With the 2006 reporting period for the annual Federal Information Security Management Act just ended, it seems a good time to pause and consider what this law is designed to do and how it fits in the patchwork of vendor tools that promise to help ensure security of the Defense Department's IT.
Basically, FISMA requires organizations to report on the status of efforts to secure systems. What agencies must report on is straightforward. First, what information systems are in the inventory? How are they defined? What computing and network devices are involved? What are their boundaries and what are they connected to? Next, agencies must characterize how important these systems are and the kind of information they process. The system documentation must also include details on implementing security measures and plans for handling major system failures.
The next step is to take this information and craft an operational risk assessment. Identify the vulnerabilities and threats to the system, map the appropriate security measures to resolve these vulnerabilities, and document the security gaps. Obviously, the agency must take additional security measures to fill the gaps as necessary. To ensure the security measures remain effective, an annual review and certification are required. The organization's accreditation official uses this information to grant a system the authority to operate.
Back to Basics
Because we are dealing with systems, there is a temptation to focus heavily on the available security technologies. Virus scanners, spyware detection, firewalls, intrusion detection, intrusion prevention, token-based authentication, vulnerability scanners: the list of technologies available to secure systems and networks goes on and on. Each of these tools has a place as a security measure, but these technologies are not a panacea. FISMA does not require agencies to report the number of firewalls in their infrastructure. The activities required by FISMA align more with the basics of systems operation.
So what are these basics? Configuration management, software distribution, access controls, backup and continuity planning, high-quality systems administration and user awareness. None of these are exclusively security problems, but all are vital both to standard systems and network operations and to the security of systems. Automation support for configuration management and software distribution can provide the foundation to keep up with security patch distribution as well as product upgrades and functionality improvements. The rapidly changing nature of the threat environment and the ever-increasing complexity of today's software require that configuration management and software distribution be supported by automation. But this, also, is not enough.
An agency can't secure a system unless it can manage it in an effective manner. Why? Because a system with the best security software loaded isn't secure if users rely on faulty passwords or if it lets users load malicious software. FISMA requires an integrated view of security. In the end, this means DOD personnel charged with systems security must take a holistic approach: think about the foundations and build on them, integrating security into our management practices rather than handling it separately.
Roberta G. Stempfley is vice director for strategic planning and information and deputy CIO at the Defense Information Systems Agency.