Media protection
  - Physical and environmental protection
  - Planning
  - Personnel security
  - Risk assessment
  - Systems and services acquisition
  - System and communications protection
  - System and information integrity

32. DOT Contract RFP, Cont'd
- Specifies OMB Memoranda:
  - M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
  - M-06-16, Protection of Sensitive Agency Information
  - M-06-15, Safeguarding Personally Identifiable Information
  - M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments

33. DOT Contract RFP, Cont'd
- Specifies Federal Information Processing Standards (FIPS):
  - FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
  - FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
  - FIPS 140-2, Security Requirements for Cryptographic Modules

34. DOT Contract RFP, Cont'd
- Specifies the following NIST Special Publications:
  - SP 800-18, Guide for Developing Security Plans for Federal Information Systems
  - SP 800-34, Contingency Planning Guide for Information Technology Systems
  - SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  - SP 800-53, Recommended Security Controls for Federal Information Systems
  - SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
  - SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
  - SP 800-61, Computer Security Incident Handling Guide
  - SP 800-64, Security Considerations in the Information System Development Life Cycle

35. DOT Contract RFP, Cont'd
- "The Contractor(s) may consult with the ... Information System Security Officer (ISSO) for guidance on the applicability of these and other publications in these series not herein identified."
36. Consultation Is a Good Idea: Many Terms Redundant and Confusing
Terms used in the RFP's security requirements (first group):
- IT Security Plan
- Personnel Screening
- Personnel Training
- Security Site Assessment (Physical)
- Annual Self Assessment
- Contingency planning/testing
- Monthly Scan
- Cleansing, removal, and destruction of IT equipment
- PII controls (at-rest and in-transit encryption)
- Access Controls (User ID/Password)

Terms used elsewhere in the same RFP (second group), several of which overlap the first:
- Third-Party Certification and Accreditation (C&A)
- IT Security Plan developed within 30 days of contract award
- Security Site Assessment
- Annual System Self Assessment
- Continuity of Operations Planning (COOP)/Disaster Recovery (DR)
- Incident Response Program
- Security Awareness
- Rules of Behavior
- Contractor Employee Report
- Agency Scans: HIGH, MODERATE, LOW
37. Improving Contractor Compliance with FISMA
- Increase oversight of contractor systems
- Improve the inventory of contractor-run systems
- Contractually impose compliance

38. Inventory of Systems [Inventory Contractor-Run Systems]
- FISMA continues the Paperwork Reduction Act requirement to develop and maintain an inventory of major information systems (including national security systems) that are operated by or under the control of the agency, including those operated by contractors
- "Without complete and accurate inventories, agencies cannot effectively maintain and secure their systems."
Source: INFORMATION SECURITY: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies, GAO-08-571T, p. 16 (Government Accountability Office, March 12, 2008) (hereinafter "FISMA Deficiencies Persist")
39. Information System Inventory: 22 of 25 IGs reported the inventory as 80% complete

Systems / impact level       FY 2005   FY 2006   FY 2007
Agency systems                 9,184     9,388     8,993
  High                         1,646     1,367     1,089
  Moderate                     2,497     3,174     3,264
  Low                          4,456     4,516     4,351
  Not categorized                585       331       229
Contractor systems             1,105     1,207     1,105
  High                           121       236       295
  Moderate                       513       397       252
  Low                            334       205       168
  Not categorized                384       369       390
    40. 40. FY 2007 OMB Annual Report <ul><li>4 of 25 agency IGs indicated they do not generally agree with the number of contractor information systems identified in the inventory. </li></ul><ul><li>The overall inventory decreased by 3 percent from the prior year. </li></ul><ul><ul><li>Inventory fluctuations were reported by several agencies, including significant inventory decreases at Treasury, NASA, and DHS </li></ul></ul><ul><ul><li>Large fluctuations in FISMA inventories, both upwards and downwards, are an indication of immaturity or instability in an agency’s process for identifying systems that should be included in the inventory </li></ul></ul><ul><ul><li>the inventories of a few agencies dipped for the annual reporting cycle, and then rose again in the first quarter FISMA report with a subsequent decrease in C&A rates </li></ul></ul>Inventory Contractor-Run Systems 39
41. Primary Methods for Imposing Contractor Compliance

- Use contract language to establish information security requirements.
- Provide clear guidance to contractors on what they must do to comply.

