FISMA: Going Beyond Mere Compliance
Government agencies and the contractors and vendors that serve them hold a veritable treasure trove of confidential information and are routinely entrusted with citizens’ personal and financial data. Cybercriminals are well aware of this fact. And as several recent high-profile breaches have demonstrated, government agencies are becoming an increasingly attractive target for sophisticated attacks and malicious activities.
At the same time, citizens now count on Federal agencies to provide them with online services, and in fact, expect digital experiences from the government that are on par with what the private sector can deliver. This means that IT systems are becoming ever more central to government agencies’ ability to fulfill their mission. As they do, cyberattacks are becoming able to cause greater disruption and more harm than ever before.
The Federal Information Security Management Act (FISMA) was created in an effort to mitigate these growing risks. Initially passed as part of the broader E-Government Act of 2002 and then replaced with an amended and revised version in 2014, the act recognizes the critical importance of information security to the U.S.’s economic and national security interests. It requires government agencies to develop, document and implement an agency-wide program to secure information systems and report annually to Congress on the program’s effectiveness. In addition, state agencies charged with administering federal programs can be held to that same standard, along with businesses contracted to provide services to government agencies.
To further strengthen the cybersecurity of federal networks, government agencies are now required to adhere to the provisions of Executive Order 13800 as well. This mandate directs them to use the National Institute of Standards and Technology (NIST)’s Cybersecurity Framework to guide their risk management processes.
FISMA compliance challenges: an overview
FISMA’s requirements are both broad and extensive. In general, auditors assess agencies’ and contractors’ information security programs in terms of their ability to perform the five core security functions defined by the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
According to NIST, these five functions are to be performed concurrently, continuously, and on an ongoing basis. In addition, agencies must maintain a detailed inventory of all information systems they use, must categorize those systems and the data they contain in terms of risk, and must create and maintain a security plan for the entire system. Although the NIST framework outlines an extensive catalog of security controls, individual agencies’ specific requirements are based on the particular risks they face.
Although which security controls are required to be in place will vary from agency to agency, all entities subject to FISMA are required to perform continuous monitoring of their security controls. They’re also tasked with “maintaining and testing… processes and procedures to ensure they have timely and adequate awareness of anomalous events on their systems and networks.” The goal is to ensure that agencies “are able to discover cybersecurity events in a timely manner.” For many, these mandates are among the most challenging aspects of FISMA compliance to achieve.
Deciding exactly what adequate “continuous monitoring” means is up to the individual auditor or assessor, as is determining whether “detection” and “response” processes are adequate. However, in the United States Government Accountability Office’s most recent report, a majority of agencies were found to be “at-risk” or “at high risk” due to an inability to identify and prevent malicious traffic from entering their networks. Cloud-based services were particularly vulnerable to risks from inadequate monitoring. Overall, only six of the 23 agencies audited were judged to have an “effective” information security program.
Continuous monitoring is mandatory; effective monitoring is needed for real risk reduction
Numerous organizations and agencies have attempted to achieve FISMA compliance by implementing a security information and event management (SIEM) solution or other log management tool to fulfill the regulation’s mandates. Some individual auditors might decide that merely retaining logs of configuration settings and the data collected by your security sensor grid, for use in after-the-fact forensic analysis or occasional review by a member of your team, meets the minimum requirements. There is no guarantee that this will be the case, however, and it certainly doesn’t meet the intent of the requirement, which is timely awareness of anomalous events.
Of course, government agencies and their subcontractors don’t have unlimited budgets. FISMA recognizes this reality, directing agencies to minimize real information security risks while also eliminating inefficient and wasteful spending. Naturally, there’s an opportunity here for agencies to fulfill not only the letter but the spirit of FISMA’s requirements by introducing intelligent decision automation into their security operations workflow—reducing costs and real-world risks along the way.
Both FISMA and the NIST framework mandate that certain security controls be in place within an agency’s IT environment; both also stipulate that security controls be evaluated regularly and that the findings be documented. Neither, however, prescribes which particular technologies must be implemented. Instead, it’s the responsibility of individual agencies and contractors to find the vendors and solutions that will work best for their unique risk profile, and within their budget.
When looking at the security controls and operational workflows that your agency has in place, it’s essential to ask: are you managing risk effectively? In reality, achieving this aim means finding solutions that can be deployed quickly and cost-effectively, and that will support compliance with the spirit as well as the letter of these regulations. It’s also critical to find tools that will save time since today’s security analysts are spending more than one-quarter of their working hours on monitoring activities.
Enhancing agencies’ ability to comply with FISMA: The Continuous Diagnostics and Mitigation (CDM) Program
To enhance Federal agencies’ IT infrastructure monitoring capabilities and make it easier for them to meet all of FISMA’s requirements, the Department of Homeland Security (DHS) launched an additional initiative, the Continuous Diagnostics and Mitigation (CDM) Program, in 2013. Its provisions continue to be revised, but essentially the program supports the implementation of industry-leading off-the-shelf tools and solutions to help agencies understand which users and devices are accessing their networks, what activities and events are taking place on their networks, and how their data is being protected and managed.
CDM makes it easier for government agencies to reduce their ongoing security risks and discover problems and threats in near real-time. We’ll discuss its provisions in an upcoming blog.
In the meantime, know that everyone—including FISMA-compliant entities—needs to implement information security solutions that are more effective yet reduce costs. We invite you to experience the Respond Analyst:
- an automated solution that can be stood up in (on average) 4 hours.
- a monitoring tool that gives security operations teams a 96 percent reduction in false-positive alerts.
- an intelligent, decision-making secops automation solution that relies on integrated reasoning to achieve 87 percent accuracy out-of-the-box, and has the learning capability to exceed 95 percent.