Saturday, April 24, 2010

Thoughts on New OMB FISMA Memo

I read the new OMB memorandum M-10-15, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management." This InformationWeek article pretty well summarizes the memo, but I'd like to share a few thoughts.

Long-time blog readers should know I've been writing about FISMA for five years, calling it a "joke," "a jobs program for so-called security companies without the technical skills to operationally defend systems," and other kind words. Any departure from the previous implementation is a welcome change.

However, it's critical to remember that control monitoring is not threat monitoring. Let's take a look at the OMB letter to see what is really changing for FISMA implementation.

For FY 2010, FISMA reporting for agencies through CyberScope, due November 15, 2010, will follow a three-tiered approach:

1. Data feeds directly from security management tools
2. Government-wide benchmarking on security posture
3. Agency-specific interviews

I wonder how long before CyberScope is compromised?

Turning to the three points, what does #1 really mean?

Beginning January 1, 2011, agencies will be required to report on this new information monthly. The new data feeds will include summary information, not detailed information, in the following areas for CIOs:

• Inventory
• Systems and Services
• Hardware
• Software
• External Connections
• Security Training
• Identity Management and Access

So it looks like OMB is basically requiring agencies to report asset inventory information, training status for employees, and some IDM information? And monthly? I guess if you're moving from a three-year cycle to a monthly cycle, that sounds "continuous," but in the modern enterprise a monthly report is recognized as a snapshot, not monitoring.

How about #2?

A set of questions on the security posture of the agencies will also be asked in CyberScope. All agencies, except microagencies, will be required to respond to these questions in addition to the data feeds described above.

Now I see OMB will be asking agencies questions, which they will have to answer?

And #3:

As a follow-up to the questions described above, a team of government security specialists will interview all agencies individually on their respective security postures.

This looks like another question-and-answer session, except I expect OMB to spend time with the problem cases identified in steps 1 and 2.

Let's be clear: there's no "continuous monitoring" happening here. This is basic housekeeping, although the scale of the government and bureaucratic inertia make this a difficult problem. I hope this is only the first round of change.

I found the frequently asked questions to be more interesting than the main memo.

30. Why should agencies conduct continuous monitoring of their security controls?

Continuous monitoring of security controls is a cost-effective and important part of managing enterprise risk and maintaining an accurate understanding of the security risks confronting your agency’s information systems. Continuous monitoring of security controls is required as part of the security authorization process to ensure controls remain effective over time (e.g., after the initial security authorization or reauthorization of an information system) in the face of changing threats, missions, environments of operation, and technologies.

Ah ha, finally we see it in print: "continuous monitoring of security controls." There's no continuous monitoring of threats here. Furthermore, I'm wondering why OMB considers asset inventory, training, and IDM to be so crucial to security risks. Sure, they are important, but where's the real "security" in those controls? In other words, OMB could still observe controls, but those controls could be the implementation of filtering Web proxies, firewalls, anti-malware, and other traditional security measures.

36. Must Government contractors abide by FISMA requirements?

Yes... Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems (whether automated or manual) – on behalf of a Federal agency. Such other organizations may include contractors, grantees, State and local Governments, industry partners, providers of software subscription services, etc. FISMA, therefore, underscores longstanding OMB policy concerning sharing Government information and interconnecting systems.

This concerns me. Is the government further pushing on contractors to adopt FISMA in private business?

FISMA is unambiguous regarding the extent to which security authorizations and annual IT security assessments apply. To the extent that contractor, state, or grantee systems process, store, or house Federal Government information (for which the agency continues to be responsible for maintaining control), their security controls must be assessed against the same NIST criteria and standards as if they were a Government-owned or -operated system. The security authorization boundary for these systems must be carefully mapped to ensure that Federal information:

(a) is adequately protected,

(b) is segregated from the contractor, state or grantee corporate infrastructure, and

(c) there is an interconnection security agreement in place to address connections from the contractor, state or grantee system containing the agency information to systems external to the security authorization boundary.

It's probably going to take a .gov-savvy lawyer to really explain what these points mean, but private enterprises working with government data should probably take a close look at these new FISMA developments.


Omar Fink said...

The point of continuous monitoring is to make defenders more aware of the dynamic posture of their defenses instead of just putting the required controls in place and assuming they are working or testing them infrequently. SI-3 is the control for anti-virus. SI-4 is the control for network monitoring and intrusion detection. RA-5 is the control for vulnerability assessment. SI-2 is the control for patch management. Either real time or frequent monitoring of network threats is called for in each of these controls. Continuous monitoring, done right, should offer the command chain good situational analysis that shows the status of each of these controls in near real time. Since in most cases, the tools and units that actually perform these defensive tasks also produce a variety of status reports, using the status information to fulfill compliance requirements is also more efficient and can save a great amount of time, effort and expense in that area. While the NIST security controls have always offered a good outline for network defense strategy, the actual understanding of how it works or how it ends up getting implemented inside federal agencies is often lacking. NIST and OMB are trying to force a dynamic or near real time understanding of how the defense is functioning by pushing their methodology called "continuous monitoring".

DanPhilpott said...

The FAQ numbers 30, 36 and 41 are essentially unchanged from the previous year OMB memo on FISMA and Privacy reporting (M-09-29). Changes were primarily to use new terminology (e.g., changing C&A to authorization, accreditation to security authorization). These are the same rules we've been working with for a while now, no new requirements.

Anonymous said...

This OMB memo's headlines and press coverage claim many things, but deliver something quite different.

As you have pointed out, "continuous monitoring of security controls" is not continuous, targets controls instead of results, and in reality, monitors inventories instead of controls.


- The requirements for $1000+/page C&A reports have not been removed.

- The overly prescriptive NIST 800-53 control list has not been revised or new flexibilities given.

- The overall "risk-based" approach (which is never implemented that way) has not been revised.

This memo is a giant step backward for feds and (now) contractors.

- They are required to waste even more resources on "continuous monitoring of security controls" that will not help anything.

- They must continue to waste resources on the old reports.

- The overall security approach, which has been shown to fail badly, hasn't been changed, so they must continue doing what's been shown to fail.

Lies, damn lies, and government press releases.

Dave Funk said...

Looks to me like NASA is fighting back: and sure enough the big guns are coming in to say 'this is what we meant from the beginning':
All that is missing now is for Ron Ross to put 10 more controls into SP 800-53 with 125 new tests into SP 800-53A to ensure that federal agencies have implemented this great step forward without any negative impact to the FBBIA (Federal Beltway Bandit Income Act) of 2009. Meanwhile Federal CIOs and CISOs (none of whom have ever been paid to be a system administrator on a moderate sized network) tell us what a great job the FISMA (Federal Information Security Mismanagement Act) has done at making security on their networks transparent. Meanwhile practitioners are struggling to decide if FISMA scores have a positive or negative correlation with network security. From my seat, the negative correlation side seems to be winning.