Federal Information Security Management Act (FISMA) - Office of ...

Published in: Technology
  • Greetings. This is an approach that addresses the fundamental basis of FISMA. It takes into account the statute, regulations and implementation requirements of FISMA and other legislation.
  • First, understanding the model. Nothing new: a typical agency with high-level goals and objectives to support its mission, an enterprise architecture to support the requirements, technology refreshment via capital planning, and certification and accreditation (C&A) providing the risk management process. FISMA requires that the CIO have an agency-wide program to provide a level of protection to the information, and an inventory of the systems and programs requiring protection.
  • Understanding the agency mission and its relationship to OMB and NIST is a requirement. Some managers do not want to acknowledge this and attempt to bypass these requirements. OMB implementation guidance normally gets stringent review before becoming a Circular, Memorandum, or Bulletin. NIST provides the technical implementation framework for the agency; this is normally transmitted as Federal Information Processing Standards (FIPS), special publications, and information technology bulletins. The combination of the two organizations provides the criteria that should be used for reviewing the agency.
  • FISMA and other guidance require the agency to have an information security program. FISMA simply places responsibility for implementing the information security program on the CIO. This approach makes some assumptions: 1. the agency has an enterprise architecture in place and functional; 2. the agency has a capital planning process implemented. If these functions and processes are not implemented, then you have an issue with Clinger-Cohen (ITMRA) on the effectiveness and efficiency of information management. The agency-wide security program should be blessed and approved by OMB, along with having performance measures for the information assurance activities. The information assurance activities might cover several programs and services of the agency, forming the basis for risk management. NIST this month released metrics guidance to the agencies for tracking security programs.
  • Examples of programs that might be classified as information assurance activities supporting risk management.
  • The agency CIO should have an inventory of the agency's information system programs. These programs should relate directly to the agency's mission and administrative responsibilities. In most cases you will find a ratio of 2 – 2.5 to 1 of administrative to program systems. This condition is related to financial management statutes requiring accountability of public funds. While the program manager might have several systems for processing and tracking the information regarding their program, the budget officer has several to account for procurement, logistics, payments, payroll, etc. These systems should have some classification to distinguish administrative programs from mission-related programs.
  • The Capital Investment Fund (CIF) process to support OMB A-11 submissions is a difficult process to translate to the program management staff because most are not involved. First, understanding the definitions of projects and programs would serve as the basis. Programs are those activities that provide support to the mission and administrative responsibilities of the agency, while projects are new and improvement initiatives to the day-to-day programs. Funding for programs should be base funded and maybe augmented with CIF, while projects are fully CIF funded. If a project fails to meet its expectations, then it could be cancelled without impacting the program's daily operations. Under guidance from OMB, the A-11 process along with IT security should provide the agency with enough of a framework to integrate the A-11 process into the IT lifecycle process. The program/project manager should have the training to develop and manage the documentation needed to support the A-11 process. Once the project/program manager has developed and submitted their respective initiatives, then the CIO should have
  • Once you know the requirements based on the mission, goals and objectives, determine the technology that best meets your initiative. Using the capital planning process, submit the plan for the project and, as you develop and refine the project, start the C&A process. By the time the project is ready for deployment, the vulnerabilities and risk will have been minimized. The goal of balancing vulnerabilities, threats and risk is key to C&A.