- from the perspective of a lawyer and an information security officer
Contractor Risks: People
Source: INFORMATION SECURITY: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk, GAO-05-362, p. 13 (General Accountability Office, April 2005) (hereinafter “GAO Contractor Risks”)
Category: People. Risk descriptions:
- Inadequate segregation of duties (e.g., the software developer is the same individual who puts the software into production).
- Contractor or privileged users of federal data and systems who may not receive appropriate, periodic background investigations.
- Unauthorized personnel having electronic access to agency IT resources (including systems and data).
- Increased use of foreign nationals.
- Unauthorized personnel having physical access to agency IT resources (including systems, facilities, and data).

Contractor Risks: Processes
Source: GAO Contractor Risks, p. 13
Category: Processes. Risk descriptions:
- Contractor or privileged users of federal data and systems may have ineffective patch management processes.
- Lack of effective compliance monitoring of contractors performing work off-site or of privileged users of federal data and systems.
- Possible disclosure of agency-sensitive information to unauthorized individuals or entities.
- Failure by contractor or privileged users of federal data and systems to follow agency IT security requirements.

Contractor Risks: Technology
Source: GAO Contractor Risks, p. 13
Category: Technology. Risk descriptions:
- Intentional or unintentional introduction of viruses and worms.
- Encryption technology may not meet federal standards.
- Incorporation of unauthorized features in customized application software. For example, a third-party software developer has the potential to incorporate “back doors,” spyware, or malicious code into customized application software that could expose agency IT resources to unauthorized loss, damage, modification, or disclosure of data.
2. Legislative history of FISMA and FISMA contractor provisions
Despite FISMA Language, Primary Focus Has Been on Federal Agency Compliance

Legislative History
- 1987 Computer Security Act
- 1995 Paperwork Reduction Act
- 1996 Information Technology Reform Act
- 2000 Government Information Security Reform Act (GISRA)
- 2002 Federal Information Security Management Act (FISMA)
- 2008 S. 3474, FISMA Act of 2008 (2009)?
Risk Analysis. Periodic assessments of risk and harm to information systems and processed information.
Policies and Procedures. Creation and implementation of policies and procedures that reduce the identified risks to an acceptable level in a cost-effective manner. Policies and procedures are to address information security throughout the lifecycle of each agency information system. The policies and procedures are to be drafted in a manner that “ensures compliance” with FISMA and may be prescribed by the Director and NIST. They are to include minimally acceptable system configuration requirements as determined by the agency and any other applicable requirements, including standards and guidelines for national security systems as directed by the President.
Technical Security. Plans for providing adequate information security for networks, facilities and systems, or groups of information systems, as appropriate.
Security Awareness Training. This part of the program is designed to inform persons who use information systems, including personnel, contractors and other users, of the information security risks associated with their activities and of their responsibilities to comply with agency policies and procedures that reduce those risks.
Testing and Evaluation. Periodic testing and evaluation of the effectiveness of the information security policies, procedures and practices is to be performed with a frequency based on the risk, but no less than annually. This testing shall include testing of the management, operational and technical controls of every information system identified in the inventory.
Incident Detection and Response Procedures. Incident detection and response are to be consistent with NIST guidance, including methods to mitigate risks before substantial damage is done and notification to the federal information security incident center, law enforcement, the Inspector General, and an office designated by the President if the incident involves a threat to national security systems.
Disaster Recovery and Business Continuity. The security program should also include plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
NIST Risk Management Framework (Security Life Cycle)
Starting point, then cycling back to step 1 after step 8:
1. Categorize Information System: FIPS 199 / SP 800-60 R1
2. Select Security Controls: FIPS 200 / SP 800-53 R2
3. Supplement Security Controls: SP 800-53 R2 / SP 800-30
4. Document Security Controls: SP 800-18 R1
5. Implement Security Controls: e.g., SP 800-70 R1
6. Assess Security Controls: SP 800-53A
7. Authorize Information System: SP 800-37
8. Monitor Security Controls: SP 800-37 / SP 800-53A
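The first two RMF steps above (categorize under FIPS 199 / SP 800-60, then select a baseline under FIPS 200 / SP 800-53) are the origin of the Low / Moderate / High / Not Categorized buckets that the GAO inventory figures later in this deck are sorted into. The following is an added illustration, not code from the presentation, GAO or NIST: it applies the FIPS 199 high-water mark (the highest impact level across a system's information types and across the confidentiality, integrity and availability objectives), maps the result to an SP 800-53 baseline name, and tallies a constructed agency/contractor inventory by category. System names, information types and impact levels are constructed sample data.

```python
"""FIPS 199 security categorization with a FIPS 200 baseline lookup
and an inventory tally by operator and impact level.

Added example; the sample systems below are constructed, not real
agency data. Categorization follows the FIPS 199 high-water mark rule.
"""
from collections import Counter
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")           # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")
NOT_CATEGORIZED = "NOT CATEGORIZED"            # no categorization recorded yet


@dataclass
class InfoType:
    """One information type (SP 800-60 terminology) with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: invalid {objective} level {level!r}")


@dataclass
class System:
    name: str
    operator: str                      # "agency" or "contractor"
    info_types: list = field(default_factory=list)


def high_water_mark(levels):
    """Highest impact level among the given levels (the FIPS 199 high-water mark)."""
    return max(levels, key=LEVELS.index)


def objective_impact(system, objective):
    """Impact level for one objective: the high-water mark across all information types."""
    return high_water_mark(getattr(t, objective) for t in system.info_types)


def categorize(system):
    """Return (per-objective levels, overall category).

    The overall category is the high-water mark across the three objectives,
    which FIPS 200 uses to select the control baseline. A system with no
    information types recorded is reported as NOT CATEGORIZED, matching the
    bucket the GAO inventory table carries for such systems.
    """
    if not system.info_types:
        return {}, NOT_CATEGORIZED
    per_objective = {obj: objective_impact(system, obj) for obj in OBJECTIVES}
    return per_objective, high_water_mark(per_objective.values())


def select_baseline(overall):
    """Map the overall category to the SP 800-53 baseline name; None if uncategorized."""
    if overall == NOT_CATEGORIZED:
        return None
    return f"SP 800-53 {overall.lower()} baseline"


def tally_inventory(systems):
    """Count systems by (operator, overall category): the layout of the GAO inventory table."""
    counts = Counter()
    for system in systems:
        _, overall = categorize(system)
        counts[(system.operator, overall)] += 1
    return counts


# Constructed sample inventory (hypothetical systems, not real agency data).
SAMPLE_INVENTORY = [
    System("payroll", "agency", [
        InfoType("personnel records", "MODERATE", "MODERATE", "LOW"),
        InfoType("payment processing", "LOW", "HIGH", "MODERATE"),
    ]),
    System("public web site", "contractor", [
        InfoType("public information", "LOW", "LOW", "LOW"),
    ]),
    System("legacy case tracker", "contractor", []),   # never categorized
]

if __name__ == "__main__":
    for system in SAMPLE_INVENTORY:
        per_objective, overall = categorize(system)
        print(f"{system.name}: {per_objective} -> {overall} ({select_baseline(overall)})")
    print(tally_inventory(SAMPLE_INVENTORY))
```

The payroll system lands in the high baseline even though no single information type is high across the board: one type's integrity rating alone sets the mark, which is why categorization is done per objective before the overall level is taken. Systems with nothing recorded surface as their own bucket rather than silently defaulting to Low, so an inventory tally makes the "Not Categorized" gap visible instead of hiding it.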
Shall oversee/be responsible for providing agency information security policies and procedures … requiring agencies … to identify and provide information security protections … [for]
- information collected or maintained … on behalf of an agency, or
- information systems used or operated … by a contractor of an agency or other organization on behalf of an agency.
OMB: 44 U.S.C. §3543(a)(2)(A) and (B); Agency Head: 44 U.S.C. §3544(a)(1)(A)

Agency Program: Each agency shall develop, document and implement an agencywide information security program … to provide information security for the information or information systems that support operations and assets of the agency, including those managed by … a contractor. 44 U.S.C. §3544(a)(1)(A)
“… a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” 44 U.S.C. §3502(8)
“… a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.” OMB Circular No. A-130, Para. 6
“… an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.” 40 U.S.C. 11331(g)
Not Subject to FISMA: “National Security System”
Means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, the function, operation or use of which:
- involves cryptographic activities related to national security,
- involves command and control of military forces,
- involves equipment that is an integral part of a weapon or weapons system, or
- is critical to the direct fulfillment of military or intelligence missions (does not include a system that is to be used for routine administrative applications, including payroll, finance, logistics and personnel management, which are subject to FISMA);
or which is protected at all times by procedures established for information that has been classified in the interest of national security or foreign policy.
Otherwise, FISMA applies to all information and information systems.
Agency IT security programs apply to all organizations or sources which possess or use federal information on behalf of the federal agency, i.e., those which operate, use, or have access to federal information systems.
This follows longstanding OMB policy concerning sharing government information and interconnecting systems, i.e., federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls.
3. Agency difficulties in effectively obtaining contractor compliance with FISMA
Wide Variance in How Agencies Handle Contractors

FISMA Applies to Contractors, but How Do We Do It?
- No certainty about number and location of contractors: Where? How many?
- Inconsistent contractual requirements: What have we agreed to do?
- Lack of clear guidelines: How are we doing?
- Variance in how contractors manage risk
Could lead to information security risks…
- Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems
- Risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system
- Provide adequate information security for networks, facilities, and systems or groups of information systems
- Security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency’s required inventory of major information systems
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency
- Incident response procedures for detecting, reporting, and responding to security incidents; and
- COOP: plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency
Most RFPs simply require contractors to “comply with all FISMA requirements” or reference that “all FISMA documentation must be provided to the Government”
“At that point, each agency takes radically different courses of action. Some are extremely disciplined, others very lax. While I have submitted identical documentation to multiple federal customers, I have had differing reactions based on the ISSM and up through their chain to the DAA.”
“Some are more concerned about the formatting of the documents than the content. Some just want to see some words (almost regardless of what they say) against each control category.”
FISMA continues the Paperwork Reduction Act requirement to develop and maintain an inventory of major information systems (including national security systems) that are operated by or under the control of the agency, including those operated by contractors
“Without complete and accurate inventories, agencies cannot effectively maintain and secure their systems.”
Inventory Contractor-Run Systems
Source: INFORMATION SECURITY: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies, GAO-08-571T, p. 16 (General Accountability Office, March 12, 2008) (hereinafter “FISMA Deficiencies Persist”)

Information System Inventory: 22 of 25 IGs reported inventory as 80% complete
Inventory Contractor-Run Systems (systems by impact level)

Systems / Impact Level          FY 2007   FY 2006   FY 2005
Contractor Systems
  Not Categorized                   390       369       384
  Low                               168       205       334
  Moderate                          252       397       513
  High                              295       236       121
  Contractor Systems (total)      1,105     1,207     1,105
Agency Systems
  Not Categorized                   229       331       585
  Low                             4,351     4,516     4,456
  Moderate                        3,264     3,174     2,497
  High                            1,089     1,367     1,646
  Agency Systems (total)          8,993     9,388     9,184
- 4 of 25 agency IGs indicated they do not generally agree with the number of contractor information systems identified in the inventory.
- The overall inventory decreased by 3 percent from the prior year.
- Inventory fluctuations were reported by several agencies, including significant inventory decreases at Treasury, NASA, and DHS.
- Large fluctuations in FISMA inventories, both upwards and downwards, are an indication of immaturity or instability in an agency’s process for identifying systems that should be included in the inventory.
- The inventories of a few agencies dipped for the annual reporting cycle, and then rose again in the first quarter FISMA report with a subsequent decrease in C&A rates.
Primary Methods for Imposing Contractor Compliance
- Using contract language to establish information security requirements
- Providing clear guidance to contractors on what they must do to comply
52.239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following:
Privacy or Security Safeguards (Aug 1996)
(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
- Adds the stipulation that, when buying goods and services, contracting officers shall seek advice from specialists in information security (FAR 7.103(u));
- Adds a definition for the term “Information Security” (FAR 2.101);
- Incorporates security requirements in acquisition planning and when describing agency needs (FAR 11.102 and 39.101);
- Requires adherence to Federal Information Processing Standards (FIPS) (FAR 11.102);
- Revises the policy in FAR 39.101 to require including the appropriate agency security policy and requirements in information technology acquisitions (FAR 39.101(d)).
Contractually Impose Compliance
PART 39—ACQUISITION OF INFORMATION TECHNOLOGY FAR 39.101
* * *
(b)(1) In acquiring information technology, agencies shall identify their requirements pursuant to—
(i) OMB Circular A-130, including consideration of security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency; and
* * *
(2) (d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated
(u) Ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB’s implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce’s National Institute of Standards and Technology.
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(17) * * * For Information Technology acquisitions, discuss how agency
Contractually Impose Compliance: gaps in the FAR provisions
- Does not include task or delivery orders issued pursuant to contracts
- Emphasizes technology and not security management
- Requires adherence to FIPS, but does not bring in all of the NIST guidance
- Does not address agency oversight
Another Contract Issue: Interconnection Security Agreement
Documents specific technical and security requirements for connecting IT systems from different organizations, such as between a federal agency and a contractor or between a federal agency and other users with privileged access to federal data and systems.
In 2005 most of the agencies did not have policies or provide guidance on key areas, including control of agency data in an off-site facility or requirements for interconnection security agreements
RFP provisions not clear: “The contractor shall be responsible for IT security for all systems operated by or connected to a DOT network, regardless of location.”
IG Oversight of Contractor Compliance with FISMA
OMB asked IGs to confirm whether the agency ensures information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy, and NIST guidelines
Would require that, within 180 days of enactment, OMB, in consultation with NIST, propose information security regulations governing contracts.
Contracts to include:
- task and/or delivery orders issued pursuant to contracts
- contracts between the federal government and any individual, corporation, partnership, organization, or other entity that interfaces with an information system of an agency or collects, stores, operates, or maintains information on behalf of the agency
The “Federal Information Security Management Act of 2008” (S. 3474) was introduced Sept. 11 by Sens. Thomas Carper (D-DE) and Norm Coleman (R-MN), Committee Chairman Joseph Lieberman (I-CT), and Ranking Minority Member Susan Collins (R-ME).
The legislation was approved Sept. 23 by the Senate Committee on Homeland Security and Governmental Affairs, without amendment, on a voice vote.
- Get a head start by implementing basic FIPS/NIST requirements
- Align FISMA requirements with current information security and privacy compliance programs
- Keep up with developments in FISMA and FIPS/NIST provisions
- As early as possible, clarify or negotiate information security terms in RFPs and contracts with agency personnel (e.g., the ISSO)
- Work closely with the agency throughout the C&A process
6. A Unified Approach to Compliance
Integrate all state, national and international legal requirements into the security and privacy program

Remember All of Your Security and Privacy Compliance Requirements: GLBA, HIPAA, state, international, FISMA, ISO, NIST, FIPS, OECD, AICPA
Follow a UNIFIED APPROACH to Compliance
Thank You! Questions?
M. Peter Adler: Direct 202.220.1278, Mobile 202.251.7600, Direct Fax 800.684.2749, [email_address]
Michael A. Hordell: Direct 202.220.1232, Mobile 703.927.0769, Direct Fax 202.318.4527, [email_address]
Thank You Email Brian Dolan at [email_address] for a copy of today’s presentation or with questions for any of our speakers.