Contractually Impose Compliance
42. Federal Acquisition Regulations

- The FAR:
  - provides the primary regulation for federal executive agencies in their acquisition of IT supplies and services with appropriated funds;
  - emphasizes planning;
  - includes certain specific information security requirements.
43. FAR 52.239-1

- 52.239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following:
- Privacy or Security Safeguards (Aug 1996)
- (a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer's written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
- (b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases.
- (c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
44. Problems with FAR 52.239-1

- Does not address key aspects of an information security program, e.g.:
  - planning, implementing, evaluating and documenting remedial actions to address deficiencies;
  - periodic testing and evaluation of the security program;
  - detecting, reporting and responding to security incidents;
  - business continuity and disaster planning.
- Does not apply to subcontractors.
45. 2005 FAR Amendments

- Adds the stipulation that, when buying goods and services, contracting officers shall seek advice from specialists in information security (FAR 7.103(u)).
- Adds a definition for the term "Information Security" (FAR 2.101).
- Incorporates security requirements in acquisition planning and when describing agency needs (FAR 11.102 and 39.101).
- Requires adherence to Federal Information Processing Standards (FIPS) (FAR 11.102).
- Revises the policy in FAR 39.101 to require including the appropriate agency security policy and requirements in information technology acquisitions (FAR 39.101(d)).
46. PART 39—ACQUISITION OF INFORMATION TECHNOLOGY, FAR 39.101

- 39.101 Policy.
- * * *
- (b)(1) In acquiring information technology, agencies shall identify their requirements pursuant to—
- (i) OMB Circular A-130, including consideration of security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency; and
- * * *
- (2) (d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.
47. PART 7—ACQUISITION PLANNING, FAR §7.103(u)

- 7.103 Agency-head responsibilities.
- * * * *
- (u) Ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce's National Institute of Standards and Technology.
- 7.105 Contents of written acquisition plans.
- * * * * *
- (b) * * *
- (17) * * * For Information Technology acquisitions, discuss how agency information security requirements will be met.
- * * * * *
48. PART 11—DESCRIBING AGENCY NEEDS, FAR 11.102

- 11.102 Standardization program.
- Agencies shall select existing requirements documents or develop new requirements documents that meet the needs of the agency in accordance with the guidance contained in the Federal Standardization Manual, FSPM-0001; for DoD components, DoD 4120.24-M, Defense Standardization Program Policies and Procedures; and for IT standards and guidance, the Federal Information Processing Standards Publications (FIPS PUBS).
49. Does the 2005 FAR Go Far Enough?

- Emphasizes planning, not implementation
  - does not include task or delivery orders issued pursuant to contracts
- Emphasizes technology, not security management
- Requires adherence to FIPS, but does not bring in all of the NIST guidance
- Does not address agency oversight
50. Another Contract Issue: Interconnection Security Agreement

- Documents specific technical and security requirements for connecting IT systems from different organizations, such as between a federal agency and a contractor, or between a federal agency and other users with privileged access to federal data and systems.
  - In 2005 most agencies did not have policies or provide guidance on key areas, including control of agency data in an off-site facility or requirements for interconnection security agreements.
- RFP provisions are not clear: "The contractor shall be responsible for IT security for all systems operated by or connected to a DOT network, regardless of location."

Source: GAO Contractor Risks, p. 17, Footnote 13
51. IG Oversight of Contractor Compliance with FISMA

- OMB asked IGs to confirm whether the agency ensures that information systems used or operated by a contractor of the agency, or by another organization on behalf of the agency, meet the requirements of FISMA, OMB policy, and NIST guidelines.

Oversight of Contractor Compliance
52. Training

- Agencies did not ensure that all information security… contractors, including those who have significant information security responsibilities, received sufficient training.
53. Oversight through Policies and Procedures

- In 2005, most agencies reported having written policies covering contractors with privileged access, but few had established oversight of contractor compliance.
  - 22 of the surveyed agencies reported having information security policies for contractors.
  - 15 reported having policies for other users with privileged access to federal data and systems.
- The policies did not define information security oversight requirements, and did not include:
  - a description of oversight methods;
  - the frequency of reviews or assessments;
  - key management controls to mitigate unauthorized disclosure of information;
  - physical/logical access controls; or
  - the introduction of unauthorized features.
- Agencies did not have policies or provide guidance on key areas, including control of agency data in an off-site facility or requirements for interconnection security agreements.

Source: GAO Contractor Risks, p. 17
54. 4. Recent Legislative Initiatives to Address Shortcomings Related to Contractor Compliance

Finally Some Guidance?
55. FISMA Act of 2008

- S. 3474, if passed, would:
  - turn the current FISMA requirement for an annual compliance "evaluation" into a mandatory yearly "audit" of data security practices at each agency;
  - require that an audit include "a conclusion as to whether the agency's information security controls are effective, including an identification of any significant deficiencies in the controls."
56. FISMA Act of 2008 (cont'd)

  - require agencies to create a Chief Information Security Office and create an interagency Chief Information Security Officer Council, to provide data security best-practices guidance;
  - require agencies to continuously monitor their information networks for malicious activity;
  - require DHS to provide annual reports to Congress on cybersecurity operational evaluations and testing protocols employed by each federal agency.
57. FISMA Act of 2008: Contractor Requirements

  - Would require that, within 180 days of enactment, OMB, in consultation with NIST, propose information security regulations governing contracts.
  - Contracts to include:
    - task and/or delivery orders issued pursuant to contracts;
    - contracts between the federal government and any individual, corporation, partnership, organization, or other entity that interfaces with an information system of an agency or collects, stores, operates, or maintains information on behalf of the agency.
58. FISMA 2008: Regulations

- Regulations to be promulgated shall specify requirements concerning:
  - adequacy and effectiveness of the security of information systems;
  - the collection and transmission of information, including personally identifiable information;
  - procedures in the event of a security incident.
59. FISMA Act of 2008: Status

- The "Federal Information Security Management Act of 2008" (S. 3474) was introduced Sept. 11 by Sens. Thomas Carper (D-DE) and Norm Coleman (R-MN), Committee Chairman Joseph Lieberman (I-CT), and Ranking Minority Member Susan Collins (R-ME).
  - The legislation was approved Sept. 23 by the Senate Committee on Homeland Security and Governmental Affairs, without amendment, on a voice vote.
60. Impact on Contractors

- If passed, the legislation will:
  - help to identify contractors that must comply with FISMA;
  - impose clear contractual requirements on contractors;
  - provide clearer compliance guidelines;
  - improve agency oversight;
  - enhance OMB reporting.
61. 5. Tips for Contractors

Some Considerations in an Uncertain Environment
62. Tips for Contractors

- Get a head start by implementing basic FIPS/NIST requirements.
- Align FISMA requirements with current information security and privacy compliance programs.
- Keep up with developments in FISMA and FIPS/NIST provisions.
- As early as possible, clarify or negotiate information security terms in RFPs and contracts with agency personnel (e.g., the ISSO).
- Work closely with the agency throughout the C&A process.
63. 6. A Unified Approach to Compliance

Integrate all state, national and international legal requirements into the security and privacy program.
64. Remember All of Your Security and Privacy Compliance Requirements

- GLBA
- HIPAA
- State
- International
- FISMA
- ISO
- NIST
- FIPS
- OECD
- AICPA

Follow a UNIFIED APPROACH to Compliance
65. Thank You!

M. Peter Adler — Direct 202.220.1278, Mobile 202.251.7600, Direct Fax 800.684.2749, [email_address]

Michael A. Hordell — Direct 202.220.1232, Mobile 703.927.0769, Direct Fax 202.318.4527, [email_address]

Questions?
66. Thank You

Email Brian Dolan at [email_address] for a copy of today's presentation or with questions for any of our speakers.